MITRE ATT&CK® Detection Strategy

DET0865: Detection of Spearphishing Attachment


Enterprise | DET0865 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0865 is a MITRE ATT&CK detection strategy for identifying spearphishing attachments associated with T1598.002. In business terms, this matters because the behavior is pre-compromise reconnaissance: adversaries may use malicious attachments to trick people into revealing credentials or other targeting information before a later intrusion attempt. The practical value is validating whether the organization can see, triage, and respond to suspicious attachment-driven phishing before it becomes an identity or incident-response problem.

Executive priority

Treat this as an early-warning control area for identity risk, executive targeting, and incident readiness. Leaders should ask whether teams can prove coverage for suspicious inbound attachments, user reporting, and follow-on credential exposure indicators. Because the ATT&CK object does not provide an official detection method, priority should be on evidence: what telemetry exists, who owns triage, how quickly users can report, and whether SOC and IR teams can connect a suspicious attachment to possible credential or information disclosure.

Technical view

This detection strategy is linked to T1598.002, Spearphishing Attachment, under reconnaissance with PRE platform context. SOC and detection teams should validate visibility into messages that include attachments, attachment metadata and content-analysis outcomes where available, user-reported phishing submissions, and any follow-on indicators that sensitive information may have been solicited or disclosed. Since the supplied ATT&CK object has no official detection text or platform list, local detection logic should be based on the organization’s actual mail, collaboration, identity, and case-management telemetry rather than assumed ATT&CK coverage.

Likely telemetry

  • Inbound message metadata for messages containing attachments
  • Attachment filenames, file types, hashes, sizes, and disposition results where collected
  • Security tool verdicts from attachment scanning, detonation, or content inspection where deployed
  • User-reported phishing submissions and help desk or SOC case records
  • Message delivery, quarantine, release, and forwarding records

Detection direction

  • Validate that attachment-bearing phishing reports and security alerts can be correlated to recipients, sender details, attachment attributes, and disposition decisions.
  • Tune detections around suspicious attachment characteristics and social-engineering context, but account for false positives from normal business document exchange.
  • Confirm whether pre-compromise reconnaissance events are tracked as intelligence and casework, not only as blocked email events.
  • Check blind spots in non-email messaging channels, personal mail usage, encrypted archives, and attachments released from quarantine.
  • Use the relationship to T1598.002 to frame detections around attempts to elicit credentials or actionable targeting information, not only malware delivery.

Mitigation priorities

  • Prioritize reliable user reporting and SOC triage workflows for suspicious attachments.
  • Maintain attachment handling controls such as scanning, quarantine, and safe review processes where applicable.
  • Reduce the value of disclosed credentials through strong identity controls and rapid credential-response procedures.
  • Ensure incident response playbooks include steps for identifying recipients, exposure scope, and potential information disclosure after a suspicious attachment event.
  • Use tabletop or audit evidence to verify that telemetry, escalation paths, and ownership are documented.
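As an added example (not code from the Glexia page or the ATT&CK object), the correlation described in the detection-direction bullets and the recipient/exposure-scope step from the mitigation list, run over constructed gateway, user-report and quarantine-release records. The record layout, field names and attachment flag rules are assumptions to be replaced with the local mail and case-management schema.

```python
from collections import defaultdict

# Constructed sample telemetry (field names are assumptions, not a vendor schema).
GATEWAY = [  # one row per recipient of an inbound message carrying an attachment
    {"msg_id": "m1", "sender": "hr-update@partner.example", "rcpt": "alice@corp.example",
     "attachment": "Benefits_Form.pdf.html", "sha256": "aa11", "verdict": "quarantine"},
    {"msg_id": "m1", "sender": "hr-update@partner.example", "rcpt": "bob@corp.example",
     "attachment": "Benefits_Form.pdf.html", "sha256": "aa11", "verdict": "quarantine"},
    {"msg_id": "m2", "sender": "billing@vendor.example", "rcpt": "carol@corp.example",
     "attachment": "Invoice_Q3.zip", "sha256": "bb22", "verdict": "deliver"},
    {"msg_id": "m3", "sender": "dave@corp.example", "rcpt": "erin@corp.example",
     "attachment": "agenda.docx", "sha256": "cc33", "verdict": "deliver"},
]
USER_REPORTS = [{"msg_id": "m2", "reporter": "carol@corp.example"}]
RELEASES = [{"msg_id": "m1", "released_to": "bob@corp.example"}]  # quarantine releases

def attachment_flags(name: str) -> list[str]:
    """Cheap attachment characteristics worth a closer look; tune to local traffic."""
    parts = name.lower().split(".")
    flags = []
    if len(parts) > 2:                       # e.g. form.pdf.html
        flags.append("double_extension")
    if parts[-1] in {"html", "htm"}:         # HTML forms are a common credential lure
        flags.append("html_attachment")
    if parts[-1] in {"zip", "7z", "rar"}:    # archives hide content from inspection
        flags.append("archive")
    return flags

def build_cases(gateway, reports, releases):
    """Correlate the three record sets by msg_id into triage cases."""
    reported = {r["msg_id"] for r in reports}
    released = defaultdict(set)
    for r in releases:
        released[r["msg_id"]].add(r["released_to"])
    cases = {}
    for row in gateway:
        c = cases.setdefault(row["msg_id"], {
            "sender": row["sender"], "attachment": row["attachment"],
            "sha256": row["sha256"], "verdict": row["verdict"],
            "recipients": set(), "exposed": set(),
            "flags": attachment_flags(row["attachment"]),
            "user_reported": row["msg_id"] in reported})
        c["recipients"].add(row["rcpt"])
        # Exposure scope: delivered mail reached everyone; quarantined mail only those it was released to.
        if row["verdict"] == "deliver" or row["rcpt"] in released.get(row["msg_id"], set()):
            c["exposed"].add(row["rcpt"])
    # Keep only cases with a signal worth triage time (suspicious attachment, report, or release).
    return {k: v for k, v in cases.items()
            if v["flags"] or v["user_reported"] or v["exposed"] & released.get(k, set())}
```

Plain business mail such as m3 drops out, while m1 surfaces with only the release recipient in scope and m2 surfaces on the user report even though the gateway delivered it.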

Analyst notes and limits

The source object is a detection strategy, not a technique, and it has no official description or detection guidance. The main ATT&CK-supported context is its relationship to T1598.002, which describes spearphishing attachments used to elicit sensitive information during reconnaissance. Any specific analytic logic should be derived from the organization’s telemetry and control stack.

Platforms, tactics, and official detection text are not specified on DET0865. This take does not assert active exploitation, attribution, guaranteed detection coverage, or vendor-specific capability. Local validation is required to determine actual visibility and control effectiveness.

Official MITRE ATT&CK definition

Detection of Spearphishing Attachment

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1598.002
Name: Spearphishing Attachment (sub-technique)
Relationship / procedure: This object detects Spearphishing Attachment.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 87adcfa9c6eaaede...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 87adcfa9c6ea…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0865 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.