T1566.003

Spearphishing via Service

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It differs from other forms of spearphishing in that it uses third-party services rather than enterprise email channels directly. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries ...

Platforms: Linux, macOS, Windows

85 detections, 2 sources, 14 threat actors

BY SOURCE

sublime: 84 detections, elastic: 1 detection

PROCEDURES (32)

Each procedure below is an auto-extracted keyword with the number of detections that match it.

- Phish: 7 detections
- Authentication Monitoring: 7 detections
- Suspicious: 6 detections
- Email: 6 detections
- Remote: 5 detections
- Impersonat: 5 detections
- Network Connection Monitoring: 4 detections
- Email Security: 4 detections
- Service: 4 detections
- Service: 4 detections
- Credential: 3 detections
- Impersonat: 3 detections
- Suspicious: 3 detections
- Suspicious: 2 detections
- Impersonat: 2 detections
- General Monitoring: 2 detections
- Attachment: 2 detections
- Script Execution Monitoring: 2 detections
- Phish: 1 detection
- Attachment: 1 detection
- Attachment: 1 detection
- Remote: 1 detection
- Bypass: 1 detection
- Attachment: 1 detection
- Email: 1 detection
- Bypass: 1 detection
- Phish: 1 detection
- Suspicious: 1 detection
- Bypass: 1 detection
- Credential: 1 detection
- Remote: 1 detection
- Service: 1 detection

DETECTIONS (85)

Each entry lists the detection name followed by its source and severity.

- Attachment: Calendar invite from recently registered domain (sublime, high)
- Attachment: Callback phishing solicitation via image file (sublime, high)
- Attachment: Callback phishing solicitation via pdf file (sublime, high)
- Attachment: Callback phishing solicitation via text-based file (sublime, medium)
- Attachment: PDF generated with wkhtmltopdf tool and default title (sublime, low)
- BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns (sublime, medium)
- Body: PayApp transaction reference pattern (sublime, medium)
- Brand impersonation: AliExpress (sublime, medium)
- Brand impersonation: GitHub with callback scam indicators (sublime, medium)
- Brand impersonation: McAfee (sublime, medium)
- Brand impersonation: Quickbooks (sublime, medium)
- Brand impersonation: QuickBooks notification from Intuit themed company name (sublime, medium)
- Brand impersonation: SiriusXM (sublime, medium)
- Brand impersonation: Vanguard (sublime, medium)
- Brand impersonation: WeTransfer (sublime, high)
- Callback phishing in body or attachment (untrusted sender) (sublime, medium)
- Callback phishing solicitation in message body (sublime, medium)
- Callback phishing via Adobe Sign comment (sublime, high)
- Callback phishing via Apple ID display name abuse (sublime, high)
- Callback phishing via calendar invite (sublime, medium)
- Callback phishing via DocuSign comment (sublime, high)
- Callback phishing via e-signature service (sublime, high)
- Callback phishing via extensionless rfc822 attachment (sublime, high)
- Callback phishing via Google Group abuse (sublime, high)
- Callback phishing via Google Meet (sublime, medium)
- Callback phishing via Intuit service abuse (sublime, medium)
- Callback phishing via Microsoft comment (sublime, medium)
- Callback Phishing via Signable E-Signature Request (sublime, high)
- Callback phishing via SignFree e-signature request (sublime, high)
- Callback phishing via Xodo Sign comment (sublime, high)
- Callback phishing via Yammer comment (sublime, medium)
- Callback phishing via Zelle Service Abuse (sublime, medium)
- Callback phishing via Zoho service abuse (sublime, medium)
- Callback Phishing via Zoom comment (sublime, medium)
- Callback phishing: AOL senders with suspicious HTML template or PDF attachment (sublime, high)
- Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old (sublime, medium)
- Callback phishing: Social Security Administration fraud (sublime, medium)
- Callback phishing: SumUp infrastructure abuse (sublime, high)
- Callback scam: Impersonation via TimeTrade infrastructure (sublime, medium)
- Canva infrastructure abuse (sublime, medium)
- Display Name Emoji with Financial Symbols (sublime, low)
- Encrypted Microsoft Office files from untrusted sender (sublime, medium)
- Generic service abuse from newly registered domain (sublime, high)
- Inbound message from popular service via newly observed distribution list (sublime, medium)
- Link: /index.php enclosed in three asterisks (sublime, medium)
- Link: Direct POWR.io Form Builder with suspicious patterns (sublime, medium)
- Link: Invoice or receipt from freemail sender with customer service number (sublime, low)
- Link: Jensi file preview link from unsolicited sender (sublime, medium)
- Link: Webflow link from unsolicited sender (sublime, medium)
- Link: Zoho form link from unsolicited sender (sublime, medium)
- M365 Azure Monitor Alert Email with Financial or Billing Theme (elastic, low)
- Message traversed multiple onmicrosoft.com tenants (sublime, medium)
- Microsoft infrastructure abuse with suspicious patterns (sublime, high)
- Mismatched links: Free file share with urgent language (sublime, medium)
- PayPal invoice abuse (sublime, medium)
- Potential prompt injection attack in body HTML (sublime, high)
- Reconnaissance: Short generic greeting message (sublime, medium)
- Service abuse: Adobe Sign notification from an unsolicited reply-to address (sublime, medium)
- Service abuse: AWS SNS callback scam impersonation (sublime, medium)
- Service Abuse: Box file sharing with credential phishing intent (sublime, medium)
- Service abuse: Callback phishing via Microsoft Teams invite (sublime, high)
- Service abuse: DocuSign notification with suspicious sender or document name (sublime, medium)
- Service abuse: Dropbox share from an unsolicited reply-to address (sublime, medium)
- Service abuse: Dropbox share from new domain (sublime, medium)
- Service abuse: Dropbox share with suspicious sender or document name (sublime, medium)
- Service abuse: GetAccept callback scam content (sublime, medium)
- Service Abuse: GoDaddy infrastructure (sublime, medium)
- Service abuse: Google Calendar notification with callback scam language (sublime, medium)
- Service abuse: Google classroom solicitation (sublime, medium)
- Service abuse: Google Drive share from an unsolicited reply-to address (sublime, medium)
- Service abuse: Google Drive share from new reply-to domain (sublime, medium)
- Service Abuse: HelloSign share with suspicious sender or document name (sublime, medium)
- Service abuse: Microsoft Power Apps callback scam (sublime, medium)
- Service abuse: Microsoft Power Automate callback scam impersonation (sublime, medium)
- Service abuse: Microsoft Power BI callback scam (sublime, medium)
- Service abuse: Monday.com callback scam (sublime, medium)
- Service abuse: Payoneer callback scam (sublime, medium)
- Service abuse: QuickBooks notification from new domain (sublime, medium)
- Service abuse: QuickBooks notification with suspicious comments (sublime, medium)
- Service abuse: WeTransfer callback scam (sublime, medium)
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com) (sublime, low)
- Stripe invoice abuse (sublime, medium)
- Suspicious Links to Cloudflare R2 and Edge Services (sublime, medium)
- Suspicious mailer received from Gmail servers (sublime, low)
- Venmo payment request abuse (sublime, medium)