MITRE ATT&CK® Detection Strategy

DET0070: Detection Strategy for Phishing across platforms.


Enterprise | DET0070 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is mapped to ATT&CK Phishing (T1566), an initial-access behavior where adversaries use electronically delivered social engineering, including malicious links or attachments, to gain access. For leaders, the value is not just “find phishing,” but proving whether the organization can see and respond to the user, identity, office-suite, and endpoint signals that often determine whether a phishing attempt becomes an incident.

Executive priority

Prioritize this as an initial-access readiness check. Executives should ask whether phishing defenses are measured with evidence: what messages reached users, which users interacted, whether identity controls detected suspicious sign-in activity, and whether SOC/IR teams can quickly connect email, Office Suite, identity provider, and Linux/macOS endpoint evidence. Because the official detection strategy has no detailed detection text, leadership should treat local telemetry validation and incident-response workflow testing as the decision point for investment and audit readiness.

Technical view

ATT&CK provides this object as DET0070, a detection strategy for Phishing across platforms, and relates it to T1566 under Initial Access. The detection strategy itself has no platform list and no official detection narrative, so SOC and detection engineering teams should scope validation to the related technique context: Identity Provider, Linux, macOS, and Office Suite. Validate whether alerts and investigations can pivot from suspicious electronic messages to link or attachment interaction, user identity activity, Office Suite events, and endpoint activity on supported systems.

Likely telemetry

  • Email or electronic-message metadata, including sender, recipient, subject, timestamps, URLs, and attachment indicators
  • Security gateway or message filtering verdicts and quarantine/release records
  • Office Suite audit events relevant to message access, file opening, link interaction, or mailbox activity
  • Identity Provider authentication logs, MFA events, session activity, and anomalous sign-in context
  • Linux and macOS endpoint process, file, and network telemetry following suspected link or attachment interaction

Detection direction

  • Confirm that phishing-related alerts can be correlated across message, identity, Office Suite, and endpoint data rather than reviewed as isolated events.
  • Validate coverage for both malicious attachments and malicious links, as the related ATT&CK technique description explicitly includes both.
  • Tune for false positives from legitimate bulk email, marketing platforms, file-sharing notifications, and normal user travel or device changes in identity logs.
  • Test investigation pivots from a suspicious message to affected users, authentication activity, and endpoint follow-on behavior on Linux/macOS where applicable.
  • Because the official detection field is not provided, avoid assuming DET0070 defines complete analytic logic; use it as a coverage objective tied to T1566.
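The correlation the list above asks for (message, identity and endpoint signals joined per recipient inside a time window, with bulk senders held to a higher evidence bar so marketing mail does not page the SOC on its own) is shown below as an added example. It is not part of the DET0070 object or of Glexia's tooling; every event, field name, baseline table and threshold is a constructed assumption chosen only to illustrate the pivot.

```python
"""Added example: correlate phishing-related signals across email, identity
and endpoint telemetry for one recipient. All events, schemas and baselines
below are constructed for illustration and are not from any real environment."""
from datetime import datetime, timedelta

# Constructed sample telemetry. Field names are assumed, not a vendor schema.
EMAIL_EVENTS = [  # secure-gateway delivery records
    {"ts": "2026-03-02T09:00:00", "recipient": "alice", "sender": "billing@invoice-portal.example",
     "url": "https://invoice-portal.example/login", "attachment": None, "verdict": "delivered"},
    {"ts": "2026-03-02T09:05:00", "recipient": "bob", "sender": "news@newsletter.example",
     "url": "https://newsletter.example/march", "attachment": None, "verdict": "delivered"},
    {"ts": "2026-03-02T09:10:00", "recipient": "carol", "sender": "hr@payroll-update.example",
     "url": None, "attachment": "payroll.docm", "verdict": "delivered"},
]
IDENTITY_EVENTS = [  # identity-provider sign-in records
    {"ts": "2026-03-02T09:12:00", "user": "alice", "country": "NL", "mfa": "failed", "result": "denied"},
    {"ts": "2026-03-02T09:14:00", "user": "alice", "country": "NL", "mfa": "passed", "result": "success"},
    {"ts": "2026-03-02T11:00:00", "user": "bob", "country": "DE", "mfa": "passed", "result": "success"},
]
ENDPOINT_EVENTS = [  # macOS/Linux process-creation records
    {"ts": "2026-03-02T09:15:00", "user": "carol", "host": "mac-17",
     "parent": "Microsoft Word", "process": "osascript"},
    {"ts": "2026-03-02T09:20:00", "user": "bob", "host": "lx-03",
     "parent": "firefox", "process": "libreoffice"},
]

# Baselines that tuning would normally supply; constructed here.
USER_HOME_COUNTRY = {"alice": "DE", "bob": "DE", "carol": "DE"}
BULK_SENDER_DOMAINS = {"newsletter.example"}  # legitimate marketing platforms
DOC_AND_MAIL_PARENTS = {"Microsoft Word", "Microsoft Outlook", "Mail", "firefox", "Safari", "Google Chrome"}
SCRIPT_CHILDREN = {"osascript", "bash", "sh", "zsh", "python3", "curl"}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def correlate(email_events, identity_events, endpoint_events, window=timedelta(hours=1)):
    """Return one finding per delivered message that has corroborating identity
    or endpoint activity for its recipient within `window` after delivery.
    Mail from a known bulk sender needs corroboration from BOTH sources."""
    findings = []
    for msg in email_events:
        if msg["verdict"] != "delivered":
            continue  # blocked or quarantined mail never reached the user
        user = msg["recipient"]
        start, end = _t(msg["ts"]), _t(msg["ts"]) + window
        in_window = lambda ev: ev["user"] == user and start <= _t(ev["ts"]) <= end

        # Identity pivot: MFA failure or a sign-in outside the user's home country
        id_reasons = [
            f"identity: {ev['result']} sign-in from {ev['country']} (mfa={ev['mfa']})"
            for ev in identity_events if in_window(ev)
            and (ev["mfa"] == "failed" or ev["country"] != USER_HOME_COUNTRY.get(user))
        ]
        # Endpoint pivot: document viewer, mail client or browser spawning a script interpreter
        ep_reasons = [
            f"endpoint: {ev['parent']} spawned {ev['process']} on {ev['host']}"
            for ev in endpoint_events if in_window(ev)
            and ev["parent"] in DOC_AND_MAIL_PARENTS and ev["process"] in SCRIPT_CHILDREN
        ]

        bulk = msg["sender"].split("@")[-1] in BULK_SENDER_DOMAINS
        if bulk and not (id_reasons and ep_reasons):
            continue  # false-positive tuning: marketing mail plus one weak signal is not a case
        if id_reasons or ep_reasons:
            findings.append({
                "user": user,
                "sender": msg["sender"],
                "lure": msg["url"] or msg["attachment"],
                "evidence": id_reasons + ep_reasons,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(EMAIL_EVENTS, IDENTITY_EVENTS, ENDPOINT_EVENTS):
        print(f"{f['user']}: lure={f['lure']} from {f['sender']}")
        for line in f["evidence"]:
            print("   ", line)
```

On the constructed data the function surfaces two cases: alice (message link followed by two foreign-country sign-ins, one with an MFA failure) and carol (macro document followed by Word spawning osascript), while bob's newsletter produces nothing because his only sign-in is outside the window and the browser-to-LibreOffice process pair is benign. Swapping the inline lists for your gateway, IdP and EDR exports is the validation step the strategy asks for; the baselines (home country, bulk-sender list, parent/child pairs) are where local tuning lives.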

Mitigation priorities

  • Establish baseline controls for filtering and handling electronically delivered social-engineering content before relying on downstream detection alone.
  • Ensure identity protections and response procedures are integrated with phishing triage, since the related platform context includes Identity Provider and the technique is initial access.
  • Maintain Office Suite logging and retention sufficient to reconstruct message delivery, user interaction, and related account activity.
  • Prepare incident response playbooks that connect reported or detected phishing to account containment, endpoint review, and evidence preservation.
  • Use phishing detection coverage as compliance and resilience evidence only after confirming local telemetry, alert routing, and analyst workflow are functioning.

Analyst notes and limits

The strongest use of this object is as a defensive coverage checkpoint for ATT&CK T1566. It is especially useful for assessing whether managed detection, incident response, identity security, and Office Suite monitoring are operationally connected. The ATT&CK object does not provide detection logic, so local control validation is required.

Official description, official detection text, tactics, and platforms are not specified on the detection-strategy object itself. Platform and tactic context comes only from the related T1566 technique. No claim is made about active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection Strategy for Phishing across platforms.

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name      Relationship / procedure
Enterprise  T1566  Phishing  This object detects Phishing.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 60011a5c0ac995b1...
Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  60011a5c0ac9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0070 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.