EXPLORE
← Back to Explore
T1534

Internal Spearphishing

After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to incr...

LinuxmacOSOffice SuiteSaaSWindows
234
Detections
2
Sources
6
Threat Actors

BY SOURCE

233sublime1elastic

PROCEDURES (57)

Email Security21 detections

Auto-extracted: 21 detections for email security

Impersonat18 detections

Auto-extracted: 18 detections for impersonat

Email16 detections

Auto-extracted: 16 detections for email

Service15 detections

Auto-extracted: 15 detections for service

Attachment13 detections

Auto-extracted: 13 detections for attachment

Suspicious12 detections

Auto-extracted: 12 detections for suspicious

Impersonat11 detections

Auto-extracted: 11 detections for impersonat

Network Connection Monitoring9 detections

Auto-extracted: 9 detections for network connection monitoring

General Monitoring9 detections

Auto-extracted: 9 detections for general monitoring

Authentication Monitoring8 detections

Auto-extracted: 8 detections for authentication monitoring

Email8 detections

Auto-extracted: 8 detections for email

Credential7 detections

Auto-extracted: 7 detections for credential

Suspicious6 detections

Auto-extracted: 6 detections for suspicious

Credential5 detections

Auto-extracted: 5 detections for credential

Impersonat4 detections

Auto-extracted: 4 detections for impersonat

Bypass4 detections

Auto-extracted: 4 detections for bypass

Suspicious4 detections

Auto-extracted: 4 detections for suspicious

Attachment4 detections

Auto-extracted: 4 detections for attachment

Cloud3 detections

Auto-extracted: 3 detections for cloud

Remote3 detections

Auto-extracted: 3 detections for remote

Aws3 detections

Auto-extracted: 3 detections for aws

Office3 detections

Auto-extracted: 3 detections for office

Phish3 detections

Auto-extracted: 3 detections for phish

Credential3 detections

Auto-extracted: 3 detections for credential

Attachment2 detections

Auto-extracted: 2 detections for attachment

Attachment2 detections

Auto-extracted: 2 detections for attachment

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Evasion2 detections

Auto-extracted: 2 detections for evasion

Unusual2 detections

Auto-extracted: 2 detections for unusual

Service2 detections

Auto-extracted: 2 detections for service

Macro2 detections

Auto-extracted: 2 detections for macro

Attachment2 detections

Auto-extracted: 2 detections for attachment

Office1 detections

Auto-extracted: 1 detections for office

Phish1 detections

Auto-extracted: 1 detections for phish

Cloud1 detections

Auto-extracted: 1 detections for cloud

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Service Monitoring1 detections

Auto-extracted: 1 detections for service monitoring

Attachment1 detections

Auto-extracted: 1 detections for attachment

Phish1 detections

Auto-extracted: 1 detections for phish

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Http1 detections

Auto-extracted: 1 detections for http

Unusual1 detections

Auto-extracted: 1 detections for unusual

Email1 detections

Auto-extracted: 1 detections for email

Http1 detections

Auto-extracted: 1 detections for http

Service1 detections

Auto-extracted: 1 detections for service

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Service1 detections

Auto-extracted: 1 detections for service

Credential1 detections

Auto-extracted: 1 detections for credential

Unusual1 detections

Auto-extracted: 1 detections for unusual

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Service1 detections

Auto-extracted: 1 detections for service

Bypass1 detections

Auto-extracted: 1 detections for bypass

Evasion1 detections

Auto-extracted: 1 detections for evasion

Remote1 detections

Auto-extracted: 1 detections for remote

Unusual1 detections

Auto-extracted: 1 detections for unusual

Bypass1 detections

Auto-extracted: 1 detections for bypass

DETECTIONS (234)

Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
sublimemedium
AnonymousFox indicators
sublimehigh
Attachment with VBA macros from employee impersonation (unsolicited)
sublimehigh
Attachment: Calendar file with invisible Unicode characters
sublimehigh
Attachment: Calendar invite with Google redirect and invoice request
sublimemedium
Attachment: Canva PDF with susupicious author metadata
sublimehigh
Attachment: Credit card application with WhatsApp contact
sublimemedium
Attachment: Duplicated header pages in fraudulent multi-page PDF Request for Quotation
sublimemedium
Attachment: EML with Sharepoint link likely unrelated to sender
sublimemedium
Attachment: Encrypted zip file with payment-related lure
sublimemedium
Attachment: Fake lawyer & sports agent identities
sublimehigh
Attachment: Fictitious invoice using LinkedIn's address
sublimemedium
Attachment: ICS calendar file with suspicious UID domain
sublimemedium
Attachment: ICS file with meeting prefix
sublimehigh
Attachment: ICS with employee policy review lure
sublimehigh
Attachment: Invoice and W-9 PDFs with suspicious creators
sublimehigh
Attachment: Legal themed message or PDF with suspicious indicators
sublimemedium
Attachment: Link to Doubleclick.net open redirect
sublimemedium
Attachment: PDF bid/proposal lure with credential theft indicators
sublimemedium
Attachment: PDF contains W9 or invoice YARA signatures
sublimemedium
Attachment: PDF file with link to fake Bitcoin exchange
sublimelow
Attachment: PDF file with recipient domain and ATT eCheckRun pattern
sublimemedium
Attachment: PDF generated with wkhtmltopdf tool and default title
sublimelow
Attachment: PDF Object Hash associated with a fake invoice and a W-9
sublimehigh
Attachment: PDF with fake invoice using suspicious font sizing
sublimemedium
Attachment: PDF with self-service platform links with self sender or blank recipients
sublimemedium
Attachment: PDF with specific W-9 lure
sublimemedium
Attachment: PDF with suspicious internal object reference identifier
sublimemedium
Attachment: PDF with W-9 form indicators
sublimehigh
Attachment: RFP/RFQ impersonating government entities
sublimehigh
Attachment: Romance scam with image lure and advance-fee or suspicious link indicators
sublimemedium
Attachment: USDA bid invitation impersonation
sublimemedium
AWS SNS Topic Message Publish by Rare User
elastichigh
BEC with unusual reply-to or return-path mismatch
sublimehigh
BEC: Employee impersonation with subject manipulation
sublimehigh
BEC: Executive coaching vendor impersonation
sublimemedium
BEC: Financial fraud from newly registered sender domain
sublimemedium
BEC/Fraud: Fake investment outreach from suspicious TLD
sublimemedium
BEC/Fraud: Generic scam attempt to undisclosed recipients
sublimelow
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
sublimemedium
BEC/Fraud: Penpal scam
sublimemedium
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
sublimemedium
BEC/Fraud: Romance scam
sublimemedium
BEC/Fraud: Scam lure with freemail pivot
sublimelow
BEC/Fraud: Student loan callback phishing
sublimemedium
BEC/Fraud: Unsolicited business acquisition offer
sublimemedium
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
sublimemedium
Benefits enrollment impersonation
sublimehigh
Body: Embedded email headers indicative of thread hijacking/abuse
sublimemedium
Body: Invisible Unicode obfuscation student loan callback phishing
sublimemedium
Body: PayApp transaction reference pattern
sublimemedium
Body: Yellow highlighted text markers
sublimelow
Brand impersonation: AARP
sublimemedium
Brand impersonation: Aquent
sublimemedium
Brand impersonation: Aramco
sublimemedium
Brand impersonation: AuthentiSign
sublimemedium
Brand impersonation: Canada Revenue Agency
sublimemedium
Brand impersonation: Enbridge
sublimemedium
Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies
sublimehigh
Brand impersonation: Interac
sublimemedium
Brand impersonation: Internal Revenue Service
sublimehigh
Brand impersonation: Mailgun
sublimemedium
Brand impersonation: McAfee
sublimemedium
Brand impersonation: MetaMask
sublimehigh
Brand impersonation: Microsoft logo or suspicious language with open redirect
sublimehigh
Brand Impersonation: Procore
sublimemedium
Brand impersonation: Purdue ePlanroom with suspicious links
sublimemedium
Brand impersonation: QuickBooks dispute notification
sublimehigh
Brand impersonation: QuickBooks notification from Intuit themed company name
sublimemedium
Brand impersonation: Robert Half
sublimemedium
Brand impersonation: SendGrid
sublimemedium
Brand impersonation: Social Security Administration
sublimemedium
Brand impersonation: Trust Wallet
sublimehigh
Brand impersonation: UK government Home Office
sublimehigh
Brand impersonation: Vanguard
sublimemedium
Brand impersonation: WeTransfer
sublimehigh
Business Email Compromise (BEC) attempt from unsolicited sender
sublimemedium
Business Email Compromise (BEC) attempt from untrusted sender
sublimemedium
Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
sublimemedium
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
sublimemedium
Business Email Compromise (BEC) with request for mobile number
sublimemedium
Business Email Compromise: Request for mobile number via reply thread hijacking
sublimemedium
Callback phishing via Zelle Service Abuse
sublimemedium
Callback phishing: SumUp infrastructure abuse
sublimehigh
Canva infrastructure abuse
sublimemedium
COVID-19 themed fraud with sender and reply-to mismatch or compensation award
sublimemedium
Credential phishing: Generic document share with unicode and proceedural greeting template
sublimelow
Credential phishing: Generic document sharing
sublimemedium
Credential phishing: Tax form impersonation with payment request
sublimemedium
Display Name Emoji with Financial Symbols
sublimelow
DocuSign impersonation via CloudHQ links
sublimemedium
Employee impersonation with urgent request (untrusted sender)
sublimemedium
Employee impersonation: Payroll fraud
sublimehigh
Encrypted Microsoft Office files from untrusted sender
sublimemedium
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
sublimehigh
Fake message thread - Untrusted sender with a mismatched freemail reply-to address
sublimemedium
Fake request for tax preparation
sublimehigh
Fake thread with suspicious indicators
sublimemedium
Fake warning banner using confusable characters
sublimemedium
File sharing link with a suspicious subject
sublimemedium
Fraudulent e-commerce operators
sublimehigh
Fraudulent order confirmation/shipping notification from Chinese sender domain
sublimemedium
Free email provider sender with mismatched provider reply-to
sublimemedium
Generic service abuse from newly registered domain
sublimehigh
Google share notification with suspicious comments
sublimehigh
Headers: Fake in-reply-to with wildcard sender and missing thread context
sublimehigh
Headers: Invalid recipient domain with mismatched reply-to from new sender
sublimemedium
Headers: iOS/iPadOS mailer with invalid build number
sublimemedium
Headers: Outlook Express mailer
sublimemedium
Headers: System account impersonation with empty sender address
sublimemedium
Headers: X-Source-Auth mismatch with mismatched reply-to domain
sublimehigh
Honorific greeting BEC attempt with sender and reply-to mismatch
sublimelow
HR impersonation via e-sign agreement comment
sublimehigh
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
sublimemedium
HTML: Template placeholders or recipient email in element class attributes
sublimehigh
Impersonation: Australian Federal Police with criminal case language
sublimehigh
Impersonation: Employee name in subject with suspicious sender
sublimemedium
Impersonation: Employee using fabricated identity in initial contact
sublimehigh
Impersonation: Executive using numbered local part
sublimehigh
Impersonation: Fake product discount promotion
sublimemedium
Impersonation: Human Resources with link or attachment and engaging language
sublimemedium
Impersonation: Internal corporate services
sublimehigh
Impersonation: IT Department mailbox storage alert
sublimemedium
Impersonation: Legal firm with copyright infringement notice
sublimemedium
Impersonation: Suspected supplier impersonation with suspicious content
sublimehigh
Investor solicitation with organization targeting
sublimemedium
Job scam (unsolicited sender)
sublimelow
Job scam with specific salary pattern
sublimelow
Link abuse: Self-service creation platform link with suspicious recipient behavior
sublimehigh
Link: Apple App Store malicious ad manager themed apps from free email provider
sublimemedium
Link: BEC with newly registered domains and financial keywords
sublimemedium
Link: Breely link masquerading as PDF
sublimehigh
Link: Cryptocurrency fraud with suspicious links
sublimehigh
Link: Display text matches subject line
sublimemedium
Link: File sharing impersonation with suspicious language and sending patterns
sublimemedium
Link: Generic financial document with proceedural timeline template
sublimemedium
Link: Google Drawings link from new sender
sublimemedium
Link: Hotel booking spoofed display URL
sublimemedium
Link: HR impersonation with suspicious domain indicators and credential theft
sublimehigh
Link: Invoice or receipt from freemail sender with customer service number
sublimelow
Link: Remittance payment request with timeline template
sublimemedium
Link: RFI document reference pattern in display text
sublimemedium
Link: Self-sent message with quarterly document review request
sublimecritical
Link: Self-sent PDF lure with subject correlation
sublimemedium
Link: SharePoint filename matches org name
sublimemedium
Link: Shortened URL with fragment matching subject
sublimemedium
Link: Tax document lure Portuguese/Spanish with suspicious domains
sublimemedium
Link: URL scheme obfuscation via split HTML anchors
sublimehigh
Link: WordPress login page with Blogspot Binance scam
sublimemedium
Lookalike sender domain (untrusted sender)
sublimehigh
Mass Outbound Group With Free File Host Domain
sublimemedium
Microsoft infrastructure abuse with suspicious patterns
sublimehigh
Mismatched links: Free file share with urgent language
sublimemedium
Newly registered sender or reply-to domain with newly registered linked domain
sublimemedium
Observed IOC: Malicious reply-to domains
sublimehigh
Observed IOC: Malicious reply-to email addresses
sublimehigh
Observed IOC: Malicious reply-to root domains
sublimehigh
Observed IOC: Malicious sender domains
sublimehigh
Observed IOC: Malicious sender email addresses
sublimehigh
Observed IOC: Malicious sender root domains
sublimehigh
Open redirect: Mailtrack Korea
sublimemedium
PayPal invoice abuse
sublimemedium
Potential prompt injection attack in body HTML
sublimehigh
Reconnaissance: Email address harvesting attempt
sublimemedium
Reconnaissance: Empty subject with mismatched reply-to from new sender
sublimemedium
Reconnaissance: Fake real estate inquiry with empty body
sublimemedium
Reconnaissance: Hotel booking reply-to redirect
sublimemedium
Reconnaissance: Short generic greeting message
sublimemedium
Recruitee Infrastructure Abuse
sublimehigh
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
sublimemedium
Russia return-path TLD (untrusted sender)
sublimelow
Scam soliciting employer review/rating
sublimelow
Scam: Fake estate sale offering welding equipment and tools
sublimehigh
Scam: Piano giveaway
sublimemedium
Sender: IP address in local part
sublimemedium
Service abuse: Adobe legitimate domain with document approval language
sublimemedium
Service abuse: Adobe Sign notification from an unsolicited reply-to address
sublimemedium
Service Abuse: Box file sharing with credential phishing intent
sublimemedium
Service abuse: Cisco secure email service with financial request
sublimehigh
Service abuse: Citrix ShareFile impersonation via Outlook plugin
sublimemedium
Service abuse: DocSend share from newly registered domain
sublimehigh
Service abuse: DocuSign notification with suspicious sender or document name
sublimemedium
Service abuse: Domains By Proxy sender
sublimemedium
Service abuse: Dropbox share from an unsolicited reply-to address
sublimemedium
Service abuse: Dropbox share from new domain
sublimemedium
Service abuse: Dropbox share with suspicious sender or document name
sublimemedium
Service Abuse: ExactTarget with suspicious sender indicators
sublimehigh
Service abuse: Formester with suspicious link behavior
sublimemedium
Service abuse: Google classroom solicitation
sublimemedium
Service abuse: Google Drive share from an unsolicited reply-to address
sublimemedium
Service abuse: Google Drive share from new reply-to domain
sublimemedium
Service Abuse: HelloSign share with suspicious sender or document name
sublimemedium
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
sublimehigh
Service abuse: Notion free-tier account impersonating VIP
sublimemedium
Service abuse: Nylas tracking subdomain with suspicious content
sublimemedium
Service abuse: Payoneer callback scam
sublimemedium
Service abuse: QuickBooks notification from new domain
sublimemedium
Service abuse: QuickBooks notification with suspicious comments
sublimemedium
Service abuse: Recruiting with suspicious language patterns from legitimate platforms
sublimemedium
Service abuse: Roomsy with unrelated body content
sublimemedium