MITRE ATT&CK Technique
Description
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023) Adversaries may also embed “tracking pixels,” "web bugs," or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)(Citation: Ryte Wiki) These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server.(Citation: Ryte Wiki)(Citation: IAPP) Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022) Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor) Adversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as “quishing”). These links may direct a victim to a credential phishing page.(Citation: QR-campaign-energy-firm) By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.(Citation: qr-phish-agriculture) These QR codes may be scanned by or delivered directly to a user’s mobile device (i.e., [Phishing](https://attack.mitre.org/techniques/T1660)), which may be less secure in several relevant ways.(Citation: qr-phish-agriculture) For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile’s smaller form factor. From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-02T17:09:50.723Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may send spearphishing messages with a malicious '
'link to elicit sensitive information that can be used during '
'targeting. Spearphishing for information is an attempt to '
'trick targets into divulging information, frequently '
'credentials or other actionable information. Spearphishing '
'for information frequently involves social engineering '
'techniques, such as posing as a source with a reason to '
'collect information (ex: [Establish '
'Accounts](https://attack.mitre.org/techniques/T1585) or '
'[Compromise '
'Accounts](https://attack.mitre.org/techniques/T1586)) and/or '
'sending multiple, seemingly urgent messages.\n'
'\n'
'All forms of spearphishing are electronically delivered '
'social engineering targeted at a specific individual, '
'company, or industry. In this scenario, the malicious emails '
'contain links generally accompanied by social engineering '
'text to coax the user to actively click or copy and paste a '
'URL into a browser.(Citation: TrendMictro Phishing)(Citation: '
'PCMag FakeLogin) The given website may be a clone of a '
'legitimate site (such as an online or corporate login portal) '
'or may closely resemble a legitimate site in appearance and '
'have a URL containing elements from the real site. URLs may '
'also be obfuscated by taking advantage of quirks in the URL '
'schema, such as the acceptance of integer- or '
'hexadecimal-based hostname formats and the automatic '
'discarding of text before an “@” symbol: for example, '
'`hxxp://google.com@1157586937`.(Citation: Mandiant URL '
'Obfuscation 2023)\n'
'\n'
'Adversaries may also embed “tracking pixels,” "web bugs," or '
'"web beacons" within phishing messages to verify the receipt '
'of an email, while also potentially profiling and tracking '
'victim information such as IP address.(Citation: NIST Web '
'Bug)(Citation: Ryte Wiki) These mechanisms often appear as '
'small images (typically one pixel in size) or otherwise '
'obfuscated objects and are typically delivered as HTML code '
'containing a link to a remote server.(Citation: Ryte '
'Wiki)(Citation: IAPP)\n'
'\n'
'Adversaries may also be able to spoof a complete website '
'using what is known as a "browser-in-the-browser" (BitB) '
'attack. By generating a fake browser popup window with an '
'HTML-based address bar that appears to contain a legitimate '
'URL (such as an authentication portal), they may be able to '
'prompt users to enter their credentials while bypassing '
'typical URL verification methods.(Citation: ZScaler BitB '
'2020)(Citation: Mr. D0x BitB 2022)\n'
'\n'
'Adversaries can use phishing kits such as `EvilProxy` and '
'`Evilginx2` to perform adversary-in-the-middle phishing by '
'proxying the connection between the victim and the legitimate '
'website. On a successful login, the victim is redirected to '
'the legitimate website, while the adversary captures their '
'session cookie (i.e., [Steal Web Session '
'Cookie](https://attack.mitre.org/techniques/T1539)) in '
'addition to their username and password. This may enable the '
'adversary to then bypass MFA via [Web Session '
'Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: '
'Proofpoint Human Factor)\n'
'\n'
'Adversaries may also send a malicious link in the form of '
'Quick Response (QR) Codes (also known as “quishing”). These '
'links may direct a victim to a credential phishing '
'page.(Citation: QR-campaign-energy-firm) By using a QR code, '
'the URL may not be exposed in the email and may thus go '
'undetected by most automated email security scans.(Citation: '
'qr-phish-agriculture) These QR codes may be scanned by or '
'delivered directly to a user’s mobile device (i.e., '
'[Phishing](https://attack.mitre.org/techniques/T1660)), which '
'may be less secure in several relevant ways.(Citation: '
'qr-phish-agriculture) For example, mobile users may not be '
'able to notice minor differences between genuine and '
'credential harvesting websites due to mobile’s smaller form '
'factor.\n'
'\n'
'From the fake website, information is gathered in web forms '
'and sent to the adversary. Adversaries may also use '
'information from previous reconnaissance efforts (ex: [Search '
'Open '
'Websites/Domains](https://attack.mitre.org/techniques/T1593) '
'or [Search Victim-Owned '
'Websites](https://attack.mitre.org/techniques/T1594)) to '
'craft persuasive and believable lures.',
'external_references': [{'external_id': 'T1598.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1598/003'},
{'description': 'Australian Cyber Security Centre. '
'(2012, December). Mitigating Spoofed '
'Emails Using Sender Policy '
'Framework. Retrieved November 17, '
'2024.',
'source_name': 'ACSC Email Spoofing',
'url': 'https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf'},
{'description': 'Babon, P. (2020, September 3). '
"Tricky 'Forms' of Phishing. "
'Retrieved October 20, 2020.',
'source_name': 'TrendMictro Phishing',
'url': 'https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html'},
{'description': 'IAPP. (n.d.). Retrieved March 5, '
'2024.',
'source_name': 'IAPP',
'url': 'https://iapp.org/resources/article/web-beacon/'},
{'description': 'Jonathan Greig. (2023, August 16). '
'Phishing campaign used QR codes to '
'target large energy company. '
'Retrieved November 27, 2023.',
'source_name': 'QR-campaign-energy-firm',
'url': 'https://therecord.media/phishing-campaign-used-qr-codes-to-target-energy-firm'},
{'description': 'Kan, M. (2019, October 24). Hackers '
'Try to Phish United Nations Staffers '
'With Fake Login Pages. Retrieved '
'October 20, 2020.',
'source_name': 'PCMag FakeLogin',
'url': 'https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages'},
{'description': 'Microsoft. (2020, October 13). '
'Anti-spoofing protection in EOP. '
'Retrieved October 19, 2020.',
'source_name': 'Microsoft Anti Spoofing',
'url': 'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide'},
{'description': 'mr.d0x. (2022, March 15). Browser In '
'The Browser (BITB) Attack. Retrieved '
'March 8, 2023.',
'source_name': 'Mr. D0x BitB 2022',
'url': 'https://mrd0x.com/browser-in-the-browser-phishing-attack/'},
{'description': "Nick Simonian. (2023, May 22). Don't "
'@ Me: URL Obfuscation Through Schema '
'Abuse. Retrieved August 4, 2023.',
'source_name': 'Mandiant URL Obfuscation 2023',
'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'},
{'description': 'NIST Information Technology '
'Laboratory. (n.d.). web bug. '
'Retrieved March 22, 2023.',
'source_name': 'NIST Web Bug',
'url': 'https://csrc.nist.gov/glossary/term/web_bug'},
{'description': 'Proofpoint. (n.d.). The Human Factor '
'2023: Analyzing the cyber attack '
'chain. Retrieved July 20, 2023.',
'source_name': 'Proofpoint Human Factor',
'url': 'https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf'},
{'description': 'Ryte Wiki. (n.d.). Retrieved '
'November 17, 2024.',
'source_name': 'Ryte Wiki',
'url': 'https://en.ryte.com/wiki/Tracking_Pixel/'},
{'description': 'Tim Bedard and Tyler Johnson. (2023, '
'October 4). QR Code Scams & '
'Phishing. Retrieved November 27, '
'2023.',
'source_name': 'qr-phish-agriculture',
'url': 'https://www.proofpoint.com/us/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing'},
{'description': 'ZScaler. (2020, February 11). Fake '
'Sites Stealing Steam Credentials. '
'Retrieved March 8, 2023.',
'source_name': 'ZScaler BitB 2020',
'url': 'https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials'}],
'id': 'attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'reconnaissance'}],
'modified': '2025-10-24T17:48:34.880Z',
'name': 'Spearphishing Link',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Philip Winther',
'Sebastian Salla, McAfee',
'Menachem Goldstein',
'Robert Simmons, @MalwareUtkonos',
'Elpidoforos Maragkos, @emaragkos',
'Joas Antonio dos Santos, @C0d3Cr4zy',
'Austin Herrin',
'Obsidian Security',
'Sam Seabrook, Duke Energy'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.7'}