Spear phishing messages with malicious attachments

From pre-attack
Jump to: navigation, search


This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

Spear phishing messages with malicious attachments
ID PRE-T1144
Tactic Launch


Emails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads.1

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Sending the emails is the simple part, ensuring they make it to the target (e.g., not being filtered) may be challenging. Over time, an adversary refines their techniques to minimize detection by making their emails seem legitimate in structure and content.


Detectable by Common Defenses (Yes/No/Partial): Yes

Explanation: Many technologies exist to scan content and/or emulate a workstation prior to the target receiving and executing the attachment (detonation chambers) in order to reduce malicious emails and attachments being delivered to the intended target. However, encryption continues to be a stumbling block. In addition, there are a variety of commercial technologies available that enable users to screen for phishing messages and which are designed to enhance email security.