T1534

Internal Spearphishing

After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign in which a legitimate account is initially compromised, either by controlling the user's device or by compromising the user's account credentials. Adversaries may then attempt to take advantage of the trusted internal account to incr...

Platforms: Windows, macOS, Linux, SaaS, Office Suite

Detections: 181
Sources: 2
Threat Actors: 4

BY SOURCE

sublime: 180
elastic: 1

PROCEDURES (48)

Auto-extracted keyword groups with their detection counts:

Service: 16 detections
Email Security: 16 detections
Email: 12 detections
Impersonat: 12 detections
Suspicious: 10 detections
Network Connection Monitoring: 9 detections
Impersonat: 9 detections
Email: 8 detections
Authentication Monitoring: 7 detections
Suspicious: 7 detections
Attachment: 6 detections
Credential: 5 detections
Credential: 5 detections
Suspicious: 4 detections
General Monitoring: 4 detections
Impersonat: 4 detections
Aws: 3 detections
Remote: 3 detections
Phish: 3 detections
Bypass: 3 detections
Http: 2 detections
Macro: 2 detections
Attachment: 2 detections
Service: 2 detections
Office: 2 detections
Credential: 2 detections
Cloud: 2 detections
Suspicious: 1 detection
Phish: 1 detection
Service: 1 detection
Script Execution Monitoring: 1 detection
Cloud: 1 detection
Encrypt: 1 detection
Credential: 1 detection
Remote: 1 detection
Attachment: 1 detection
Service: 1 detection
Phish: 1 detection
Unusual: 1 detection
Unusual: 1 detection
Http: 1 detection
Attachment: 1 detection
Bypass: 1 detection
Encrypt: 1 detection
Office: 1 detection
Bypass: 1 detection
Unusual: 1 detection
Attachment: 1 detection

DETECTIONS (181)

Each entry lists the detection name followed by [source, severity].

Advance Fee Fraud (AFF) from freemail provider or suspicious TLD [sublime, medium]
AnonymousFox indicators [sublime, high]
Attachment with VBA macros from employee impersonation (unsolicited) [sublime, high]
Attachment: Calendar file with invisible Unicode characters [sublime, high]
Attachment: Calendar invite with Google redirect and invoice request [sublime, medium]
Attachment: Credit card application with WhatsApp contact [sublime, medium]
Attachment: EML with Sharepoint link likely unrelated to sender [sublime, medium]
Attachment: Encrypted zip file with payment-related lure [sublime, medium]
Attachment: Fake lawyer & sports agent identities [sublime, high]
Attachment: Fictitious invoice using LinkedIn's address [sublime, medium]
Attachment: ICS file with meeting prefix [sublime, high]
Attachment: ICS with employee policy review lure [sublime, high]
Attachment: Invoice and W-9 PDFs with suspicious creators [sublime, high]
Attachment: Legal themed message or PDF with suspicious indicators [sublime, medium]
Attachment: Link to Doubleclick.net open redirect [sublime, medium]
Attachment: PDF bid/proposal lure with credential theft indicators [sublime, medium]
Attachment: PDF contains W9 or invoice YARA signatures [sublime, medium]
Attachment: PDF file with link to fake Bitcoin exchange [sublime, low]
Attachment: PDF generated with wkhtmltopdf tool and default title [sublime, low]
Attachment: RFP/RFQ impersonating government entities [sublime, high]
Attachment: USDA bid invitation impersonation [sublime, medium]
AWS SNS Topic Message Publish by Rare User [elastic, medium]
BEC with unusual reply-to or return-path mismatch [sublime, high]
BEC: Employee impersonation with subject manipulation [sublime, high]
BEC/Fraud: Generic scam attempt to undisclosed recipients [sublime, low]
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail [sublime, medium]
BEC/Fraud: Penpal scam [sublime, medium]
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply [sublime, medium]
BEC/Fraud: Romance scam [sublime, medium]
BEC/Fraud: Scam lure with freemail pivot [sublime, low]
BEC/Fraud: Student loan callback phishing [sublime, medium]
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns [sublime, medium]
Benefits enrollment impersonation [sublime, high]
Body: Embedded email headers indicative of thread hijacking/abuse [sublime, medium]
Body: PayApp transaction reference pattern [sublime, medium]
Brand impersonation: AARP [sublime, medium]
Brand impersonation: Aquent [sublime, medium]
Brand impersonation: Aramco [sublime, medium]
Brand impersonation: AuthentiSign [sublime, medium]
Brand impersonation: Enbridge [sublime, medium]
Brand impersonation: Interac [sublime, medium]
Brand impersonation: Internal Revenue Service [sublime, high]
Brand impersonation: Mailgun [sublime, medium]
Brand impersonation: McAfee [sublime, medium]
Brand impersonation: MetaMask [sublime, high]
Brand impersonation: Microsoft logo or suspicious language with open redirect [sublime, high]
Brand Impersonation: Procore [sublime, medium]
Brand impersonation: Purdue ePlanroom with suspicious links [sublime, medium]
Brand impersonation: QuickBooks notification from Intuit themed company name [sublime, medium]
Brand impersonation: Robert Half [sublime, medium]
Brand impersonation: SendGrid [sublime, medium]
Brand impersonation: Trust Wallet [sublime, high]
Brand impersonation: UK government Home Office [sublime, high]
Brand impersonation: Vanguard [sublime, medium]
Brand impersonation: WeTransfer [sublime, high]
Business Email Compromise (BEC) attempt from unsolicited sender [sublime, medium]
Business Email Compromise (BEC) attempt from untrusted sender [sublime, medium]
Business Email Compromise (BEC) attempt from untrusted sender (French/Français) [sublime, medium]
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited) [sublime, medium]
Business Email Compromise (BEC) with request for mobile number [sublime, medium]
Business Email Compromise: Request for mobile number via reply thread hijacking [sublime, medium]
Callback phishing via Zelle Service Abuse [sublime, medium]
Callback phishing: SumUp infrastructure abuse [sublime, high]
Canva infrastructure abuse [sublime, medium]
COVID-19 themed fraud with sender and reply-to mismatch or compensation award [sublime, medium]
Credential phishing: Generic document share template [sublime, low]
Credential phishing: Generic document sharing [sublime, medium]
Credential phishing: Tax form impersonation with payment request [sublime, medium]
Display Name Emoji with Financial Symbols [sublime, low]
DocuSign impersonation via CloudHQ links [sublime, medium]
Employee impersonation with urgent request (untrusted sender) [sublime, medium]
Employee impersonation: Payroll fraud [sublime, high]
Encrypted Microsoft Office files from untrusted sender [sublime, medium]
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender [sublime, high]
Fake message thread - Untrusted sender with a mismatched freemail reply-to address [sublime, medium]
Fake request for tax preparation [sublime, high]
Fake thread with suspicious indicators [sublime, medium]
Fake warning banner using confusable characters [sublime, medium]
File sharing link with a suspicious subject [sublime, medium]
Fraudulent e-commerce operators [sublime, high]
Fraudulent order confirmation/shipping notification from Chinese sender domain [sublime, medium]
Free email provider sender with mismatched provider reply-to [sublime, medium]
Generic service abuse from newly registered domain [sublime, high]
Google share notification with suspicious comments [sublime, high]
Headers: Fake in-reply-to with wildcard sender and missing thread context [sublime, high]
Headers: Invalid recipient domain with mismatched reply-to from new sender [sublime, medium]
Headers: iOS/iPadOS mailer with invalid build number [sublime, medium]
Headers: Outlook Express mailer [sublime, medium]
Headers: System account impersonation with empty sender address [sublime, medium]
Honorific greeting BEC attempt with sender and reply-to mismatch [sublime, low]
HR impersonation via e-sign agreement comment [sublime, high]
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation [sublime, medium]
Impersonation: Executive using numbered local part [sublime, high]
Impersonation: Human Resources with link or attachment and engaging language [sublime, medium]
Impersonation: Internal corporate services [sublime, high]
Impersonation: Legal firm with copyright infringement notice [sublime, medium]
Impersonation: Social Security Administration (SSA) [sublime, medium]
Impersonation: Suspected supplier impersonation with suspicious content [sublime, high]
Job scam (unsolicited sender) [sublime, low]
Job scam with specific salary pattern [sublime, low]
Link abuse: Self-service creation platform link with suspicious recipient behavior [sublime, high]
Link: Apple App Store malicious ad manager themed apps from free email provider [sublime, medium]
Link: Breely link masquerading as PDF [sublime, high]
Link: Cryptocurrency fraud with suspicious links [sublime, high]
Link: Display text matches subject line [sublime, medium]
Link: File sharing impersonation with suspicious language and sending patterns [sublime, medium]
Link: Google Drawings link from new sender [sublime, medium]
Link: Hotel booking spoofed display URL [sublime, medium]
Link: HR impersonation with suspicious domain indicators and credential theft [sublime, high]
Link: Invoice or receipt from freemail sender with customer service number [sublime, low]
Link: RFI document reference pattern in display text [sublime, medium]
Link: Self-sent message with quarterly document review request [sublime, critical]
Link: SharePoint filename matches org name [sublime, medium]
Link: Shortened URL with fragment matching subject [sublime, medium]
Link: URL scheme obfuscation via split HTML anchors [sublime, high]
Link: WordPress login page with Blogspot Binance scam [sublime, medium]
Lookalike sender domain (untrusted sender) [sublime, high]
Mass Outbound Group With Free File Host Domain [sublime, medium]
Microsoft infrastructure abuse with suspicious patterns [sublime, high]
Mismatched links: Free file share with urgent language [sublime, medium]
Newly registered sender or reply-to domain with newly registered linked domain [sublime, medium]
PayPal invoice abuse [sublime, medium]
Potential prompt injection attack in body HTML [sublime, high]
Reconnaissance: Email address harvesting attempt [sublime, medium]
Reconnaissance: Empty subject with mismatched reply-to from new sender [sublime, medium]
Reconnaissance: Hotel booking reply-to redirect [sublime, medium]
Reconnaissance: Short generic greeting message [sublime, medium]
Recruitee Infrastructure Abuse [sublime, high]
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern [sublime, medium]
Russia return-path TLD (untrusted sender) [sublime, low]
Scam: Piano giveaway [sublime, medium]
Sender: IP address in local part [sublime, medium]
Service abuse: Adobe legitimate domain with document approval language [sublime, medium]
Service abuse: Adobe Sign notification from an unsolicited reply-to address [sublime, medium]
Service Abuse: Box file sharing with credential phishing intent [sublime, medium]
Service abuse: Cisco secure email service with financial request [sublime, high]
Service abuse: DocSend share from newly registered domain [sublime, high]
Service abuse: DocuSign notification with suspicious sender or document name [sublime, medium]
Service abuse: Domains By Proxy sender [sublime, medium]
Service abuse: Dropbox share from an unsolicited reply-to address [sublime, medium]
Service abuse: Dropbox share from new domain [sublime, medium]
Service abuse: Dropbox share with suspicious sender or document name [sublime, medium]
Service Abuse: ExactTarget with suspicious sender indicators [sublime, high]
Service abuse: Formester with suspicious link behavior [sublime, medium]
Service abuse: Google classroom solicitation [sublime, medium]
Service abuse: Google Drive share from an unsolicited reply-to address [sublime, medium]
Service abuse: Google Drive share from new reply-to domain [sublime, medium]
Service Abuse: HelloSign share with suspicious sender or document name [sublime, medium]
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail [sublime, high]
Service abuse: Nylas tracking subdomain with suspicious content [sublime, medium]
Service abuse: Payoneer callback scam [sublime, medium]
Service abuse: QuickBooks notification from new domain [sublime, medium]
Service abuse: QuickBooks notification with suspicious comments [sublime, medium]
Service abuse: Recruiting with suspicious language patterns from legitimate platforms [sublime, medium]
Service abuse: Roomsy with unrelated body content [sublime, medium]
Service abuse: SendThisFile with credential theft and financial language [sublime, medium]
Service abuse: Trello board invitation with VIP impersonation [sublime, medium]
Sharepoint link likely unrelated to sender [sublime, medium]
Spam/fraud: Predatory journal/research paper request [sublime, medium]
Stripe invoice abuse [sublime, medium]
Suspected lookalike domain with suspicious language [sublime, medium]
Suspicious attachment with unscannable Cloudflare link [sublime, medium]
Suspicious display name: Gmail sender with engaging language [sublime, low]
Suspicious DocuSign share from new domain [sublime, high]
Suspicious Links to Cloudflare R2 and Edge Services [sublime, medium]
Suspicious newly registered reply-to domain with engaging financial or urgent language [sublime, medium]
Suspicious request for financial information [sublime, high]
Tax Form: W-8BEN solicitation [sublime, medium]
Vendor impersonation: Thread hijacking with typosquat domain [sublime, high]
Venmo payment request abuse [sublime, medium]
VIP / Executive impersonation (strict match, untrusted) [sublime, high]
VIP / Executive impersonation in subject (untrusted) [sublime, medium]
VIP Impersonation via Google Group relay with suspicious indicators [sublime, high]
VIP impersonation with BEC language (near match, untrusted sender) [sublime, medium]
VIP impersonation with charitable donation fraud [sublime, high]
VIP impersonation with invoicing request [sublime, high]
VIP impersonation with urgent request (strict match, untrusted sender) [sublime, high]
VIP impersonation with w2 request with reply-to mismatch [sublime, high]
VIP impersonation: Fake thread with display name match, email mismatch [sublime, medium]
VIP local_part impersonation from unsolicited sender [sublime, high]
Xero invoice abuse [sublime, medium]