Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0236: Detection Strategy for Spearphishing Attachment across OS Platforms

DET0236 is a detection strategy object for Spearphishing Attachment, an initial-access behavior where adversaries use targeted emails with malicious attach...

EnterpriseDET0236Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0236 is a detection strategy object for Spearphishing Attachment, an initial-access behavior where adversaries use targeted emails with malicious attachments to try to gain access to Linux, macOS, or Windows systems. Its business significance is that a single opened attachment can become the starting point for an incident, so leaders should treat coverage as a cross-functional question spanning email security, endpoint visibility, user reporting, SOC triage, and incident response readiness.

Executive priority

Prioritize validation of the controls and evidence that determine whether malicious attachments are blocked, reported, investigated, and contained quickly. This matters for business continuity because spearphishing attachments target people and workflows, not just infrastructure. Executives should ask whether the organization can prove attachment handling controls are operating, whether SOC teams can connect email events to endpoint activity, and whether incident responders have a tested process for scoping affected users and systems.

Technical view

Because the official detection strategy text is not provided, defenders should anchor validation to the related ATT&CK technique T1566.001: Spearphishing Attachment, under Initial Access, with related platforms Linux, macOS, and Windows. SOC and detection teams should confirm they can correlate suspicious inbound email attachments with subsequent endpoint execution, file creation, process activity, quarantine events, and user-reported phishing. Detection logic should account for attachment delivery, attachment opening, and post-open activity rather than relying on a single email alert.

Likely telemetry

  • Email gateway or mail security logs for inbound messages, attachment metadata, sender details, and disposition
  • Mail header and message metadata retained for investigation
  • Attachment scanning, sandboxing, or detonation results where available
  • Endpoint telemetry on Linux, macOS, and Windows for file creation, process execution, and child processes associated with opened attachments
  • Endpoint protection or EDR alerts, quarantine events, and file reputation results

Detection direction

  • Validate that detections cover the full path from targeted email delivery to attachment interaction and endpoint behavior.
  • Tune correlations to connect recipient identity, message metadata, attachment indicators, and endpoint events after the attachment is opened.
  • Watch for blind spots where email logs are retained but attachment content, hashes, or sandbox verdicts are not available to investigators.
  • Account for false positives from legitimate business attachments, automated document workflows, and common archive or document formats.
  • Measure whether SOC playbooks can distinguish blocked delivery, delivered-but-unopened, opened-with-no-observed-execution, and opened-with-suspicious-endpoint-activity scenarios.

Mitigation priorities

  • Start with email attachment controls: filtering, malicious attachment blocking, scanning, sandboxing, and quarantine workflows where available.
  • Ensure users have a clear phishing-reporting path and that reports generate actionable SOC evidence.
  • Harden endpoint execution paths so opened attachments have limited ability to launch suspicious child processes or establish persistence.
  • Maintain incident response procedures for scoping recipients, retrieving message metadata, identifying opened attachments, and containing affected endpoints.
  • Use validation results as audit evidence for phishing defense, monitoring coverage, and response readiness rather than assuming email security alone provides complete coverage.
Analyst notes and limits

This take is based on the supplied detection strategy object and its relationship to T1566.001 Spearphishing Attachment. The object itself has no official description, no official detection text, no tactics listed, and no platforms listed; the initial-access tactic and Linux, macOS, and Windows platform context come from the related technique relationship.

Coverage and control recommendations must be validated against the local mail platform, endpoint telemetry, logging retention, and SOC workflow. The supplied ATT&CK fields do not provide specific analytic logic, data source mappings, mitigations, adversary procedures, or evidence of active exploitation.

Official MITRE ATT&CK definition

Detection Strategy for Spearphishing Attachment across OS Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1566.001 Spearphishing Attachment Sub-technique This object detects Spearphishing Attachment.
Relationship explorer

All related ATT&CK context

detects · Technique T1566.001: Spearphishing Attachment Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
2ee29c66de70db6e...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 2ee29c66de70…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0236
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use