Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of Valid Accounts. Phishing may also be conducted via third-party services, like social media platforms.

ID: T1566
Sub-techniques:  T1566.001, T1566.002, T1566.003
Tactic: Initial Access
Platforms: Linux, Office 365, SaaS, Windows, macOS
Data Sources: Anti-virus, Detonation chamber, Email gateway, File monitoring, Mail server, Network intrusion detection system, Packet capture, SSL/TLS inspection, Web proxy
Version: 2.0
Created: 02 March 2020
Last Modified: 18 October 2020

Procedure Examples

Name Description

Dragonfly has used spearphising campaigns to gain access to victims.[1]


GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.[2]


Mitigation Description

Anti-virus can automatically quarantine suspicious files.

Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.

Restrict Web-Based Content

Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

User Training

Users can be trained to identify social engineering techniques and phishing emails.


Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.

Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once User Execution occurs.