Esc
Spearphishing via Service - T1566.003

(ATT&CK® Technique)
Definition

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1566003["Spearphishing via Service"] --> |produces| File["File"]; class T1566003 OffensiveTechniqueNode;
        class File ArtifactNode; click File href "/dao/artifact/d3f:File";
        click T1566003 href "/offensive-technique/attack/T1566.003/"; click File href "/dao/artifact/d3f:File"; T1566003["Spearphishing via Service"] --> |produces| URL["URL"]; class T1566003 OffensiveTechniqueNode;
        class URL ArtifactNode; click URL href "/dao/artifact/d3f:URL";
        click T1566003 href "/offensive-technique/attack/T1566.003/"; click URL href "/dao/artifact/d3f:URL";                          FileAnalysis["File Analysis"] -->
          | analyzes | File["File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1566003["Spearphishing via Service"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis"; URLReputationAnalysis["URL Reputation Analysis"] -->
          | analyzes | URL["URL"];

          URLReputationAnalysis["URL Reputation Analysis"] -.->
            | may-detect | T1566003["Spearphishing via Service"] ;
          class URLReputationAnalysis DefensiveTechniqueNode;
          class URL ArtifactNode;
          click URLReputationAnalysis href "/technique/d3f:URLReputationAnalysis";                           FileEncryption["File Encryption"] -->
          | encrypts | File["File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1566003["Spearphishing via Service"] ;
          class FileEncryption DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | File["File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-harden | T1566003["Spearphishing via Service"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class File ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
          | restores | File["File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1566003["Spearphishing via Service"] ;
          class RestoreFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";                                        HomoglyphDetection["Homoglyph Detection"] -->
          | analyzes | URL["URL"];

          HomoglyphDetection["Homoglyph Detection"] -.->
            | may-detect | T1566003["Spearphishing via Service"] ;
          class HomoglyphDetection DefensiveTechniqueNode;
          class URL ArtifactNode;
          click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; URLAnalysis["URL Analysis"] -->
          | analyzes | URL["URL"];

          URLAnalysis["URL Analysis"] -.->
            | may-detect | T1566003["Spearphishing via Service"] ;
          class URLAnalysis DefensiveTechniqueNode;
          class URL ArtifactNode;
          click URLAnalysis href "/technique/d3f:URLAnalysis";       IdentifierActivityAnalysis["Identifier Activity Analysis"] -->
          | analyzes | URL["URL"];

          IdentifierActivityAnalysis["Identifier Activity Analysis"] -.->
            | may-detect | T1566003["Spearphishing via Service"] ;
          class IdentifierActivityAnalysis DefensiveTechniqueNode;
          class URL ArtifactNode;
          click IdentifierActivityAnalysis href "/technique/d3f:IdentifierActivityAnalysis";                              DecoyFile["Decoy File"] -->
          | spoofs | File["File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1566003["Spearphishing via Service"] ;
          class DecoyFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                  FileEviction["File Eviction"] -->
          | deletes | File["File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1566003["Spearphishing via Service"] ;
          class FileEviction DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";            FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | File["File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1566003["Spearphishing via Service"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";
json