MITRE ATT&CK Technique
Initial Access T1566.002
Description

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.

Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an "@" symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)

Adversaries may also utilize links to perform consent phishing/spearphishing campaigns to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s that grant immediate access to the victim environment. For example, a user may be lured into granting adversaries permissions/access via a malicious OAuth 2.0 request URL that, when accepted by the user, provides permissions/access for malicious applications.(Citation: Trend Micro Pawn Storm OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

Similarly, malicious links may also target device-based authorization, such as the OAuth 2.0 device authorization grant flow, which is typically used to authenticate devices without UIs/browsers. Known as "device code phishing," an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.(Citation: SecureWorks Device Code Phishing 2021)(Citation: Netskope Device Code Phishing 2021)(Citation: Optiv Device Code Phishing 2021)
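The URL quirks named in the description (text before "@" discarded, integer or hexadecimal hostnames, IDN lookalike hosts) can be normalised before a link is judged, so that a mail filter or analyst compares the real destination rather than the decoy. This is an added example, not MITRE's or any cited vendor's code; the `hxxp`/`hxxps` defanged-scheme mapping and the flag names are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Defanged schemes, as in the page's own example; mapped back so urlsplit can parse them.
_DEFANG = {"hxxp": "http", "hxxps": "https"}


def canonical_host(host: str) -> str:
    """Return the dotted-quad form of an integer- or hex-encoded IPv4 host;
    any other host is returned unchanged (lower-cased)."""
    h = host.lower()
    if re.fullmatch(r"\d+", h):
        n = int(h, 10)
    elif re.fullmatch(r"0x[0-9a-f]+", h):
        n = int(h, 16)
    else:
        return h
    if n > 0xFFFFFFFF:
        return h  # outside the IPv4 range: not a valid address, leave as seen
    return str(ipaddress.IPv4Address(n))


def analyse_url(url: str) -> dict:
    """Parse a (possibly defanged) URL and report the obfuscation indicators
    described in the technique text. Flag names are this example's own."""
    scheme, sep, rest = url.partition("://")
    if sep:
        url = _DEFANG.get(scheme.lower(), scheme.lower()) + "://" + rest
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    host = canonical_host(raw_host)
    flags = []
    if parts.username is not None:
        # Browsers discard everything before '@'; the real destination is `host`.
        flags.append("userinfo_before_at")
    if host != raw_host:
        flags.append("numeric_host")
    labels = host.split(".")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        flags.append("idn_host")
    try:
        ascii_host = host.encode("idna").decode("ascii")  # punycode form for comparison
    except UnicodeError:
        ascii_host = host
    return {"scheme": parts.scheme, "userinfo": parts.username,
            "host": host, "ascii_host": ascii_host, "flags": flags}


if __name__ == "__main__":
    # Constructed samples: the page's obfuscated URL plus hex-host and IDN variants.
    for u in ("hxxp://google.com@1157586937", "http://0x44ff5ff9/", "https://\u0430pple.com/"):
        print(u, "->", analyse_url(u))
```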

Supported Platforms
Identity Provider, Linux, macOS, Office Suite, SaaS, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-03-02T19:15:44.182Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may send spearphishing emails with a malicious '
                'link in an attempt to gain access to victim systems. '
                'Spearphishing with a link is a specific variant of '
                'spearphishing. It is different from other forms of '
                'spearphishing in that it employs the use of links to download '
                'malware contained in email, instead of attaching malicious '
                'files to the email itself, to avoid defenses that may inspect '
                'email attachments. Spearphishing may also involve social '
                'engineering techniques, such as posing as a trusted source.\n'
                '\n'
                'All forms of spearphishing are electronically delivered '
                'social engineering targeted at a specific individual, '
                'company, or industry. In this case, the malicious emails '
                'contain links. Generally, the links will be accompanied by '
                'social engineering text and require the user to actively '
                'click or copy and paste a URL into a browser, leveraging '
                '[User Execution](https://attack.mitre.org/techniques/T1204). '
                'The visited website may compromise the web browser using an '
                'exploit, or the user will be prompted to download '
                'applications, documents, zip files, or even executables '
                'depending on the pretext for the email in the first place.\n'
                '\n'
                'Adversaries may also include links that are intended to '
                'interact directly with an email reader, including embedded '
                'images intended to exploit the end system directly. '
                'Additionally, adversaries may use seemingly benign links that '
                'abuse special characters to mimic legitimate websites (known '
                'as an "IDN homograph attack").(Citation: CISA IDN ST05-016) '
                'URLs may also be obfuscated by taking advantage of quirks in '
                'the URL schema, such as the acceptance of integer- or '
                'hexadecimal-based hostname formats and the automatic '
                'discarding of text before an “@” symbol: for example, '
                '`hxxp://google.com@1157586937`.(Citation: Mandiant URL '
                'Obfuscation 2023)\n'
                '\n'
                'Adversaries may also utilize links to perform consent '
                'phishing/spearphishing campaigns to [Steal Application Access '
                'Token](https://attack.mitre.org/techniques/T1528)s that grant '
                'immediate access to the victim environment. For example, a '
                'user may be lured into granting adversaries '
                'permissions/access via a malicious OAuth 2.0 request URL that '
                'when accepted by the user provide permissions/access for '
                'malicious applications.(Citation: Trend Micro Pawn Storm '
                'OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing '
                '2021) These stolen access tokens allow the adversary to '
                'perform various actions on behalf of the user via API '
                'calls.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\n'
                '\n'
                'Similarly, malicious links may also target device-based '
                'authorization, such as OAuth 2.0 device authorization grant '
                'flow which is typically used to authenticate devices without '
                'UIs/browsers. Known as “device code phishing,” an adversary '
                'may send a link that directs the victim to a malicious '
                'authorization page where the user is tricked into entering a '
                'code/credentials that produces a device token.(Citation: '
                'SecureWorks Device Code Phishing 2021)(Citation: Netskope '
                'Device Code Phishing 2021)(Citation: Optiv Device Code '
                'Phishing 2021)',
 'external_references': [{'external_id': 'T1566.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1566/002'},
                         {'description': 'Australian Cyber Security Centre. '
                                         '(2012, December). Mitigating Spoofed '
                                         'Emails Using Sender Policy '
                                         'Framework. Retrieved November 17, '
                                         '2024.',
                          'source_name': 'ACSC Email Spoofing',
                          'url': 'https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf'},
                         {'description': 'CISA. (2019, September 27). Security '
                                         'Tip (ST05-016): Understanding '
                                         'Internationalized Domain Names. '
                                         'Retrieved October 20, 2020.',
                          'source_name': 'CISA IDN ST05-016',
                          'url': 'https://us-cert.cisa.gov/ncas/tips/ST05-016'},
                         {'description': 'Hacquebord, F.. (2017, April 25). '
                                         'Pawn Storm Abuses Open '
                                         'Authentication in Advanced Social '
                                         'Engineering Attacks. Retrieved '
                                         'October 4, 2019.',
                          'source_name': 'Trend Micro Pawn Storm OAuth 2017',
                          'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks'},
                         {'description': 'Jenko Hwong. (2021, August 10). New '
                                         'Phishing Attacks Exploiting OAuth '
                                         'Authorization Flows (Part 1). '
                                         'Retrieved March 19, 2024.',
                          'source_name': 'Netskope Device Code Phishing 2021',
                          'url': 'https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1'},
                         {'description': 'Microsoft 365 Defender Threat '
                                         'Intelligence Team. (2021, June 14). '
                                         'Microsoft delivers comprehensive '
                                         'solution to battle rise in consent '
                                         'phishing emails. Retrieved December '
                                         '13, 2021.',
                          'source_name': 'Microsoft OAuth 2.0 Consent Phishing '
                                         '2021',
                          'url': 'https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/'},
                         {'description': 'Microsoft. (2020, October 13). '
                                         'Anti-spoofing protection in EOP. '
                                         'Retrieved October 19, 2020.',
                          'source_name': 'Microsoft Anti Spoofing',
                          'url': 'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide'},
                         {'description': "Nick Simonian. (2023, May 22). Don't "
                                         '@ Me: URL Obfuscation Through Schema '
                                         'Abuse. Retrieved August 4, 2023.',
                          'source_name': 'Mandiant URL Obfuscation 2023',
                          'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'},
                         {'description': 'Optiv. (2021, August 17). Microsoft '
                                         '365 OAuth Device Code Flow and '
                                         'Phishing. Retrieved March 19, 2024.',
                          'source_name': 'Optiv Device Code Phishing 2021',
                          'url': 'https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing'},
                         {'description': 'SecureWorks Counter Threat Unit '
                                         'Research Team. (2021, June 3). '
                                         'OAuth’S Device Code Flow Abused in '
                                         'Phishing Attacks. Retrieved March '
                                         '19, 2024.',
                          'source_name': 'SecureWorks Device Code Phishing '
                                         '2021',
                          'url': 'https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks'}],
 'id': 'attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'initial-access'}],
 'modified': '2025-10-24T17:48:34.123Z',
 'name': 'Spearphishing Link',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Philip Winther',
                          'Shailesh Tiwary (Indian Army)',
                          'Mark Wee',
                          'Jeff Sakowicz, Microsoft Identity Developer '
                          'Platform Services (IDPM Services)',
                          'Saisha Agrawal, Microsoft Threat Intelligent Center '
                          '(MSTIC)',
                          'Kobi Haimovich, CardinalOps',
                          'Menachem Goldstein'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Identity Provider',
                       'Linux',
                       'macOS',
                       'Office Suite',
                       'SaaS',
                       'Windows'],
 'x_mitre_version': '2.8'}
Related Threat Actors (39)
LuminousMoth
High

Wizard Spider
High

FIN7
High

OilRig
High

BlackTech
High