Internal Spearphishing

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.[1]

Adversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic email login interfaces.

There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.[1] The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.[2]

ID: T1534
Sub-techniques:  No sub-techniques
Platforms: Google Workspace, Linux, Office 365, SaaS, Windows, macOS
Permissions Required: User
Contributors: Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC); Tim MalcomVetter
Version: 1.2
Created: 04 September 2019
Last Modified: 08 March 2022

Procedure Examples

ID Name Description
G0047 Gamaredon Group

Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.[3]


HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access.[4]

G0094 Kimsuky

Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.[5]

G0065 Leviathan

Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.[6]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization.[7]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.[1]

DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.