Spearphishing Attachment - T1566.001
(ATT&CK® Technique)
Definition
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
D3FEND Inferred Relationships
Spearphishing Attachment (T1566.001) produces two artifacts: Inbound Internet Mail Traffic and Email.

Defensive techniques related through the Email artifact:
Decoy File: spoofs Email; may-deceive Spearphishing Attachment
Dynamic Analysis: analyzes Email; may-detect Spearphishing Attachment
Emulated File Analysis: analyzes Email; may-detect Spearphishing Attachment
File Integrity Monitoring: analyzes Email; may-detect Spearphishing Attachment
Homoglyph Detection: analyzes Email; may-detect Spearphishing Attachment
Sender MTA Reputation Analysis: analyzes Email; may-detect Spearphishing Attachment
Sender Reputation Analysis: analyzes Email; may-detect Spearphishing Attachment
File Analysis: analyzes Email; may-detect Spearphishing Attachment
File Eviction: deletes Email; may-evict Spearphishing Attachment
Email Removal: deletes Email; may-evict Spearphishing Attachment
File Encryption: encrypts Email; may-harden Spearphishing Attachment
Local File Permissions: restricts Email; may-harden Spearphishing Attachment
Email Filtering: filters Email; may-isolate Spearphishing Attachment
Restore File: restores Email; may-restore Spearphishing Attachment
Restore Email: restores Email; may-restore Spearphishing Attachment

Defensive techniques related through the Inbound Internet Mail Traffic artifact:
Protocol Metadata Anomaly Detection: analyzes Inbound Internet Mail Traffic; may-detect Spearphishing Attachment
Remote Terminal Session Detection: analyzes Inbound Internet Mail Traffic; may-detect Spearphishing Attachment
Network Traffic Community Deviation: analyzes Inbound Internet Mail Traffic; may-detect Spearphishing Attachment
Client-server Payload Profiling: analyzes Inbound Internet Mail Traffic; may-detect Spearphishing Attachment
Per Host Download-Upload Ratio Analysis: analyzes Inbound Internet Mail Traffic; may-detect Spearphishing Attachment
Network Traffic Signature Analysis: analyzes Inbound Internet Mail Traffic; may-detect Spearphishing Attachment
Inbound Session Volume Analysis: analyzes Inbound Internet Mail Traffic; may-detect Spearphishing Attachment
User Geolocation Logon Pattern Analysis: analyzes Inbound Internet Mail Traffic; may-detect Spearphishing Attachment
Network Traffic Filtering: filters Inbound Internet Mail Traffic; may-isolate Spearphishing Attachment
Inbound Traffic Filtering: filters Inbound Internet Mail Traffic; may-isolate Spearphishing Attachment