T1598.003

Spearphishing Link

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Comp...
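Most of the detections catalogued for this technique rest on one observation: the message invokes a trusted brand (in the display name, subject or body) while the links it carries do not land on that brand's domains, or land on a lookalike built from homoglyphs or from the brand name embedded in an unrelated host. The following triage routine is an added example written for this page; it is not code from the page, from MITRE or from the "sublime" detection source. The brand-to-domain table, the homoglyph map and the three sample messages are constructed assumptions, and `registrable()` is a deliberate simplification (production code would consult the Public Suffix List rather than take the last two labels).

```python
"""Added example: triage heuristics for spearphishing-link e-mail.

Not code from this page or from any detection vendor. The brand table,
homoglyph map and sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> registrable domains the brand legitimately links to (illustrative).
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
    "dropbox": {"dropbox.com"},
    "microsoft": {"microsoft.com", "office.com", "sharepoint.com", "live.com"},
    "zoom": {"zoom.us"},
}
# Subset of Cyrillic look-alikes and digit swaps used in lookalike domains (assumed).
HOMOGLYPHS = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                            "0": "o", "1": "l", "3": "e"})
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


class _LinkExtractor(HTMLParser):
    """Collects href attributes of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def _text_parts(msg):
    """(subtype, decoded text) for every text/* part; a single-part message walks as itself."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            out.append((part.get_content_subtype(),
                        payload.decode(part.get_content_charset() or "utf-8", "replace")))
    return out


def extract_links(msg):
    """http(s) URLs from HTML anchors plus bare URLs in any text part, deduplicated."""
    links = []
    for subtype, text in _text_parts(msg):
        if subtype == "html":
            parser = _LinkExtractor()
            parser.feed(text)
            links.extend(parser.hrefs)
        links.extend(URL_RE.findall(text))
    return sorted({l for l in links if l.lower().startswith("http")})


def registrable(host):
    """Last two labels of the host. Simplification: real code uses the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw):
    """Return the brands invoked, the links carried and the findings that make the mail suspicious."""
    msg = message_from_string(raw)
    texts = [t for _, t in _text_parts(msg)]
    display, addr = parseaddr(msg.get("From", ""))
    # Normalise homoglyphs before matching so "micr0soft" still counts as a Microsoft mention.
    haystack = " ".join([display, addr, msg.get("Subject", ""), *texts]).lower().translate(HOMOGLYPHS)
    brands = sorted(b for b in BRAND_DOMAINS if b in haystack)
    links = extract_links(msg)
    hosts = sorted({urlparse(l).hostname or "" for l in links})
    findings = []
    # 1. Homoglyph domain: normalising the host yields a real brand domain.
    homoglyph = set()
    for h in hosts:
        norm = registrable(h.translate(HOMOGLYPHS))
        if norm != registrable(h) and any(norm in legit for legit in BRAND_DOMAINS.values()):
            homoglyph.add(h)
            findings.append(f"homoglyph_domain:{h}")
    for brand in brands:
        legit = BRAND_DOMAINS[brand]
        # 2. Brand invoked and links present, but none of them lands on a brand domain.
        if links and not any(registrable(h) in legit for h in hosts):
            findings.append(f"brand_without_brand_link:{brand}")
        # 3. Brand name embedded in an unrelated host, e.g. "zoom-us-meeting.example".
        for h in hosts:
            if h not in homoglyph and registrable(h) not in legit and brand in h.translate(HOMOGLYPHS):
                findings.append(f"lookalike_domain:{h}")
    return {"brands": brands, "links": links, "findings": findings,
            "verdict": "suspicious" if findings else "benign"}


# Constructed sample messages (not real mail). Domains under .example are placeholders.
SAMPLE_PHISH = """From: "DocuSign" <notify@mail-docs.example>
To: finance@victim.example
Subject: Completed: please review and sign your document
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>DocuSign: a document is waiting for your review.</p>
<a href="https://docs-review.example/view?id=1">REVIEW DOCUMENT</a></body></html>
"""
SAMPLE_LEGIT = """From: "DocuSign" <dse@docusign.net>
Subject: Please review: Q3 agreement
Content-Type: text/plain; charset="utf-8"

Review the document: https://na2.docusign.net/Signing/EmailStart.aspx?a=abc
"""
SAMPLE_LOOKALIKE = """From: "Zoom Meetings" <no-reply@zoom-us-meeting.example>
Subject: Meeting invitation
Content-Type: text/plain

Join now: https://zoom-us-meeting.example/j/1234 or sign in at https://micr0soft.com/login
"""

if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("lookalike", SAMPLE_LOOKALIKE)]:
        print(name, triage(raw))
```

The legitimate DocuSign notification passes because its link resolves to a listed brand domain; the first sample is flagged only for carrying no brand link at all, which is the same signal behind list entries such as "Dropbox image lure with no Dropbox domains in links" and "Fake DocuSign HTML table not linking to DocuSign domains". The brand-mention scan is intentionally broad (a substring match on normalised text), so in practice it should be paired with sender reputation, domain age and authentication results before a verdict is acted on.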

Platform: PRE
Detections: 271
Sources: 1
Threat actors: 15

BY SOURCE

sublime: 271 detections

PROCEDURES (56)

Auto-extracted keyword stems, each with the number of detections it matched:

Impersonat: 36
Impersonat: 30
Attachment: 12
Authentication Monitoring: 11
Credential: 11
Impersonat: 10
Email: 10
Email: 10
Suspicious: 9
Email Security: 9
Phish: 9
Service: 8
Service: 8
Credential: 7
Network Connection Monitoring: 6
Attachment: 6
Impersonat: 6
Phish: 4
Suspicious: 4
Email: 4
Download: 3
Script Execution Monitoring: 3
Cloud: 3
Suspicious: 3
General Monitoring: 3
Download: 3
Service: 3
Attachment: 3
Suspicious: 2
Office: 2
Phish: 2
Office: 2
Credential: 2
Api: 2
Cloud: 2
Phish: 2
Evasion: 2
Attachment: 1
Impersonat: 1
Ransomware: 1
Bypass: 1
Impersonat: 1
Attachment: 1
Attachment: 1
Cloud: 1
Masquerad: 1
Email: 1
Remote: 1
Ransomware: 1
Download: 1
Masquerad: 1
Service: 1
Bypass: 1
Token: 1
Service: 1
Impersonat: 1

DETECTIONS (271)

Each entry is listed as: detection name (source, severity).

Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure (sublime, high)
Adobe branded PDF file linking to a password-protected file from untrusted sender (sublime, high)
Attachment: Adobe image lure in body or attachment with suspicious link (sublime, medium)
Attachment: Decoy PDF author (Julie P.) (sublime, high)
Attachment: DocuSign impersonation via PDF linking to new domain (sublime, medium)
Attachment: Dropbox image lure with no Dropbox domains in links (sublime, medium)
Attachment: EML with SharePoint files shared from GoDaddy federated tenants (sublime, low)
Attachment: EML with Sharepoint link likely unrelated to sender (sublime, medium)
Attachment: Fake secure message and suspicious indicators (sublime, medium)
Attachment: Fake Slack installer (sublime, high)
Attachment: Fake Zoom installer (sublime, high)
Attachment: HTML smuggling Microsoft sign in (sublime, high)
Attachment: HTML with emoji-to-character map (sublime, high)
Attachment: Invoice and W-9 PDFs with suspicious creators (sublime, high)
Attachment: Microsoft 365 credential phishing (sublime, high)
Attachment: Microsoft impersonation via PDF with link and suspicious language (sublime, high)
Attachment: PDF file with link to fake Bitcoin exchange (sublime, low)
Attachment: PDF with Microsoft Purview message impersonation (sublime, medium)
Attachment: RFP/RFQ impersonating government entities (sublime, high)
Attachment: USDA bid invitation impersonation (sublime, medium)
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns (sublime, medium)
Body: PayApp transaction reference pattern (sublime, medium)
Brand impersonation: AARP (sublime, medium)
Brand impersonation: Adobe (QR code) (sublime, high)
Brand impersonation: Adobe Sign with suspicious indicators (sublime, high)
Brand impersonation: Adobe with suspicious language and link (sublime, high)
Brand impersonation: ADP (sublime, medium)
Brand impersonation: AliExpress (sublime, medium)
Brand impersonation: Amazon (sublime, low)
Brand impersonation: Amazon Web Services (AWS) (sublime, medium)
Brand impersonation: Amazon with suspicious attachment (sublime, medium)
Brand impersonation: American Express (AMEX) (sublime, low)
Brand impersonation: Apple (sublime, high)
Brand impersonation: Aquent (sublime, medium)
Brand impersonation: Aramco (sublime, medium)
Brand impersonation: AuthentiSign (sublime, medium)
Brand impersonation: Bank of America (sublime, high)
Brand impersonation: Barracuda Networks (sublime, medium)
Brand impersonation: Binance (sublime, medium)
Brand impersonation: Blockchain[.]com (sublime, medium)
Brand impersonation: Booking.com (sublime, medium)
Brand impersonation: Box file sharing service (sublime, medium)
Brand impersonation: Capital One (sublime, high)
Brand impersonation: Charles Schwab (sublime, medium)
Brand impersonation: Chase Bank (sublime, high)
Brand impersonation: Chase bank with credential phishing indicators (sublime, medium)
Brand impersonation: Coinbase (sublime, high)
Brand impersonation: Coinbase with suspicious links (sublime, medium)
Brand impersonation: Dashlane (sublime, medium)
Brand impersonation: DHL (sublime, low)
Brand impersonation: DigitalOcean (sublime, high)
Brand impersonation: Discord notification (sublime, medium)
Brand Impersonation: Disney (sublime, medium)
Brand impersonation: DocSend (sublime, high)
Brand impersonation: DocuSign (sublime, high)
Brand impersonation: DocuSign (QR code) (sublime, high)
Brand impersonation: DocuSign branded attachment lure with no DocuSign links (sublime, high)
Brand impersonation: DocuSign PDF attachment with suspicious link (sublime, high)
Brand impersonation: DocuSign with embedded QR code (sublime, high)
Brand impersonation: DoorDash (sublime, medium)
Brand impersonation: Dotloop (sublime, medium)
Brand impersonation: Dropbox (sublime, medium)
Brand impersonation: Enbridge (sublime, medium)
Brand impersonation: Evite (sublime, medium)
Brand impersonation: Exodus (sublime, low)
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains (sublime, medium)
Brand impersonation: Fake Fax (sublime, medium)
Brand impersonation: Fastway (sublime, medium)
Brand impersonation: FedEx (sublime, low)
Brand impersonation: File sharing notification with template artifacts (sublime, low)
Brand impersonation: FINRA (sublime, medium)
Brand Impersonation: Gemini Trust Company (sublime, medium)
Brand impersonation: Github (sublime, high)
Brand impersonation: GitHub with callback scam indicators (sublime, medium)
Brand impersonation: GoDaddy (sublime, medium)
Brand Impersonation: Google (QR Code) (sublime, high)
Brand impersonation: Google Careers (sublime, high)
Brand impersonation: Google Drive fake file share (sublime, medium)
Brand impersonation: Google fake sign-in warning (sublime, high)
Brand impersonation: Google Meet with malicious link (sublime, medium)
Brand impersonation: Google using Microsoft Forms (sublime, high)
Brand impersonation: Google Workspace alert notification (sublime, medium)
Brand impersonation: Greenvelope (sublime, medium)
Brand impersonation: Gusto (sublime, medium)
Brand impersonation: Hulu (sublime, medium)
Brand impersonation: Interac (sublime, medium)
Brand impersonation: Internal Revenue Service (sublime, high)
Brand impersonation: KnowBe4 (sublime, medium)
Brand impersonation: LastPass (sublime, high)
Brand impersonation: Ledger (sublime, low)
Brand impersonation: LinkedIn (sublime, medium)
Brand impersonation: Mailchimp (sublime, medium)
Brand impersonation: Mailgun (sublime, medium)
Brand impersonation: Marriott with gift language (sublime, medium)
Brand impersonation: McAfee (sublime, medium)
Brand impersonation: Meta and subsidiaries (sublime, medium)
Brand impersonation: MetaMask (sublime, high)
Brand impersonation: Microsoft (sublime, high)
Brand impersonation: Microsoft (QR code) (sublime, high)
Brand impersonation: Microsoft fake sign-in alert (sublime, medium)
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification (sublime, high)
Brand impersonation: Microsoft logo or suspicious language with open redirect (sublime, high)
Brand impersonation: Microsoft Planner with suspicious link (sublime, medium)
Brand impersonation: Microsoft quarantine release notification in body (sublime, high)
Brand impersonation: Microsoft quarantine release notification in image attachment (sublime, high)
Brand impersonation: Microsoft Teams (sublime, high)
Brand impersonation: Microsoft Teams invitation (sublime, high)
Brand impersonation: Microsoft with embedded logo and credential theft language (sublime, high)
Brand impersonation: Microsoft with low reputation links (sublime, medium)
Brand impersonation: Navan (sublime, medium)
Brand impersonation: Netflix (sublime, low)
Brand impersonation: Norton (sublime, low)
Brand impersonation: Office 365 mail service (sublime, medium)
Brand impersonation: Okta (sublime, medium)
Brand impersonation: Outlook (sublime, high)
Brand impersonation: Paperless Post (sublime, high)
Brand Impersonation: PayPal (sublime, medium)
Brand impersonation: PNC (sublime, medium)
Brand Impersonation: Procore (sublime, medium)
Brand impersonation: Proofpoint secure messaging without legitimate indicators (sublime, high)
Brand impersonation: Punchbowl (sublime, medium)
Brand impersonation: Purdue ePlanroom with suspicious links (sublime, medium)
Brand impersonation: Quickbooks (sublime, medium)
Brand impersonation: Ripple (sublime, low)
Brand impersonation: Robert Half (sublime, medium)
Brand impersonation: Robinhood (sublime, medium)
Brand impersonation: SendGrid (sublime, medium)
Brand Impersonation: ShareFile (sublime, medium)
Brand impersonation: Sharepoint (sublime, high)
Brand impersonation: Sharepoint fake file share (sublime, medium)
Brand impersonation: SharePoint PDF attachment with credential theft language (sublime, medium)
Brand Impersonation: Shein (sublime, medium)
Brand impersonation: Silicon Valley Bank (sublime, medium)
Brand impersonation: SiriusXM (sublime, medium)
Brand impersonation: Spotify (sublime, low)
Brand impersonation: Square (sublime, medium)
Brand impersonation: Squarespace (sublime, medium)
Brand impersonation: State Farm (sublime, medium)
Brand impersonation: Stellar Development Foundation (SDF) (sublime, low)
Brand Impersonation: Stripe (sublime, high)
Brand impersonation: Stripe notification (sublime, medium)
Brand impersonation: Sublime Security (sublime, high)
Brand impersonation: Survey request with credential theft indicators (sublime, medium)
Brand impersonation: TikTok (sublime, medium)
Brand impersonation: Toronto-Dominion Bank (sublime, medium)
Brand impersonation: Trust Wallet (sublime, high)
Brand impersonation: TurboTax (sublime, low)
Brand impersonation: Twitter (sublime, medium)
Brand impersonation: UK government Home Office (sublime, high)
Brand impersonation: ukr[.]net (sublime, medium)
Brand impersonation: United Healthcare (sublime, medium)
Brand impersonation: UPS (sublime, low)
Brand impersonation: USPS (sublime, high)
Brand impersonation: Vanguard (sublime, medium)
Brand impersonation: Vanta (sublime, low)
Brand impersonation: Venmo (sublime, medium)
Brand impersonation: Wells Fargo (sublime, high)
Brand impersonation: WeTransfer (sublime, high)
Brand impersonation: Wise (sublime, high)
Brand impersonation: Wix (sublime, medium)
Brand impersonation: Xodo Sign (sublime, medium)
Brand impersonation: Zoom (sublime, medium)
Brand impersonation: Zoom (strict) (sublime, medium)
Brand impersonation: Zoom via HTML styling (sublime, medium)
Brand impersonation: Zoom via lookalike domain (sublime, high)
Brand impersonation: Zoom with deceptive link display (sublime, medium)
Brand spoof: Dropbox (sublime, medium)
Callback phishing solicitation in message body (sublime, medium)
Callback phishing via Adobe Sign comment (sublime, high)
Callback phishing via Apple ID display name abuse (sublime, high)
Callback phishing via DocuSign comment (sublime, high)
Callback phishing via e-signature service (sublime, high)
Callback phishing via extensionless rfc822 attachment (sublime, high)
Callback phishing via Google Group abuse (sublime, high)
Callback phishing via Intuit service abuse (sublime, medium)
Callback phishing via Microsoft comment (sublime, medium)
Callback Phishing via Signable E-Signature Request (sublime, high)
Callback phishing via SignFree e-signature request (sublime, high)
Callback phishing via Xodo Sign comment (sublime, high)
Callback phishing via Yammer comment (sublime, medium)
Callback phishing via Zoho service abuse (sublime, medium)
Callback Phishing via Zoom comment (sublime, medium)
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old (sublime, medium)
Callback scam: Impersonation via TimeTrade infrastructure (sublime, medium)
Canva infrastructure abuse (sublime, medium)
Cloud storage impersonation with credential theft indicators (sublime, medium)
Credential phishing: Blue button styled link with file-sharing template artifacts (sublime, low)
Credential phishing: DocuSign embedded image lure with no DocuSign domains in links (sublime, high)
Credential phishing: Email delivery failure impersonation (sublime, high)
Credential phishing: Onedrive impersonation (sublime, high)
Credential phishing: Re-Authentication lure (sublime, high)
Credential phishing: Suspicious subject with urgent financial request and link (sublime, medium)
Credential phishing: Tax form impersonation with payment request (sublime, medium)
Current event: CrowdStrike impersonation (sublime, low)
Cyrillic vowel substitutions with suspicious subject from unknown sender (sublime, medium)
Deceptive Dropbox mention (sublime, medium)
DocuSign impersonation via CloudHQ links (sublime, medium)
DocuSign impersonation via spoofed Intuit sender (sublime, high)
Fake shipping notification with link to free file hosting (sublime, low)
Fake Zoom meeting invite with suspicious link (sublime, medium)