Spearphishing Link - T1566.002
(ATT&CK® Technique)
Definition
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It differs from other forms of spearphishing in that it uses links in the email to download malware, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
D3FEND Inferred Relationships
Spearphishing Link produces: URL; Inbound Internet Mail Traffic; Email.

May Detect:
Client-server Payload Profiling analyzes Inbound Internet Mail Traffic
Inbound Session Volume Analysis analyzes Inbound Internet Mail Traffic
Protocol Metadata Anomaly Detection analyzes Inbound Internet Mail Traffic
Network Traffic Signature Analysis analyzes Inbound Internet Mail Traffic
Per Host Download-Upload Ratio Analysis analyzes Inbound Internet Mail Traffic
Remote Terminal Session Detection analyzes Inbound Internet Mail Traffic
Network Traffic Community Deviation analyzes Inbound Internet Mail Traffic
User Geolocation Logon Pattern Analysis analyzes Inbound Internet Mail Traffic
Dynamic Analysis analyzes Email
Emulated File Analysis analyzes Email
Sender MTA Reputation Analysis analyzes Email
Sender Reputation Analysis analyzes Email
File Integrity Monitoring analyzes Email
File Analysis analyzes Email
URL Analysis analyzes URL
Homoglyph Detection analyzes URL and Email
Identifier Activity Analysis analyzes URL
URL Reputation Analysis analyzes URL

May Deceive:
Decoy File spoofs Email

May Harden:
Local File Permissions restricts Email
File Encryption encrypts Email

May Isolate:
Network Traffic Filtering filters Inbound Internet Mail Traffic
Inbound Traffic Filtering filters Inbound Internet Mail Traffic
Email Filtering filters Email

May Evict:
File Eviction deletes Email
Email Removal deletes Email

May Restore:
Restore File restores Email
Restore Email restores Email