DET0054: Internal Spearphishing via Trusted Accounts
Analyst context for executives and security teams
DET0054 is a detection strategy for spotting internal spearphishing that comes from trusted accounts. The business concern is that once an account or device is compromised, messages from that user may bypass normal suspicion and help an adversary move laterally to other users, data, or SaaS resources.
Executive priority
Treat this as an identity and collaboration-security resilience issue, not just an email-filtering problem. Leaders should ask whether the organization can prove suspicious internal messages, abnormal account use, and follow-on access attempts are visible across Office Suite/SaaS and supported endpoint environments. Because the ATT&CK entry provides no official detection logic, coverage should be validated with local telemetry and incident-response playbooks rather than assumed from tool ownership.
Technical view
This detection strategy is mapped to T1534 Internal Spearphishing under lateral movement. SOC and IR teams should validate whether they can correlate trusted-account messaging activity with authentication anomalies, SaaS audit events, mailbox or collaboration activity, and endpoint context on Linux/macOS where relevant. The key defensive question is whether an internally sourced message that looks legitimate can be tied back to account compromise indicators or unusual post-message access behavior.
Likely telemetry
- Internal email and collaboration message metadata, including sender, recipients, timestamps, links, attachments, and reply/forward patterns
- Office Suite and SaaS audit logs for mailbox, file-sharing, application, and administrative activity
- Identity and access logs for successful and failed sign-ins, session changes, MFA events, and unusual source locations or devices
- Endpoint telemetry from supported user systems where available, especially evidence that a trusted account is being used from a compromised device
- Network or proxy logs for link clicks, file downloads, and SaaS access following internal messages
Detection direction
- Do not rely only on external phishing controls; validate visibility into internally sent messages from legitimate accounts.
- Correlate internal message bursts, unusual recipient selection, abnormal attachment/link use, or unexpected file-sharing with identity and SaaS activity around the same account.
- Tune for false positives from normal business workflows such as broad internal announcements, shared mailbox use, delegated access, and automated SaaS notifications.
- Prioritize detections that connect message activity to signs of account or device compromise, because the relationship context indicates the behavior occurs after access to an internal account or system.
- Test whether the SOC can pivot from a suspicious internal message to the sending account’s authentication history, endpoint state, and follow-on recipient activity.
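As an added example, not taken from the ATT&CK object or from this page, the correlation described above run over constructed sign-in and internal-message telemetry: an account that sends a burst of link- or attachment-bearing internal messages to recipients outside its usual set, shortly after a sign-in from outside its baseline country, is flagged; shared or automated senders are tuned out. The baseline sets, allowlist, window and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real tenant): sign-ins and
# internal message metadata for the same accounts, all on one day.
BASELINE_COUNTRY = {"alice": "US", "bob": "US", "hr-notices": "US"}
BASELINE_RECIPIENTS = {"alice": {"bob", "carol"}, "bob": {"alice"}}
AUTOMATED_SENDERS = {"hr-notices"}   # shared/automated mailboxes: tuned out

SIGNINS = [  # (timestamp, user, country, result)
    ("2026-01-10T08:02:00", "alice", "US", "success"),
    ("2026-01-10T09:15:00", "alice", "RO", "success"),  # outside alice's baseline
    ("2026-01-10T09:20:00", "bob", "US", "success"),
]
MESSAGES = [  # (timestamp, sender, recipients, has_link_or_attachment)
    ("2026-01-10T09:31:00", "alice", ["bob", "dave", "erin"], True),
    ("2026-01-10T09:33:00", "alice", ["frank", "grace"], True),
    ("2026-01-10T09:34:00", "alice", ["heidi"], True),
    ("2026-01-10T09:40:00", "bob", ["zed"], True),       # new recipient, but no sign-in anomaly
    ("2026-01-10T09:45:00", "hr-notices", ["alice", "bob"], True),  # automated sender
]

def parse(ts):
    return datetime.fromisoformat(ts)

def anomalous_signins(signins):
    """Successful sign-ins from a country outside the user's baseline."""
    return [(parse(ts), u, c) for ts, u, c, r in signins
            if r == "success" and c != BASELINE_COUNTRY.get(u)]

def correlate(signins, messages, window=timedelta(hours=2), min_msgs=2):
    """Flag accounts that, within `window` after an anomalous sign-in, send at
    least `min_msgs` internal messages with links/attachments to unusual recipients."""
    alerts = {}
    for ts, user, country in anomalous_signins(signins):
        if user in AUTOMATED_SENDERS:
            continue
        usual = BASELINE_RECIPIENTS.get(user, set())
        suspicious = [m for m in messages
                      if m[1] == user and m[3]
                      and ts <= parse(m[0]) <= ts + window
                      and any(r not in usual for r in m[2])]
        if len(suspicious) >= min_msgs:
            alerts[user] = {
                "signin_country": country,
                "messages": len(suspicious),
                "new_recipients": sorted({r for m in suspicious for r in m[2]} - usual),
            }
    return alerts
```

Bob's message to a new recipient is not raised on its own because it cannot be tied to a sign-in anomaly, which is the pivot this strategy depends on.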
Mitigation priorities
- Strengthen identity controls for trusted accounts, including MFA and monitoring of anomalous sessions where applicable.
- Ensure Office Suite and SaaS audit logging is enabled, retained, and accessible to detection and IR teams.
- Harden collaboration and mail workflows so internal messages with links, attachments, or file shares are still inspectable and reportable.
- Prepare IR procedures for rapid containment of a suspected sending account, review of messages sent during the compromise window, and assessment of affected recipients.
- Use awareness and reporting processes that explicitly include suspicious internal messages, not only messages from external senders.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. The practical guidance above is derived from its relationship to T1534 Internal Spearphishing, a lateral-movement technique in which a legitimate internal account or a compromised user device is used to target additional users or information.
Platforms and tactics are not specified on DET0054 itself. Related technique context lists lateral movement and platforms including Linux, macOS, Office Suite, and SaaS, but local relevance depends on the organization’s actual messaging, identity, endpoint, and SaaS architecture. No active exploitation, attribution, specific tooling, or guaranteed detection coverage is stated by the supplied fields.
Internal Spearphishing via Trusted Accounts
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1534 | Internal Spearphishing | This object detects Internal Spearphishing. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 89702a3071f9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0054
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.