Esc
Spearphishing Link - T1566.002
(ATT&CK® Technique)
Definition
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1566002["Spearphishing Link"] --> |produces| URL["URL"]; class T1566002 OffensiveTechniqueNode;
class URL ArtifactNode; click URL href "/dao/artifact/d3f:URL";
click T1566002 href "/offensive-technique/attack/T1566.002/"; click URL href "/dao/artifact/d3f:URL"; T1566002["Spearphishing Link"] --> |produces| InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; class T1566002 OffensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode; click InboundInternetMailTraffic href "/dao/artifact/d3f:InboundInternetMailTraffic";
click T1566002 href "/offensive-technique/attack/T1566.002/"; click InboundInternetMailTraffic href "/dao/artifact/d3f:InboundInternetMailTraffic"; T1566002["Spearphishing Link"] --> |produces| Email["Email"]; class T1566002 OffensiveTechniqueNode;
class Email ArtifactNode; click Email href "/dao/artifact/d3f:Email";
click T1566002 href "/offensive-technique/attack/T1566.002/"; click Email href "/dao/artifact/d3f:Email"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | Email["Email"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | Email["Email"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; InboundSessionVolumeAnalysis["Inbound Session Volume Analysis"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
InboundSessionVolumeAnalysis["Inbound Session Volume Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class InboundSessionVolumeAnalysis DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click InboundSessionVolumeAnalysis href "/technique/d3f:InboundSessionVolumeAnalysis"; IdentifierActivityAnalysis["Identifier Activity Analysis"] -->
| analyzes | URL["URL"];
IdentifierActivityAnalysis["Identifier Activity Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class IdentifierActivityAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click IdentifierActivityAnalysis href "/technique/d3f:IdentifierActivityAnalysis"; HomoglyphDetection["Homoglyph Detection"] -->
| analyzes | URL["URL"];
HomoglyphDetection["Homoglyph Detection"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class HomoglyphDetection DefensiveTechniqueNode;
class URL ArtifactNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; HomoglyphDetection["Homoglyph Detection"] -->
| analyzes | Email["Email"];
class HomoglyphDetection DefensiveTechniqueNode;
class Email ArtifactNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; URLAnalysis["URL Analysis"] -->
| analyzes | URL["URL"];
URLAnalysis["URL Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class URLAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click URLAnalysis href "/technique/d3f:URLAnalysis"; DecoyFile["Decoy File"] -->
| spoofs | Email["Email"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1566002["Spearphishing Link"] ;
class DecoyFile DefensiveTechniqueNode;
class Email ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; SenderReputationAnalysis["Sender Reputation Analysis"] -->
| analyzes | Email["Email"];
SenderReputationAnalysis["Sender Reputation Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class SenderReputationAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click SenderReputationAnalysis href "/technique/d3f:SenderReputationAnalysis"; SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -->
| analyzes | Email["Email"];
SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class SenderMTAReputationAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click SenderMTAReputationAnalysis href "/technique/d3f:SenderMTAReputationAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | Email["Email"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class Email ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileEviction["File Eviction"] -->
| deletes | Email["Email"];
FileEviction["File Eviction"] -.->
| may-evict | T1566002["Spearphishing Link"] ;
class FileEviction DefensiveTechniqueNode;
class Email ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; RestoreFile["Restore File"] -->
| restores | Email["Email"];
RestoreFile["Restore File"] -.->
| may-restore | T1566002["Spearphishing Link"] ;
class RestoreFile DefensiveTechniqueNode;
class Email ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; LocalFilePermissions["Local File Permissions"] -->
| restricts | Email["Email"];
LocalFilePermissions["Local File Permissions"] -.->
| may-harden | T1566002["Spearphishing Link"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class Email ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
| encrypts | Email["Email"];
FileEncryption["File Encryption"] -.->
| may-harden | T1566002["Spearphishing Link"] ;
class FileEncryption DefensiveTechniqueNode;
class Email ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | Email["Email"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class FileAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; EmailRemoval["Email Removal"] -->
| deletes | Email["Email"];
EmailRemoval["Email Removal"] -.->
| may-evict | T1566002["Spearphishing Link"] ;
class EmailRemoval DefensiveTechniqueNode;
class Email ArtifactNode;
click EmailRemoval href "/technique/d3f:EmailRemoval"; RestoreEmail["Restore Email"] -->
| restores | Email["Email"];
RestoreEmail["Restore Email"] -.->
| may-restore | T1566002["Spearphishing Link"] ;
class RestoreEmail DefensiveTechniqueNode;
class Email ArtifactNode;
click RestoreEmail href "/technique/d3f:RestoreEmail"; URLReputationAnalysis["URL Reputation Analysis"] -->
| analyzes | URL["URL"];
URLReputationAnalysis["URL Reputation Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class URLReputationAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click URLReputationAnalysis href "/technique/d3f:URLReputationAnalysis"; InboundTrafficFiltering["Inbound Traffic Filtering"] -->
| filters | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
InboundTrafficFiltering["Inbound Traffic Filtering"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class InboundTrafficFiltering DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click InboundTrafficFiltering href "/technique/d3f:InboundTrafficFiltering"; EmailFiltering["Email Filtering"] -->
| filters | Email["Email"];
EmailFiltering["Email Filtering"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class EmailFiltering DefensiveTechniqueNode;
class Email ArtifactNode;
click EmailFiltering href "/technique/d3f:EmailFiltering";