Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0107: Detection Strategy for Spearphishing Links

This detection strategy matters because spearphishing links are an initial-access path that can bypass attachment-focused email defenses by moving the mali...

EnterpriseDET0107Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because spearphishing links are an initial-access path that can bypass attachment-focused email defenses by moving the malicious content behind a URL. For executives and security leaders, the decision value is whether the organization can prove it sees and investigates suspicious link-based email activity before it becomes an identity, endpoint, or business-continuity incident.

Executive priority

Prioritize this as a control-validation and evidence question: can security teams show that link-based phishing attempts are logged, triaged, and connected to downstream identity or endpoint activity? Because the related ATT&CK technique is initial access and includes Identity Provider, Office Suite, Linux, and macOS contexts, leaders should ask whether email security, identity monitoring, endpoint visibility, and incident response playbooks work together rather than treating phishing as only an email problem.

Technical view

The ATT&CK object provides no official detection text, so SOC and detection engineering teams should derive validation from the relationship to T1566.002 Spearphishing Link. Confirm visibility into emails containing URLs, URL reputation or detonation outcomes where available, user click activity, redirects or downloads following clicks, authentication events after link interaction, and endpoint activity on Linux and macOS where those platforms are in scope. Treat detections as correlation problems: suspicious message plus URL interaction plus identity or endpoint follow-on behavior is usually more useful than any single indicator alone.

Likely telemetry

  • Email gateway or mail security logs showing messages, senders, recipients, URLs, and disposition
  • Office Suite audit logs for message delivery, user interaction, and link handling where available
  • Web proxy, DNS, secure web gateway, or browser telemetry for URL visits and redirects
  • Identity Provider authentication logs, including sign-in anomalies after suspected link interaction
  • Endpoint telemetry from Linux and macOS systems for downloads, process execution, and persistence-relevant follow-on activity

Detection direction

  • Validate that monitoring is not limited to malicious attachments; link-only phishing must be represented in alert logic and triage workflows.
  • Correlate suspicious inbound email URLs with user click telemetry and subsequent authentication or endpoint activity to reduce weak single-signal alerts.
  • Tune for business-approved bulk mail, marketing platforms, newsletters, and legitimate URL rewriting services to control false positives.
  • Check blind spots around personal webmail, unmanaged browsers, mobile access, encrypted DNS, and logs that do not preserve the original URL after rewriting or redirects.
  • Use the relationship to T1566.002 to test coverage against initial-access workflows, especially where identity provider and Office Suite activity are central to access decisions.

Mitigation priorities

  • Start by confirming mail security and user-reporting workflows capture link-based phishing, not only attachment-based threats.
  • Ensure identity controls and monitoring are prepared for credential exposure or suspicious sign-in activity following a link click.
  • Maintain endpoint visibility for Linux and macOS assets that may receive downloaded payloads after URL interaction.
  • Run incident response exercises that connect mailbox evidence, URL click evidence, identity logs, and endpoint investigation steps.
  • Use compliance and audit evidence to show phishing reporting, triage, investigation, and remediation are repeatable and documented.
Analyst notes and limits

This is a MITRE ATT&CK detection strategy object for DET0107, Detection Strategy for Spearphishing Links. The object itself has no official description, no official detection text, no tactics, and no platforms specified. The practical guidance above is therefore anchored to the supplied relationship showing that DET0107 detects T1566.002 Spearphishing Link, an initial-access technique associated with Identity Provider, Linux, macOS, and Office Suite contexts.

Local architecture determines the real coverage: ATT&CK does not state which logs are available, which controls are deployed, or what detection analytic MITRE recommends for this object. This take should be used as validation direction, not as a claim that detection is present or complete.

Official MITRE ATT&CK definition

Detection Strategy for Spearphishing Links

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1566.002 Spearphishing Link Sub-technique This object detects Spearphishing Link.
Relationship explorer

All related ATT&CK context

detects · Technique T1566.002: Spearphishing Link Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
69728e82080ec6d4...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 69728e82080e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0107
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use