Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.

ID: T1566
Sub-techniques:  T1566.001, T1566.002, T1566.003
Tactic: Initial Access
Platforms: Google Workspace, Linux, Office 365, SaaS, Windows, macOS
Contributors: Philip Winther
Version: 2.2
Created: 02 March 2020
Last Modified: 04 January 2022

Procedure Examples

ID Name Description
G0001 Axiom

Axiom has used spear phishing to initially compromise victims.[1][2]


GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.[3]

S0009 Hikit

Hikit has been spread through spear phishing.[2]


ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can automatically quarantine suspicious files.

M1031 Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.

M1021 Restrict Web-Based Content

Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

M1054 Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[4][5]

M1017 User Training

Users can be trained to identify social engineering techniques and phishing emails.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0022 File File Creation
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow

Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[4][5]

URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.

Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once User Execution occurs.