Home/ATT&CK Technique/Spearphishing Attachment
ICS ATT&CK

Spearphishing Attachment

T0865 · initial-access

Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry.

In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access. A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments.

None

Actors Using This

4
dprk_lazarus_linked_dragos_tracked_ics_electric_sector_2017_2018_retiredCOVELLITE (Lazarus-linked ICS)
state_actor_dragos_tracked_cis_central_asia_espionage_focus_2023_disclosedGANANITE
russia_aligned_state_actor_dragos_tracked_distinct_from_sandworm_electrumKAMACITE
iran_attributed_dragos_tracked_ics_threat_group_2017_activeRASPITE (Leafminer)

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1588.006 · Vulnerabilities ×4.76
initial-access same
T0822 · External Remote Services ×26.44T0883 · Internet Accessible Device ×21.64T0866 · Exploitation of Remote Services ×19.83
persistence later
T0859 · Valid Accounts ×19.83T1037 · Boot or Logon Initialization Scripts ×3.66
privilege-escalation later
T1055.001 · Dynamic-link Library Injection ×5.06T1055 · Process Injection ×2.98
discovery later
T0846 · Remote System Discovery ×26.44T1046 · Network Service Discovery ×3.97T1614 · System Location Discovery ×2.70
exfiltration later
T1048 · Exfiltration Over Alternative Protocol ×2.48
other same
T1553.002 · Code Signing ×5.80T1553 · Subvert Trust Controls ×3.05T1620 · Reflective Code Loading ×2.98

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin