ID | Name |
---|---|
T1566.001 | Spearphishing Attachment |
T1566.002 | Spearphishing Link |
T1566.003 | Spearphishing via Service |
T1566.004 | Spearphishing Voice |
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing, distinguished from the other forms by the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.[1] Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
There are many options for the attachment, such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or to make a file that exploits one application appear to belong to a different one.
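As an added example (not code from the ATT&CK page or from any group listed below), the following Python script triages attachments the way a mail-gateway filter would, flagging the evasions the paragraph above describes: an executable whose name claims to be a document, a double extension such as `invoice.pdf.exe`, a password-protected archive whose payload cannot be scanned, and an Office document that carries a VBA project. The magic-byte table, the extension lists and every sample attachment are constructed for illustration; the zip "encryption" only raises the header flag bit that a gateway keys on, no cipher is applied.

```python
# Added example, not from the ATT&CK page; signatures, lists and samples are constructed.
import io
import zipfile

# Leading bytes -> real container type (constructed, not exhaustive).
MAGIC = [
    (b"MZ", "pe"),                                  # Windows executable (.exe/.scr/.dll)
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls, can hold VBA
    (b"PK\x03\x04", "zip"),                         # zip and OOXML (.docx/.xlsm/...)
    (b"Rar!\x1a\x07", "rar"),
    (b"ITSF", "chm"),                               # compiled HTML help
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),      # Windows shortcut
]
# Container type an extension claims to be.
EXT_TYPE = {"exe": "pe", "scr": "pe", "dll": "pe", "pdf": "pdf", "rtf": "rtf",
            "doc": "ole", "xls": "ole", "docx": "zip", "docm": "zip", "xlsx": "zip",
            "xlsm": "zip", "zip": "zip", "rar": "rar", "chm": "chm", "lnk": "lnk"}
# Types that run or fetch code rather than open as a document.
EXEC_EXT = {"exe", "scr", "dll", "lnk", "chm", "iqy", "js", "vbs", "hta", "iso", "img"}

def sniff(data: bytes) -> str:
    """Identify the container from leading bytes, ignoring the file name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"

def inspect_zip(data: bytes) -> list[str]:
    """Look inside a zip/OOXML container for password protection, macros, executables."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["malformed zip container"]
    findings = []
    # General-purpose flag bit 0 on an entry means it is encrypted, so the gateway
    # cannot scan the payload; that is why the lure supplies the password in the mail.
    if any(zi.flag_bits & 0x1 for zi in zf.infolist()):
        findings.append("password-protected archive (payload not scannable)")
    names = zf.namelist()
    if any(n.lower().endswith("vbaproject.bin") for n in names):  # OOXML with a VBA project
        findings.append("Office document contains VBA macros")
    inner = {n.rsplit(".", 1)[-1].lower() for n in names if "." in n}
    risky = sorted(inner & EXEC_EXT)
    if risky:
        findings.append("archive contains executable entries: " + ", ".join(risky))
    return findings

def triage(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if len(parts) > 2 and parts[-2] in EXT_TYPE and parts[-2] != ext:
        findings.append(f"double extension .{parts[-2]}.{ext}")      # invoice.pdf.exe
    if "\u202e" in filename:
        findings.append("right-to-left override in filename")         # hides the real extension
    if ext in EXT_TYPE and kind != "unknown" and EXT_TYPE[ext] != kind:
        findings.append(f"content is {kind} but extension says .{ext}")
    if ext in EXEC_EXT:
        findings.append(f"directly executable attachment type .{ext}")
    if kind == "zip":
        findings += inspect_zip(data)
    elif kind == "ole":
        findings.append("legacy OLE document, may carry VBA macros; inspect further")
    return findings

def build_zip(entries: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Constructed sample archive; 'encrypted' only raises the flag bit the detector
    keys on, no cipher is applied to the entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if encrypted:  # flags sit at +6 in local headers and +8 in central-directory entries
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = raw.find(sig)
            while i != -1:
                raw[i + off] |= 0x01
                i = raw.find(sig, i + 4)
    return bytes(raw)

SAMPLES = {  # constructed attachments: stub bytes, no real malware
    "Q3_report.docx": b"MZ\x90\x00" + b"\x00" * 60,   # executable wearing a Word name
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # classic double extension
    "docs.zip": build_zip({"scan.scr": b"MZ" + b"\x00" * 16}, encrypted=True),
    "agenda.docm": build_zip({"[Content_Types].xml": b"<Types/>",
                              "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "brochure.pdf": b"%PDF-1.7\n%%EOF\n",             # benign control
}

def triage_all(samples=SAMPLES) -> dict[str, list[str]]:
    return {name: triage(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, found in triage_all().items():
        print(f"{name}: {found or ['clean']}")
```

`triage_all()` returns the findings per sample: the benign PDF comes back empty, `Q3_report.docx` is caught because its bytes are a PE image whatever the name says, and `docs.zip` is flagged twice, once for the encryption flag and once for the `.scr` it wraps. In a real gateway the encrypted-archive case should route to quarantine or detonation rather than pass, because the flag bit is the only thing visible without the password the lure provides.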
ID | Name | Description |
---|---|---|
C0028 | 2015 Ukraine Electric Power Attack | During the 2015 Ukraine Electric Power Attack, Sandworm Team obtained their initial foothold into many IT systems using Microsoft Office attachments delivered through phishing emails.[2] |
G0018 | admin@338 | admin@338 has sent emails with malicious Microsoft Office documents attached.[3] |
S0331 | Agent Tesla | The primary delivery mechanism for Agent Tesla is through email phishing messages.[4] |
G0130 | Ajax Security Team | Ajax Security Team has used personalized spearphishing attachments.[5] |
G0138 | Andariel | Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.[6][7] |
S0622 | AppleSeed | AppleSeed has been distributed to victims through malicious e-mail attachments.[8] |
G0099 | APT-C-36 | APT-C-36 has used spearphishing emails with password-protected RAR attachments to avoid being detected by the email gateway.[9] |
G0006 | APT1 | APT1 has sent spearphishing emails containing malicious attachments.[10] |
G0005 | APT12 | APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.[11][12] |
G0073 | APT19 | APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.[13] |
G0007 | APT28 | APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.[14][15][16][17][18][19][20][21] |
G0016 | APT29 | APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.[22][23][24][25] |
G0013 | APT30 | APT30 has used spearphishing emails with malicious DOC attachments.[26] |
G0050 | APT32 | APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.[27][28][29][30][31][32] |
G0064 | APT33 | APT33 has sent spearphishing e-mails with archive attachments.[33] |
G0067 | APT37 | APT37 delivers malware using spearphishing emails with malicious HWP attachments.[34][35][36] |
G0082 | APT38 | APT38 has conducted spearphishing campaigns using malicious email attachments.[37] |
G0087 | APT39 | APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.[38][39][40] |
G0096 | APT41 | APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[41] |
S0373 | Astaroth | Astaroth has been delivered via malicious e-mail attachments.[42] |
S0642 | BADFLICK | BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[43] |
S0234 | Bandook | Bandook is delivered via a malicious Word document inside a zip file.[44] |
S0268 | Bisonal | Bisonal has been delivered as malicious email attachments.[45] |
G1002 | BITTER | BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.[46][47] |
G0098 | BlackTech | BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.[48][49] |
S0520 | BLINDINGCAN | BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.[50] |
G0060 | BRONZE BUTLER | BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.[51][52] |
S1039 | Bumblebee | Bumblebee has gained execution through luring users into opening malicious attachments.[53][54][55][56] |
C0011 | C0011 | During C0011, Transparent Tribe sent malicious attachments via email to student targets in India.[57] |
C0015 | C0015 | For C0015, security researchers assessed that the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims.[58] |
S0631 | Chaes | Chaes has been delivered by sending victims a phishing email containing a malicious .docx file.[59] |
S0660 | Clambling | Clambling has been delivered to victims' machines through malicious e-mail attachments.[60] |
G0080 | Cobalt Group | Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password-protected archives containing .exe and .scr executables.[61][62][63][64][65][66][67][68] |
G0142 | Confucius | Confucius has crafted and sent victims malicious attachments to gain initial access.[69] |
G1012 | CURIUM | CURIUM has used phishing with malicious attachments for initial access to victim environments.[70] |
S1014 | DanBot | DanBot has been distributed within a malicious Excel attachment via spearphishing emails.[71] |
S1111 | DarkGate | DarkGate can be distributed through emails with malicious attachments from a spoofed email address.[72] |
G0012 | Darkhotel | Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.[73][74] |
G0079 | DarkHydrus | DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[1][75][76] |
S1066 | DarkTortilla | DarkTortilla has been distributed via spearphishing emails containing archive attachments, with file types such as .iso, .zip, .img, .dmg, and .tar, as well as through malicious documents.[77] |
S0673 | DarkWatchman | DarkWatchman has been delivered via spearphishing emails that contain a malicious zip file.[78] |
G0035 | Dragonfly | Dragonfly has sent emails with malicious attachments to gain initial access.[79] |
G0066 | Elderwood | Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.[80][81] |
S0367 | Emotet | Emotet has been delivered by phishing emails containing attachments.[82][83][84][85][86][87][88][89][90] |
S0634 | EnvyScout | EnvyScout has been distributed via spearphishing as an email attachment.[91] |
G1011 | EXOTIC LILY | EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.[92][53] |
G0137 | Ferocious Kitten | Ferocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.[93] |
G0085 | FIN4 | FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros. |