Esc
Phishing - T1566
(ATT&CK® Technique)
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1566["Phishing"] --> |produces| File["File"]; class T1566 OffensiveTechniqueNode; class File ArtifactNode; click File href "/dao/artifact/d3f:File"; click T1566 href "/offensive-technique/attack/T1566/"; click File href "/dao/artifact/d3f:File"; T1566["Phishing"] --> |produces| URL["URL"]; class T1566 OffensiveTechniqueNode; class URL ArtifactNode; click URL href "/dao/artifact/d3f:URL"; click T1566 href "/offensive-technique/attack/T1566/"; click URL href "/dao/artifact/d3f:URL"; T1566["Phishing"] --> |produces| InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; class T1566 OffensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click InboundInternetMailTraffic href "/dao/artifact/d3f:InboundInternetMailTraffic"; click T1566 href "/offensive-technique/attack/T1566/"; click InboundInternetMailTraffic href "/dao/artifact/d3f:InboundInternetMailTraffic"; T1566["Phishing"] --> |produces| Email["Email"]; class T1566 OffensiveTechniqueNode; class Email ArtifactNode; click Email href "/dao/artifact/d3f:Email"; click T1566 href "/offensive-technique/attack/T1566/"; click Email href "/dao/artifact/d3f:Email"; DecoyFile["Decoy File"] --> | spoofs | File["File"]; DecoyFile["Decoy File"] -.-> | May Deceive | T1566["Phishing"] ; class DecoyFile DefensiveTechniqueNode; class File ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | Email["Email"]; class DecoyFile DefensiveTechniqueNode; class Email ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | Email["Email"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1566["Phishing"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class Email ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | Email["Email"]; DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1566["Phishing"] ; class DynamicAnalysis DefensiveTechniqueNode; class Email ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; HomoglyphDetection["Homoglyph Detection"] --> | analyzes | URL["URL"]; HomoglyphDetection["Homoglyph Detection"] -.-> | May Detect | T1566["Phishing"] ; class HomoglyphDetection DefensiveTechniqueNode; class URL ArtifactNode; click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; HomoglyphDetection["Homoglyph Detection"] --> | analyzes | Email["Email"]; class HomoglyphDetection DefensiveTechniqueNode; class Email ArtifactNode; click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; URLAnalysis["URL Analysis"] --> | analyzes | URL["URL"]; URLAnalysis["URL Analysis"] -.-> | May Detect | T1566["Phishing"] ; class URLAnalysis DefensiveTechniqueNode; class URL ArtifactNode; click URLAnalysis href "/technique/d3f:URLAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | May Detect | T1566["Phishing"] ; class NetworkTrafficCommunityDeviation DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | May Detect | T1566["Phishing"] ; class Client-serverPayloadProfiling DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; InboundSessionVolumeAnalysis["Inbound Session Volume Analysis"] --> | analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; InboundSessionVolumeAnalysis["Inbound Session Volume Analysis"] -.-> | May Detect | T1566["Phishing"] ; class InboundSessionVolumeAnalysis DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click InboundSessionVolumeAnalysis href "/technique/d3f:InboundSessionVolumeAnalysis"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | May Detect | T1566["Phishing"] ; class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | May Detect | T1566["Phishing"] ; class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | May Detect | T1566["Phishing"] ; class RemoteTerminalSessionDetection DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] --> | analyzes | Email["Email"]; SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -.-> | May Detect | T1566["Phishing"] ; class SenderMTAReputationAnalysis DefensiveTechniqueNode; class Email ArtifactNode; click SenderMTAReputationAnalysis href "/technique/d3f:SenderMTAReputationAnalysis"; SenderReputationAnalysis["Sender Reputation Analysis"] --> | analyzes | Email["Email"]; SenderReputationAnalysis["Sender Reputation Analysis"] -.-> | May Detect | T1566["Phishing"] ; class SenderReputationAnalysis DefensiveTechniqueNode; class Email ArtifactNode; click SenderReputationAnalysis href "/technique/d3f:SenderReputationAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | May Detect | T1566["Phishing"] ; class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | File["File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | May Detect | T1566["Phishing"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class File ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | Email["Email"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class Email ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileRemoval["File Removal"] --> | deletes | Email["Email"]; FileRemoval["File Removal"] -.-> | May Evict | T1566["Phishing"] ; class FileRemoval DefensiveTechniqueNode; class Email ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] --> | deletes | File["File"]; class FileRemoval DefensiveTechniqueNode; class File ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; LocalFilePermissions["Local File Permissions"] --> | restricts | File["File"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1566["Phishing"] ; class LocalFilePermissions DefensiveTechniqueNode; class File ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | Email["Email"]; class LocalFilePermissions DefensiveTechniqueNode; class Email ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] --> | encrypts | File["File"]; FileEncryption["File Encryption"] -.-> | May Harden | T1566["Phishing"] ; class FileEncryption DefensiveTechniqueNode; class File ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | Email["Email"]; class FileEncryption DefensiveTechniqueNode; class Email ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | May Isolate | T1566["Phishing"] ; class NetworkTrafficFiltering DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; RestoreFile["Restore File"] --> | restores | Email["Email"]; RestoreFile["Restore File"] -.-> | May Restore | T1566["Phishing"] ; class RestoreFile DefensiveTechniqueNode; class Email ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | File["File"]; class RestoreFile DefensiveTechniqueNode; class File ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; URLReputationAnalysis["URL Reputation Analysis"] --> | analyzes | URL["URL"]; URLReputationAnalysis["URL Reputation Analysis"] -.-> | May Detect | T1566["Phishing"] ; class URLReputationAnalysis DefensiveTechniqueNode; class URL ArtifactNode; click URLReputationAnalysis href "/technique/d3f:URLReputationAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | File["File"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1566["Phishing"] ; class FileAnalysis DefensiveTechniqueNode; class File ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | Email["Email"]; class FileAnalysis DefensiveTechniqueNode; class Email ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; IdentifierAnalysis["Identifier Analysis"] --> | analyzes | URL["URL"]; IdentifierAnalysis["Identifier Analysis"] -.-> | May Detect | T1566["Phishing"] ; class IdentifierAnalysis DefensiveTechniqueNode; class URL ArtifactNode; click IdentifierAnalysis href "/technique/d3f:IdentifierAnalysis"; InboundTrafficFiltering["Inbound Traffic Filtering"] --> | filters | InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; InboundTrafficFiltering["Inbound Traffic Filtering"] -.-> | May Isolate | T1566["Phishing"] ; class InboundTrafficFiltering DefensiveTechniqueNode; class InboundInternetMailTraffic ArtifactNode; click InboundTrafficFiltering href "/technique/d3f:InboundTrafficFiltering"; EmailRemoval["Email Removal"] --> | deletes | Email["Email"]; EmailRemoval["Email Removal"] -.-> | May Evict | T1566["Phishing"] ; class EmailRemoval DefensiveTechniqueNode; class Email ArtifactNode; click EmailRemoval href "/technique/d3f:EmailRemoval"; EmailFiltering["Email Filtering"] --> | filters | Email["Email"]; EmailFiltering["Email Filtering"] -.-> | May Isolate | T1566["Phishing"] ; class EmailFiltering DefensiveTechniqueNode; class Email ArtifactNode; click EmailFiltering href "/technique/d3f:EmailFiltering"; RestoreEmail["Restore Email"] --> | restores | Email["Email"]; RestoreEmail["Restore Email"] -.-> | May Restore | T1566["Phishing"] ; class RestoreEmail DefensiveTechniqueNode; class Email ArtifactNode; click RestoreEmail href "/technique/d3f:RestoreEmail";