Spearphishing Attachment

From enterprise
Jump to: navigation, search
Spearphishing Attachment
ID T1193
Tactic Initial Access
Platform Linux, Windows, macOS
Data Sources File monitoring, Packet capture, Mail server, Network intrusion detection system, Detonation chamber, Email gateway

Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.


  • APT28 sent spearphishing emails with Microsoft Excel attachments containing malicious macro scripts.1
  • APT29 has used spearphishing with an attachment to deliver files with exploits to initial victims. 2
  • APT37 has used weaponized spearphishing attachments to deliver malware.3
  • Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.45
  • FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.678
  • Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.9
  • Magic Hound sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy.10
  • MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.1112
  • PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.13
  • Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.1415
  • TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.16
  • menuPass has sent malicious Office documents via email as part of spearphishing campaigns17 as well as executables disguised as documents. 18
  • SHUTTERSPEED has been delivered via spearphishing emails containing documents exploiting RTF vulnerability CVE-2017-0199.3
  • SLOWDRIFT was delivered using lure emails with documents leveraging the HWP exploit.3


Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments in Obfuscated Files or Information.

Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails. To prevent the attachments from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.


Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.