MITRE ATT&CK Technique
Initial Access T1192
Description

Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information. (Citation: Trend Micro Pawn Storm OAuth 2017)

Supported Platforms
Windows, macOS, Linux, Office 365, SaaS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2018-04-18T17:59:24.739Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Spearphishing with a link is a specific variant of '
                'spearphishing. It is different from other forms of '
                'spearphishing in that it employs the use of links to download '
                'malware contained in email, instead of attaching malicious '
                'files to the email itself, to avoid defenses that may inspect '
                'email attachments. \n'
                '\n'
                'All forms of spearphishing are electronically delivered '
                'social engineering targeted at a specific individual, '
                'company, or industry. In this case, the malicious emails '
                'contain links. Generally, the links will be accompanied by '
                'social engineering text and require the user to actively '
                'click or copy and paste a URL into a browser, leveraging '
                '[User Execution](https://attack.mitre.org/techniques/T1204). '
                'The visited website may compromise the web browser using an '
                'exploit, or the user will be prompted to download '
                'applications, documents, zip files, or even executables '
                'depending on the pretext for the email in the first place. '
                'Adversaries may also include links that are intended to '
                'interact directly with an email reader, including embedded '
                'images intended to exploit the end system directly or verify '
                'the receipt of an email (i.e. web bugs/web beacons). Links '
                'may also direct users to malicious applications  designed to '
                '[Steal Application Access '
                'Token](https://attack.mitre.org/techniques/T1528)s, like '
                'OAuth tokens, in order to gain access to protected '
                'applications and information.(Citation: Trend Micro Pawn '
                'Storm OAuth 2017)',
 'external_references': [{'external_id': 'T1192',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1192'},
                         {'external_id': 'CAPEC-163',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/163.html'},
                         {'description': 'Hacquebord, F.. (2017, April 25). '
                                         'Pawn Storm Abuses Open '
                                         'Authentication in Advanced Social '
                                         'Engineering Attacks. Retrieved '
                                         'October 4, 2019.',
                          'source_name': 'Trend Micro Pawn Storm OAuth 2017',
                          'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks'}],
 'id': 'attack-pattern--20138b9d-1aac-4a26-8654-a36b6bbf2bba',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'initial-access'}],
 'modified': '2025-10-24T17:48:30.500Z',
 'name': 'Spearphishing Link',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Shailesh Tiwary (Indian Army)',
                          'Mark Wee',
                          'Jeff Sakowicz, Microsoft Identity Developer '
                          'Platform Services (IDPM Services)',
                          'Saisha Agrawal, Microsoft Threat Intelligent Center '
                          '(MSTIC)'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows', 'macOS', 'Linux', 'Office 365', 'SaaS'],
 'x_mitre_version': '1.2'}