DET0821: Detection of Spearphishing Service
DET0821 is a MITRE detection strategy for Spearphishing Service, a reconnaissance behavior where adversaries use third-party services to solicit sensitive...
Analyst context for executives and security teams
DET0821 is a MITRE detection strategy for Spearphishing Service, a reconnaissance behavior where adversaries use third-party services to solicit sensitive information such as credentials or other targeting details. The business issue is not only email filtering; it is whether the organization can recognize and respond when employees are socially engineered through services that may sit outside normal corporate messaging controls.
Executive priority
Treat this as an early-warning and exposure-reduction problem. Leaders should ask whether security, identity, help desk, and incident response teams have a defined path for handling reports of suspicious third-party service messages before disclosed information becomes useful to an adversary. Because the ATT&CK object provides no official detection logic or platform scope, coverage should be proven with local evidence rather than assumed from a tool deployment.
Technical view
This detection strategy is related to ATT&CK T1598.001, Spearphishing Service, under reconnaissance with PRE as the related platform context. SOC and IR teams should validate whether they can identify suspicious attempts to collect credentials or actionable information through third-party services, correlate those reports with identity activity, and preserve enough context to determine whether information was disclosed. Since MITRE provides no official detection text for DET0821, detection engineering should start from local phishing intake workflows, reported messages, identity logs, and incident triage records rather than a predefined ATT&CK analytic.
Likely telemetry
- User-reported suspicious messages or service invitations
- Phishing triage and case management records
- Third-party service notification content when available to the organization
- Identity and authentication logs for accounts potentially solicited
- Help desk or security awareness reports indicating possible credential or sensitive information disclosure
Detection direction
- Validate that phishing reporting paths include third-party service messages, not only traditional email attachments and links.
- Tune triage to distinguish legitimate business use of external services from messages requesting credentials, account details, or other targeting information.
- Correlate reported solicitations with subsequent identity activity for the affected users, while avoiding assumptions that every solicitation led to compromise.
- Confirm whether security teams can retain message metadata, sender/service context, recipient, timing, and user response status for incident decisions.
- Document blind spots where messages occur outside monitored corporate channels or where third-party service content is unavailable.
Mitigation priorities
- Prioritize user reporting, security awareness, and clear escalation paths for suspicious third-party service requests.
- Ensure identity controls and response playbooks cover suspected credential disclosure or sensitive information exposure.
- Review business use of third-party services and define acceptable request patterns so SOC teams have context for triage.
- Maintain incident response procedures for confirming whether information was provided and for taking proportionate containment actions.
- Use audit and compliance evidence to show that reported social engineering attempts are tracked, investigated, and linked to identity response where appropriate.
Analyst notes and limits
The value of DET0821 is in validating organizational readiness around reconnaissance-stage social engineering through services that may not be fully visible to standard email security monitoring. Relationship context ties it specifically to T1598.001 Spearphishing Service; the detection strategy itself does not provide a formal analytic, data source list, or platform coverage.
Official description, official detection guidance, tactics, and platforms are not specified for the detection strategy object. Recommendations therefore rely on the supplied relationship to T1598.001 and require local environment validation. No active exploitation, attribution, impact, or guaranteed detection coverage is implied.
Detection of Spearphishing Service
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1598.001 | Spearphishing Service Sub-technique | This object detects Spearphishing Service. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | acd0bd8556e7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0821Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.