1. Home
  2. ATT&CK Techniques
  3. T1566.001 Spearphishing Attachment

T1566.001 Spearphishing Attachment Mappings

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

View in MITRE ATT&CK®

Intel vPro Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
intel-pt Intel Processor Trace Crowdstrike HEED T1566.001 Spearphishing Attachment
Comments
CrowdStrike Falcon Hardware Enhanced Exploit Detection (HEED) is an advanced security feature that integrates Intel Processor Trace (Intel PT) technology to provide enhanced visibility into sophisticated attack techniques, including real-time detection of exploits delivered via spearphishing attachments. These attacks often involve adversaries exploiting vulnerabilities within applications or services to execute malicious code once a user interacts with a compromised attachment, enabling attackers to manipulate system behavior and compromise security. Intel PT offers deep insights into program execution at the hardware level, capturing critical telemetry such as control flow, memory access, and instruction execution in real time. This detailed telemetry helps security teams detect abnormal behaviors, such as suspicious execution flows or unexpected interactions triggered by malicious attachments, as well as attempts to hijack legitimate processes. By monitoring these low-level activities, HEED makes it easier to identify exploitation attempts that are often used in spearphishing campaigns to gain unauthorized access or deploy malware. By combining Intel PT’s granular telemetry with advanced detection algorithms, HEED provides a powerful defense against evasive spearphishing attacks that may bypass traditional security measures. This proactive approach enables organizations to quickly identify and mitigate exploits delivered through malicious attachments, strengthening the protection of critical systems and reducing the risk of compromise from advanced, targeted cyber threats.
References
  1. https://www.intel.com/content/www/us/en/it-management/intel-it-best-practices/advancing-intels-security-posture-with-crowdstrike.html
  2. https://www.intel.com/content/dam/develop/external/us/en/documents/catc17-introduction-intel-cet-844137.pdf
  3. https://www.intel.com/content/dam/www/central-libraries/us/en/documents/2022-09/intel-crowdstrike-solution-brief.pdf

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2017-11882 Microsoft Office Memory Corruption Vulnerability exploitation_technique T1566.001 Spearphishing Attachment
Comments
CVE-2020-0688 exists in Microsoft Office, which is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code if unpatched, in the context of the current user, by failing to properly handle objects in memory. Cyber actors continued to exploit this vulnerability in Microsoft Office. The vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.
References
  1. https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild
  2. https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2017-11882
  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
CVE-2013-0640 Adobe Reader and Acrobat Memory Corruption Vulnerability exploitation_technique T1566.001 Spearphishing Attachment
Comments
This vulnerability is exploited via a maliciously-crafted pdf delivered as an email attachment.
References
  1. https://www.adobe.com/support/security/advisories/apsa13-02.html
CVE-2017-11292 Adobe Flash Player Type Confusion Vulnerability exploitation_technique T1566.001 Spearphishing Attachment
Comments
This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.
References
  1. https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed
CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation Vulnerability exploitation_technique T1566.001 Spearphishing Attachment
Comments
CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.
References
  1. https://www.bleepingcomputer.com/news/security/barracuda-esg-zero-day-attacks-linked-to-suspected-chinese-hackers/
  2. https://www.securityweek.com/chinese-hackers-deliver-malware-to-barracuda-email-security-appliances-via-new-zero-day/
  3. https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/
CVE-2022-41033 Microsoft Windows COM+ Event System Service Privilege Escalation Vulnerability exploitation_technique T1566.001 Spearphishing Attachment
Comments
CVE-2022-41033 is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows COM+ Event System Service, due to improper handling of privilege escalation scenarios. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves pairing the elevation of privilege vulnerability with other code-execution exploits, often through social engineering tactics such as enticing a user to open a malicious attachment or visit a harmful website. Once the vulnerability is exploited, attackers can manipulate system privileges to perform arbitrary actions with SYSTEM-level permissions. This allows them to achieve their objectives, such as installing programs, viewing or changing data, and creating new accounts with full user rights.
References
  1. https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-days-exchange-server-exploit-chain-remains-unpatched
  2. https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-october-2022/
  3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033