T1598.002 Spearphishing Attachment Mappings

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-4 Information Flow Enforcement Protects T1598.002 Spearphishing Attachment
CA-7 Continuous Monitoring Protects T1598.002 Spearphishing Attachment
CM-2 Baseline Configuration Protects T1598.002 Spearphishing Attachment
CM-6 Configuration Settings Protects T1598.002 Spearphishing Attachment
IA-9 Service Identification and Authentication Protects T1598.002 Spearphishing Attachment
SC-20 Secure Name/address Resolution Service (authoritative Source) Protects T1598.002 Spearphishing Attachment
SC-44 Detonation Chambers Protects T1598.002 Spearphishing Attachment
SC-7 Boundary Protection Protects T1598.002 Spearphishing Attachment
SI-3 Malicious Code Protection Protects T1598.002 Spearphishing Attachment
SI-4 System Monitoring Protects T1598.002 Spearphishing Attachment
SI-8 Spam Protection Protects T1598.002 Spearphishing Attachment
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1598.002 Phishing for Information: Spearphishing Attachment
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1598.002 Phishing for Information: Spearphishing Attachment
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1598.002 Phishing for Information: Spearphishing Attachment
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1598.002 Phishing for Information: Spearphishing Attachment