Phishing: Spearphishing via Service

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It differs from other forms of spearphishing in that it uses third-party services rather than enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.[1] These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

ID: T1566.003
Sub-technique of: T1566
Tactic: Initial Access
Platforms: Linux, Windows, macOS
Version: 2.0
Created: 02 March 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G0130 Ajax Security Team

Ajax Security Team has used various social media channels to spearphish victims.[2]

G0016 APT29

APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.[3]

G1052 Contagious Interview

Contagious Interview has used fake job advertisements and messages sent via social media to spearphish targets.[4][5][6][7][8][9] Contagious Interview has also leveraged hiring websites to solicit victims.[6]

G1012 CURIUM

CURIUM has used social media to deliver malicious files to victims.[10]

G0070 Dark Caracal

Dark Caracal spearphished victims via Facebook and WhatsApp.[1]

G1011 EXOTIC LILY

EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.[11]

G0037 FIN6

FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.[12]

G0032 Lazarus Group

Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.[13]

G0059 Magic Hound

Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.[14][15][16]

G1036 Moonstone Sleet

Moonstone Sleet has used social media services to spearphish victims and deliver trojanized software.[17]

S1100 Ninja

Ninja has been distributed to victims via the messaging app Telegram.[18]

G0049 OilRig

OilRig has used LinkedIn to send spearphishing links.[19]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.[20][21]

G1046 Storm-1811

Storm-1811 has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support personnel.[22]

G1022 ToddyCat

ToddyCat has sent loaders configured to run Ninja as zip archives via Telegram.[18]

G0112 Windshift

Windshift has used fake personas on social media to engage and target victims.[23]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can automatically quarantine suspicious files.

M1047 Audit

Implement auditing and logging for interactions with third-party messaging services or collaboration platforms. Monitor user activity and review logs for signs of suspicious links, downloads, or file exchanges that could indicate spearphishing attempts. Effective auditing allows for the quick identification of malicious activity originating from compromised service accounts.

M1021 Restrict Web-Based Content

Determine whether particular social media sites, personal webmail services, or other services that can be used for spearphishing are necessary for business operations, and consider blocking access if the activity cannot be monitored well or if it poses a significant risk.

M1018 User Account Management

Enforce strict user account management policies on third-party service accounts to control access and limit privileges. Configure accounts with the minimum permissions necessary to perform their roles and regularly review access levels. This minimizes the risk of adversaries exploiting service accounts to execute spearphishing attacks or gain unauthorized access to sensitive resources.

M1017 User Training

Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0115 Detection Strategy for Spearphishing via a Service across OS Platforms

AN0320: Inbound spearphishing attempts delivered via third-party services (e.g., Gmail, LinkedIn messages) leading to malicious file downloads or browser-initiated script execution. Defender view includes correlation of external service logins, unexpected file write operations, and suspicious descendant processes spawned from productivity or browser applications.

AN0321: Use of non-enterprise email or messaging services in Thunderbird, Evolution, or browsers leading to suspicious file downloads and subsequent execution. Defender view includes browser-initiated downloads of unexpected content and shell or interpreter processes launched post-download.

AN0322: Phishing attempts via iCloud Mail, Gmail, or social media apps accessed on macOS systems. Defender view includes Mail.app or Safari downloads of files followed by osascript, Terminal, or abnormal child process execution.
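The three analytics above share one pattern: a file downloaded by a browser or mail client, followed shortly by a shell or interpreter spawned from that same client. The following is an added example (not part of the ATT&CK page) that applies that correlation to constructed sample telemetry; the event format, the application lists and the ten-minute window are assumptions, and a real deployment would draw these from EDR or Sysmon-style process and file events.

```python
from datetime import datetime, timedelta

# Client applications whose download-then-execute chains are checked
# (browsers and mail clients named in AN0320-AN0322); constructed list.
CLIENT_APPS = {"chrome.exe", "msedge.exe", "firefox", "thunderbird", "evolution", "Mail", "Safari"}
# Shells and interpreters whose launch as a descendant of a client app is suspicious.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe",
                       "bash", "sh", "python3", "osascript", "Terminal"}
WINDOW = timedelta(minutes=10)  # download-to-execution correlation window (assumed)

# Constructed sample telemetry in the form ts|host|event|parent_app|path_or_child_image
SAMPLE_EVENTS = [
    "2025-10-24T09:00:00|ws-01|file_download|chrome.exe|C:/Users/a/Downloads/offer.zip",
    "2025-10-24T09:03:10|ws-01|process_create|chrome.exe|powershell.exe",   # flagged
    "2025-10-24T09:05:00|mac-02|file_download|Mail|/Users/b/Downloads/Resume.pdf",
    "2025-10-24T09:06:30|mac-02|process_create|Mail|osascript",              # flagged
    "2025-10-24T10:00:00|lx-03|file_download|thunderbird|/home/c/Downloads/cv.pdf",
    "2025-10-24T10:00:20|lx-03|process_create|thunderbird|evince",           # viewer, benign
    "2025-10-24T13:00:00|ws-01|process_create|chrome.exe|cmd.exe",           # outside window
]

def parse(line):
    ts, host, event, app, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "app": app, "detail": detail}

def detect(lines):
    """Return (host, client_app, downloaded_path, child_image) for each shell or
    interpreter spawned by a client app within WINDOW of a download it made on that host."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    downloads, alerts = [], []
    for e in events:
        if e["app"] not in CLIENT_APPS:
            continue
        if e["event"] == "file_download":
            downloads.append(e)
        elif e["event"] == "process_create" and e["detail"] in SUSPICIOUS_CHILDREN:
            recent = [d for d in downloads
                      if d["host"] == e["host"] and d["app"] == e["app"]
                      and timedelta(0) <= e["ts"] - d["ts"] <= WINDOW]
            if recent:  # most recent qualifying download is the likely lure
                alerts.append((e["host"], e["app"], recent[-1]["detail"], e["detail"]))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print("ALERT host=%s parent=%s download=%s child=%s" % a)
```

The benign viewer launch and the shell spawned hours after the last download are deliberately left unflagged to show where the window and child-image allow-list draw the line.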

References

  1. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  2. Villeneuve, N., et al. (2013). OPERATION SAFFRON ROSE. Retrieved May 28, 2020.
  3. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  4. Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025.
  5. Efstratios Lontzetidis. (2025, January 16). Lazarus APT: Techniques for Hunting Contagious Interview. Retrieved October 20, 2025.
  6. Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
  7. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  8. Ryan Sherstobitoff. (2024, October 29). Inside a North Korean Phishing Operation Targeting DevOps Employees. Retrieved October 20, 2025.
  9. Steve Cobb. (2024, October 29). The Job Offer That Wasn’t: How We Stopped an Espionage Plot. Retrieved October 20, 2025.
  10. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  11. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  12. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.