T1566 Phishing Mappings

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing (Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient and automated security tools.(Citation: cyberproof-double-bounce)

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., User Execution).(Citation: Unit42 Luna Moth)


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-04 | Information Flow Enforcement | Protects | T1566 | Phishing |
| CA-07 | Continuous Monitoring | Protects | T1566 | Phishing |
| CM-02 | Baseline Configuration | Protects | T1566 | Phishing |
| CM-06 | Configuration Settings | Protects | T1566 | Phishing |
| IA-09 | Service Identification and Authentication | Protects | T1566 | Phishing |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | Protects | T1566 | Phishing |
| SC-44 | Detonation Chambers | Protects | T1566 | Phishing |
| SC-07 | Boundary Protection | Protects | T1566 | Phishing |
| SI-02 | Flaw Remediation | Protects | T1566 | Phishing |
| SI-03 | Malicious Code Protection | Protects | T1566 | Phishing |
| SI-04 | System Monitoring | Protects | T1566 | Phishing |
| SI-08 | Spam Protection | Protects | T1566 | Phishing |
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1566 | Phishing |
| EOP-AntiSpam-E3 | AntiSpam | Technique Scores | T1566 | Phishing |
| EOP-AP-E3 | Anti-Phishing | Technique Scores | T1566 | Phishing |
| EOP-Antimalware-E3 | Antimalware | Technique Scores | T1566 | Phishing |
| ME-MFA-E3 | Multi-factor Authentication | Technique Scores | T1566 | Phishing |
| M365-DEF-ZAP-E3 | Zero Hour Auto Purge | Technique Scores | T1566 | Phishing |
| DO365-TT-E5 | Threat Tracker | Technique Scores | T1566 | Phishing |
| DO365-TPSR-E3 | Threat Protection Status Report | Technique Scores | T1566 | Phishing |
| DO365-TE-E5 | Threat Explorer | Technique Scores | T1566 | Phishing |
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1566 | Phishing |
| DO365-SL-E3 | Safe Links | Technique Scores | T1566 | Phishing |
| DEF-SA-E3 | Safe Attachments | Technique Scores | T1566 | Phishing |
| DEF-SA-E3 | Safe Attachments | Technique Scores | T1566 | Phishing |
| DEF-Quarantine-E3 | Quarantine Policies | Technique Scores | T1566 | Phishing |
| DO365-PSP-E3 | Preset Security Policies | Technique Scores | T1566 | Phishing |
| DEF-IR-E5 | Incident Response | Technique Scores | T1566 | Phishing |
| DEF-SIM-E5 | ATT&CK Simulation Training | Technique Scores | T1566 | Phishing |
| DEF-SIM-E5 | ATT&CK Simulation Training | Technique Scores | T1566 | Phishing |
| DO365-AG-E5 | App Governance | Technique Scores | T1566 | Phishing |
| DO365-AS-E3 | Anti-Spoofing | Technique Scores | T1566 | Phishing |
| DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1566 | Phishing |
| DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1566 | Phishing |
| DO365-AAP-E5 | Advanced Anti-phishing | Technique Scores | T1566 | Phishing |
| DO365-AAP-E5 | Advanced Anti-phishing | Technique Scores | T1566 | Phishing |
| DO365-AAP-E5 | Advanced Anti-phishing | Technique Scores | T1566 | Phishing |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1566.002 | Spearphishing Link | 30 |
| T1566.001 | Spearphishing Attachment | 31 |
| T1566.003 | Spearphishing via Service | 8 |