Phishing: Spearphishing via Service

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

ID: T1566.003
Sub-technique of:  T1566
Tactic: Initial Access
Platforms: Linux, Windows, macOS
Data Sources: Anti-virus, SSL/TLS inspection, Web proxy
Version: 2.0
Created: 02 March 2020
Last Modified: 18 October 2020

Procedure Examples

Name Description
Dark Caracal

Dark Caracal spearphished victims via Facebook and Whatsapp.[1]


FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.[2]

Lazarus Group

Lazarus Group has used fake job advertisements sent via LinkedIn to spearphish victims.[3]

Magic Hound

Magic Hound used various social media channels to spearphish victims.[4][5][6]


OilRig has used LinkedIn to send spearphishing links.[7]


Windshift has used fake personas on social media to engage and target victims.[8]


Mitigation Description

Anti-virus can also automatically quarantine suspicious files.

Restrict Web-Based Content

Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

User Training

Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.


Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.

Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution or usage of malicious scripts.