EXPLORE
← Back to Explore
T1566

Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malic...

Identity ProviderLinuxmacOSOffice SuiteSaaSWindows
1100
Detections
6
Sources
8
Threat Actors

BY SOURCE

1011sublime52elastic16splunk_escu11sigma8kql2crowdstrike_cql

PROCEDURES (146)

Authentication Monitoring98 detections

Auto-extracted: 98 detections for authentication monitoring

Email Security60 detections

Auto-extracted: 60 detections for email security

Credential46 detections

Auto-extracted: 46 detections for credential

Impersonat43 detections

Auto-extracted: 43 detections for impersonat

Impersonat42 detections

Auto-extracted: 42 detections for impersonat

Service42 detections

Auto-extracted: 42 detections for service

General Monitoring39 detections

Auto-extracted: 39 detections for general monitoring

Attachment37 detections

Auto-extracted: 37 detections for attachment

Credential33 detections

Auto-extracted: 33 detections for credential

Email25 detections

Auto-extracted: 25 detections for email

Attachment21 detections

Auto-extracted: 21 detections for attachment

Service21 detections

Auto-extracted: 21 detections for service

Phish21 detections

Auto-extracted: 21 detections for phish

Suspicious18 detections

Auto-extracted: 18 detections for suspicious

Suspicious18 detections

Auto-extracted: 18 detections for suspicious

Suspicious18 detections

Auto-extracted: 18 detections for suspicious

Attachment16 detections

Auto-extracted: 16 detections for attachment

Phish16 detections

Auto-extracted: 16 detections for phish

Base6415 detections

Auto-extracted: 15 detections for base64

Network Connection Monitoring15 detections

Auto-extracted: 15 detections for network connection monitoring

Credential13 detections

Auto-extracted: 13 detections for credential

Script Execution Monitoring13 detections

Auto-extracted: 13 detections for script execution monitoring

Impersonat12 detections

Auto-extracted: 12 detections for impersonat

Email12 detections

Auto-extracted: 12 detections for email

Bypass11 detections

Auto-extracted: 11 detections for bypass

Service10 detections

Auto-extracted: 10 detections for service

Impersonat9 detections

Auto-extracted: 9 detections for impersonat

Phish8 detections

Auto-extracted: 8 detections for phish

Phish8 detections

Auto-extracted: 8 detections for phish

Suspicious8 detections

Auto-extracted: 8 detections for suspicious

Bypass8 detections

Auto-extracted: 8 detections for bypass

Credential8 detections

Auto-extracted: 8 detections for credential

Email7 detections

Auto-extracted: 7 detections for email

Download7 detections

Auto-extracted: 7 detections for download

Service7 detections

Auto-extracted: 7 detections for service

Office6 detections

Auto-extracted: 6 detections for office

Suspicious6 detections

Auto-extracted: 6 detections for suspicious

Obfuscat5 detections

Auto-extracted: 5 detections for obfuscat

Cloud5 detections

Auto-extracted: 5 detections for cloud

Attachment5 detections

Auto-extracted: 5 detections for attachment

Credential5 detections

Auto-extracted: 5 detections for credential

Office5 detections

Auto-extracted: 5 detections for office

Token5 detections

Auto-extracted: 5 detections for token

Api5 detections

Auto-extracted: 5 detections for api

Api5 detections

Auto-extracted: 5 detections for api

Ransomware4 detections

Auto-extracted: 4 detections for ransomware

Service4 detections

Auto-extracted: 4 detections for service

Cloud4 detections

Auto-extracted: 4 detections for cloud

Powershell4 detections

Auto-extracted: 4 detections for powershell

Unusual4 detections

Auto-extracted: 4 detections for unusual

Encrypt4 detections

Auto-extracted: 4 detections for encrypt

Download4 detections

Auto-extracted: 4 detections for download

Macro4 detections

Auto-extracted: 4 detections for macro

Base644 detections

Auto-extracted: 4 detections for base64

Service4 detections

Auto-extracted: 4 detections for service

Inject3 detections

Auto-extracted: 3 detections for inject

Obfuscat3 detections

Auto-extracted: 3 detections for obfuscat

Unusual3 detections

Auto-extracted: 3 detections for unusual

Impersonat3 detections

Auto-extracted: 3 detections for impersonat

Evasion3 detections

Auto-extracted: 3 detections for evasion

Aws3 detections

Auto-extracted: 3 detections for aws

Download3 detections

Auto-extracted: 3 detections for download

Obfuscat3 detections

Auto-extracted: 3 detections for obfuscat

Encrypt3 detections

Auto-extracted: 3 detections for encrypt

Http3 detections

Auto-extracted: 3 detections for http

Api2 detections

Auto-extracted: 2 detections for api

Bypass2 detections

Auto-extracted: 2 detections for bypass

Oauth2 detections

Auto-extracted: 2 detections for oauth

Token2 detections

Auto-extracted: 2 detections for token

Service Monitoring2 detections

Auto-extracted: 2 detections for service monitoring

Cloud2 detections

Auto-extracted: 2 detections for cloud

Child Process2 detections

Auto-extracted: 2 detections for child process

Bypass2 detections

Auto-extracted: 2 detections for bypass

Azure2 detections

Auto-extracted: 2 detections for azure

Macro2 detections

Auto-extracted: 2 detections for macro

Download2 detections

Auto-extracted: 2 detections for download

Office2 detections

Auto-extracted: 2 detections for office

Http2 detections

Auto-extracted: 2 detections for http

Oauth2 detections

Auto-extracted: 2 detections for oauth

Office2 detections

Auto-extracted: 2 detections for office

Unusual2 detections

Auto-extracted: 2 detections for unusual

Macro2 detections

Auto-extracted: 2 detections for macro

Cloud2 detections

Auto-extracted: 2 detections for cloud

Credential2 detections

Auto-extracted: 2 detections for credential

Evasion2 detections

Auto-extracted: 2 detections for evasion

Evasion2 detections

Auto-extracted: 2 detections for evasion

Evasion2 detections

Auto-extracted: 2 detections for evasion

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Remote2 detections

Auto-extracted: 2 detections for remote

Azure1 detections

Auto-extracted: 1 detections for azure

Persist1 detections

Auto-extracted: 1 detections for persist

Token1 detections

Auto-extracted: 1 detections for token

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Attachment1 detections

Auto-extracted: 1 detections for attachment

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Token1 detections

Auto-extracted: 1 detections for token

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Api1 detections

Auto-extracted: 1 detections for api

Inject1 detections

Auto-extracted: 1 detections for inject

Child Process1 detections

Auto-extracted: 1 detections for child process

Http1 detections

Auto-extracted: 1 detections for http

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Unusual1 detections

Auto-extracted: 1 detections for unusual

Base641 detections

Auto-extracted: 1 detections for base64

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Obfuscat1 detections

Auto-extracted: 1 detections for obfuscat

Office1 detections

Auto-extracted: 1 detections for office

Unusual1 detections

Auto-extracted: 1 detections for unusual

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Persist1 detections

Auto-extracted: 1 detections for persist

Cloud1 detections

Auto-extracted: 1 detections for cloud

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Oauth1 detections

Auto-extracted: 1 detections for oauth

Credential1 detections

Auto-extracted: 1 detections for credential

Masquerad1 detections

Auto-extracted: 1 detections for masquerad

Download1 detections

Auto-extracted: 1 detections for download

Http1 detections

Auto-extracted: 1 detections for http

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Masquerad1 detections

Auto-extracted: 1 detections for masquerad

Oauth1 detections

Auto-extracted: 1 detections for oauth

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Child Process1 detections

Auto-extracted: 1 detections for child process

Unusual1 detections

Auto-extracted: 1 detections for unusual

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Aws1 detections

Auto-extracted: 1 detections for aws

Email1 detections

Auto-extracted: 1 detections for email

Oauth1 detections

Auto-extracted: 1 detections for oauth

Unusual1 detections

Auto-extracted: 1 detections for unusual

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Remote1 detections

Auto-extracted: 1 detections for remote

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Child Process1 detections

Auto-extracted: 1 detections for child process

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Remote1 detections

Auto-extracted: 1 detections for remote

Aws1 detections

Auto-extracted: 1 detections for aws

Attachment1 detections

Auto-extracted: 1 detections for attachment

Oauth1 detections

Auto-extracted: 1 detections for oauth

Masquerad1 detections

Auto-extracted: 1 detections for masquerad

Base641 detections

Auto-extracted: 1 detections for base64

DETECTIONS (1100)

Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
sublimehigh
Abuse: Robinhood injected content
sublimemedium
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
sublimemedium
AnonymousFox indicators
sublimehigh
AsyncRAT Initial Access Campaign via OneNote files
kql
Attachment with VBA macros from employee impersonation (unsolicited)
sublimehigh
Attachment: Adobe image lure in body or attachment with suspicious link
sublimemedium
Attachment: Adobe Sign lure PDF with embedded banner images
sublimemedium
Attachment: Any HTML file within archive (unsolicited)
sublimemedium
Attachment: Archive containing HTML file with file scheme link
sublimehigh
Attachment: Calendar file with invisible Unicode characters
sublimehigh
Attachment: Calendar invite from recently registered domain
sublimehigh
Attachment: Calendar invite with Google redirect and invoice request
sublimemedium
Attachment: Calendar invite with suspicious link leading to an open redirect
sublimehigh
Attachment: Callback phishing solicitation via image file
sublimehigh
Attachment: Callback phishing solicitation via pdf file
sublimehigh
Attachment: Callback phishing solicitation via text-based file
sublimemedium
Attachment: Canva PDF with susupicious author metadata
sublimehigh
Attachment: Cold outreach with invitation subject and not attachment
sublimehigh
Attachment: Compensation review lure with QR code
sublimehigh
Attachment: Compensation-themed DOCX with QR code credential theft
sublimehigh
Attachment: Credit card application with WhatsApp contact
sublimemedium
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
sublimecritical
Attachment: Decoy PDF author (Julie P.)
sublimehigh
Attachment: DocuSign impersonation via PDF linking to new domain
sublimemedium
Attachment: DOCX with hyperlink targeting recipient address
sublimemedium
Attachment: DOCX with malicious document template artifacts
sublimemedium
Attachment: Double base64-encoded zip file in HTML smuggling attachment
sublimehigh
Attachment: Dropbox image lure with no Dropbox domains in links
sublimemedium
Attachment: Duplicated header pages in fraudulent multi-page PDF Request for Quotation
sublimemedium
Attachment: EML containing a base64 encoded script
sublimehigh
Attachment: EML file contains HTML attachment with login portal indicators
sublimehigh
Attachment: EML file with HTML attachment (unsolicited)
sublimemedium
Attachment: EML file with IPFS links
sublimemedium
Attachment: EML with embedded Javascript in SVG file
sublimehigh
Attachment: EML with link to credential phishing page
sublimehigh
Attachment: EML with QR code redirecting to Cloudflare challenges
sublimelow
Attachment: EML with SharePoint files shared from GoDaddy federated tenants
sublimelow
Attachment: EML with Sharepoint link likely unrelated to sender
sublimemedium
Attachment: EML with suspicious indicators
sublimemedium
Attachment: Employment contract update with suspicious file naming
sublimehigh
Attachment: Encrypted PDF With Credential Harvesting Indicators
sublimemedium
Attachment: Encrypted PDF with credential theft body
sublimemedium
Attachment: Encrypted PDF with credential theft language in EML
sublimemedium
Attachment: Encrypted zip file with payment-related lure
sublimemedium
Attachment: Excel file with document sharing lure created by Go Excelize
sublimehigh
Attachment: Excel file with suspicious template identifier
sublimehigh
Attachment: Excel Web Query File (IQY)
sublimehigh
Attachment: Fake attachment image lure
sublimemedium
Attachment: Fake lawyer & sports agent identities
sublimehigh
Attachment: Fake PDF Invoices Yara
sublimemedium
Attachment: Fake scan-to-email
sublimemedium
Attachment: Fake secure message and suspicious indicators
sublimemedium
Attachment: Fake Slack installer
sublimehigh
Attachment: Fake voicemail via PDF
sublimemedium
Attachment: Fake Zoom installer
sublimehigh
Attachment: Fictitious invoice using LinkedIn's address
sublimemedium
Attachment: Finance themed PDF with observed phishing template
sublimemedium
Attachment: HTML attachment with Javascript location
sublimehigh
Attachment: HTML attachment with login portal indicators
sublimemedium
Attachment: HTML file contains exclusively Javascript
sublimemedium
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
sublimehigh
Attachment: HTML file with excessive padding and suspicious patterns
sublimehigh
Attachment: HTML file with reference to recipient and suspicious patterns
sublimehigh
Attachment: HTML smuggling - QR Code with suspicious links
sublimehigh
Attachment: HTML smuggling 'body onload' linking to suspicious destination
sublimehigh
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
sublimehigh
Attachment: HTML smuggling Microsoft sign in
sublimehigh
Attachment: HTML smuggling with atob and high entropy
sublimehigh
Attachment: HTML smuggling with atob and high entropy via calendar invite
sublimehigh
Attachment: HTML smuggling with auto-downloaded file
sublimehigh
Attachment: HTML smuggling with base64 encoded JavaScript function
sublimehigh
Attachment: HTML smuggling with base64 encoded ZIP file
sublimemedium
Attachment: HTML smuggling with concatenation obfuscation
sublimehigh
Attachment: HTML smuggling with decimal encoding
sublimehigh
Attachment: HTML smuggling with embedded base64 streamed file download
sublimehigh
Attachment: HTML smuggling with embedded base64-encoded ISO
sublimehigh
Attachment: HTML smuggling with eval and atob
sublimehigh
Attachment: HTML smuggling with eval and atob via calendar invite
sublimehigh
Attachment: HTML smuggling with excessive line break obfuscation
sublimehigh
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
sublimemedium
Attachment: HTML smuggling with fromCharCode and other signals
sublimehigh
Attachment: HTML smuggling with hex strings
sublimemedium
Attachment: HTML smuggling with raw array buffer
sublimehigh
Attachment: HTML smuggling with RC4 decryption
sublimehigh
Attachment: HTML smuggling with ROT13
sublimehigh
Attachment: HTML smuggling with setTimeout
sublimehigh
Attachment: HTML smuggling with unescape
sublimehigh
Attachment: HTML with emoji-to-character map
sublimehigh
Attachment: HTML with hidden body
sublimehigh
Attachment: HTML with JavaScript functions for HTTP requests
sublimehigh
Attachment: HTML with obfuscation and recipient's email in JavaScript strings
sublimehigh
Attachment: ICS calendar file with base64 encoded recipient address in URL parameters
sublimehigh
Attachment: ICS calendar file with QR code containing recipient email address
sublimehigh
Attachment: ICS calendar file with recipient address in UID field
sublimehigh
Attachment: ICS calendar file with suspicious product identifier
sublimemedium
Attachment: ICS calendar file with suspicious UID domain
sublimemedium
Attachment: ICS calendar with embedded file from internal sender with SPF failure
sublimehigh
Attachment: ICS file with AWS Lambda URL
sublimemedium
Attachment: ICS file with links to newly registered domains
sublimemedium
Attachment: ICS file with meeting prefix
sublimehigh
Attachment: ICS file with non-Gregorian calendar scale
sublimemedium
Attachment: ICS with embedded Javascript in SVG file
sublimehigh
Attachment: ICS with employee policy review lure
sublimehigh
Attachment: Invoice and W-9 PDFs with suspicious creators
sublimehigh
Attachment: JPEG with gd-jpeg creator and suspicious file name
sublimehigh
Attachment: Legal themed message or PDF with suspicious indicators
sublimemedium
Attachment: Link file with UNC path
sublimemedium
Attachment: Link to Doubleclick.net open redirect
sublimemedium
Attachment: Macro files containing MHT content
sublimemedium
Attachment: Malformed OLE file
sublimehigh
Attachment: Microsoft 365 credential phishing
sublimehigh
Attachment: Microsoft impersonation via PDF with link and suspicious language
sublimehigh
Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
sublimehigh
Attachment: Office file contains OLE relationship to credential phishing page
sublimehigh
Attachment: Office file with credential phishing URLs
sublimemedium
Attachment: Office file with document sharing and browser instruction lures
sublimehigh
Attachment: Password-protected PDF with fake document indicators
sublimemedium
Attachment: PDF Attachment with links to workers.dev
sublimemedium
Attachment: PDF bid/proposal lure with credential theft indicators
sublimemedium
Attachment: PDF contains W9 or invoice YARA signatures
sublimemedium
Attachment: PDF file with link to fake Bitcoin exchange
sublimelow
Attachment: PDF file with recipient domain and ATT eCheckRun pattern
sublimemedium
Attachment: PDF generated with wkhtmltopdf tool and default title
sublimelow
Attachment: PDF Object Hash associated with fake Canada Revenue Agency documents
sublimemedium
Attachment: PDF proposal with credential theft indicators
sublimehigh
Attachment: PDF with a suspicious string and single URL
sublimehigh
Attachment: PDF with blurry lure image
sublimemedium
Attachment: PDF with credential theft language and invalid reply-to domain
sublimemedium
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
sublimemedium
Attachment: PDF with eCheckRun lures
sublimemedium
Attachment: PDF with fake invoice using suspicious font sizing
sublimemedium
Attachment: PDF with localhost IP in EXIF title metadata
sublimemedium
Attachment: PDF with Microsoft Purview message impersonation
sublimemedium
Attachment: PDF with multistage landing - ClickUp abuse
sublimehigh
Attachment: PDF with password in filename matching body text
sublimemedium
Attachment: PDF with personal Microsoft OneNote URL
sublimemedium
Attachment: PDF with QR code containing recipient-specific credential theft content
sublimehigh
Attachment: PDF with quote lure
sublimemedium
Attachment: PDF with recipient email in link
sublimehigh
Attachment: PDF with ReportLab library and default metadata
sublimelow
Attachment: PDF With SAI Global ISO9001 Logo
sublimehigh
Attachment: PDF with self-service platform links with self sender or blank recipients
sublimemedium
Attachment: PDF with specific author metadata
sublimehigh
Attachment: PDF with specific W-9 lure
sublimemedium
Attachment: PDF with split QR code
sublimemedium
Attachment: PDF with suspicious document view lure
sublimemedium
Attachment: PDF with suspicious HeadlessChrome metadata
sublimemedium
Attachment: PDF with suspicious language and redirect to suspicious file type
sublimehigh
Attachment: PDF with suspicious link and action-oriented language
sublimehigh
Attachment: PDF with suspicious view document characteristics
sublimemedium
Attachment: PDF with W-9 form indicators
sublimehigh
Attachment: QR code link with base64-encoded recipient address
sublimehigh
Attachment: QR code with credential phishing indicators
sublimemedium
Attachment: QR code with encoded recipient targeting and redirect indicators
sublimehigh
Attachment: QR code with recipient targeting and special characters
sublimehigh
Attachment: QR code with suspicious URL patterns in EML file
sublimehigh
Attachment: QR code with userinfo portion
sublimehigh
Attachment: RDP connection file
sublimemedium
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
sublimemedium
Attachment: RFP/RFQ impersonating government entities
sublimehigh
Attachment: Romance scam with image lure and advance-fee or suspicious link indicators
sublimemedium
Attachment: RTF file with suspicious link
sublimemedium
Attachment: Self-sender PDF with minimal content and view prompt
sublimehigh
Attachment: Small text file with link containing recipient email address
sublimemedium
Attachment: Soda PDF producer with encryption themes
sublimehigh
Attachment: Suspicious employee policy update document lure
sublimemedium
Attachment: Suspicious PDF created with headless browser
sublimehigh
Attachment: SVG file with HTML entity encoded href attributes
sublimemedium
Attachment: SVG file with hyperlinks and cursor styling
sublimemedium
Attachment: SVG files with evasion elements
sublimehigh
Attachment: Uncommon compressed file
sublimelow
Attachment: USDA bid invitation impersonation
sublimemedium
Attachment: Web files with suspicious comments
sublimehigh
Attachment: XLSX file with suspicious print titles metadata
sublimehigh
BEC with unusual reply-to or return-path mismatch
sublimehigh
BEC: Employee impersonation with subject manipulation
sublimehigh
BEC: Executive coaching vendor impersonation
sublimemedium
BEC: Financial fraud from newly registered sender domain
sublimemedium
BEC/Fraud: Fake investment outreach from suspicious TLD
sublimemedium
BEC/Fraud: Generic scam attempt to undisclosed recipients
sublimelow
BEC/Fraud: Penpal scam
sublimemedium
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
sublimemedium
BEC/Fraud: Romance scam
sublimemedium
BEC/Fraud: Student loan callback phishing
sublimemedium
BEC/Fraud: Unsolicited business acquisition offer
sublimemedium
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
sublimemedium
Benefits enrollment impersonation
sublimehigh
Body HTML: Comment with 24-character hex token
sublimelow
Body HTML: Recipient SLD in HTML class
sublimemedium
Body: Embedded email headers indicative of thread hijacking/abuse
sublimemedium
Body: Fake secure email portal with HTML obfuscation
sublimehigh
Body: HTML whitespace stuffing with short initial message
sublimemedium
Body: Invisible Unicode obfuscation student loan callback phishing
sublimemedium
Body: PayApp transaction reference pattern
sublimemedium
Body: Suspicious date format
sublimemedium
Body: Suspicious table template fingerprint
sublimemedium
Body: Yellow highlighted text markers
sublimelow
Brand impersonation: AARP
sublimemedium
Brand impersonation: Adobe (QR code)
sublimehigh