MITRE ATT&CK Technique
Description
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-03-02T19:05:18.137Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may send spearphishing emails with a malicious '
'attachment in an attempt to gain access to victim systems. '
'Spearphishing attachment is a specific variant of '
'spearphishing. Spearphishing attachment is different from '
'other forms of spearphishing in that it employs the use of '
'malware attached to an email. All forms of spearphishing are '
'electronically delivered social engineering targeted at a '
'specific individual, company, or industry. In this scenario, '
'adversaries attach a file to the spearphishing email and '
'usually rely upon [User '
'Execution](https://attack.mitre.org/techniques/T1204) to gain '
'execution.(Citation: Unit 42 DarkHydrus July 2018) '
'Spearphishing may also involve social engineering techniques, '
'such as posing as a trusted source.\n'
'\n'
'There are many options for the attachment such as Microsoft '
'Office documents, executables, PDFs, or archived files. Upon '
'opening the attachment (and potentially clicking past '
"protections), the adversary's payload exploits a "
"vulnerability or directly executes on the user's system. The "
'text of the spearphishing email usually tries to give a '
'plausible reason why the file should be opened, and may '
'explain how to bypass system protections in order to do so. '
'The email may also contain instructions on how to decrypt an '
'attachment, such as a zip file password, in order to evade '
'email boundary defenses. Adversaries frequently manipulate '
'file extensions and icons in order to make attached '
'executables appear to be document files, or files exploiting '
'one application appear to be a file for a different one. ',
'external_references': [{'external_id': 'T1566.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1566/001'},
{'description': 'Australian Cyber Security Centre. '
'(2012, December). Mitigating Spoofed '
'Emails Using Sender Policy '
'Framework. Retrieved November 17, '
'2024.',
'source_name': 'ACSC Email Spoofing',
'url': 'https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf'},
{'description': 'Falcone, R., et al. (2018, July 27). '
'New Threat Actor Group DarkHydrus '
'Targets Middle East Government. '
'Retrieved August 2, 2018.',
'source_name': 'Unit 42 DarkHydrus July 2018',
'url': 'https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/'},
{'description': 'Microsoft. (2020, October 13). '
'Anti-spoofing protection in EOP. '
'Retrieved October 19, 2020.',
'source_name': 'Microsoft Anti Spoofing',
'url': 'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide'},
{'description': 'Stepanic, D.. (2020, January 13). '
'Embracing offensive tooling: '
'Building detections against Koadic '
'using EQL. Retrieved November 17, '
'2024.',
'source_name': 'Elastic - Koadiac Detection with EQL',
'url': 'https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql'}],
'id': 'attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'initial-access'}],
'modified': '2025-10-24T17:48:35.522Z',
'name': 'Spearphishing Attachment',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Philip Winther'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '2.2'}