DET0878: Detection of Spearphishing Link
Analyst context for executives and security teams
DET0878 is a MITRE ATT&CK detection strategy for identifying spearphishing links associated with T1598.003, a reconnaissance behavior where adversaries send messages containing links intended to obtain sensitive information, often credentials or other targeting data. For leaders, the value is early-risk visibility: this behavior can precede account compromise, targeted intrusion planning, or follow-on social engineering, even before malware or endpoint activity exists.
Executive priority
Prioritize this as an early warning and control-validation area for identity risk, phishing resilience, and incident readiness. Executives should ask whether the organization can prove it sees suspicious links before and after user interaction, whether credential-harvesting attempts are tied into identity response workflows, and whether phishing-related evidence is retained for investigations and compliance reporting. Because the ATT&CK object provides no platform-specific guidance, investment decisions should be based on local exposure: messaging channels, identity providers, web access paths, and user populations most likely to receive targeted outreach.
Technical view
SOC and detection engineering teams should validate coverage around the related ATT&CK technique T1598.003, Spearphishing Link, under reconnaissance. Since the detection strategy has no official detection text or platform scope, treat it as a detection objective rather than a ready rule. Confirm that detections can correlate suspicious inbound messages, embedded URLs, user clicks, redirects, credential-entry indicators where available, and subsequent identity events. IR teams should ensure phishing-link investigations can answer: who received the link, who clicked, what information may have been submitted, what accounts were affected, and whether the event was part of broader targeting.
Likely telemetry
- Inbound message metadata and content indicators, including sender, recipient, subject, timestamps, and embedded URLs
- URL reputation, detonation, rewriting, or safe-link inspection results where available
- User click telemetry for links delivered through messaging channels
- Web proxy, secure web gateway, DNS, or network connection logs showing access to linked domains
- Identity and authentication logs following link interaction, especially anomalous sign-in attempts or credential-use patterns
Detection direction
- Validate that detections cover the reconnaissance-stage behavior, not only malware delivery; the related technique is about eliciting sensitive information through links.
- Tune for targeted-message context such as unusual sender-recipient relationships, external senders, suspicious domains, newly observed URLs, or links leading to credential collection pages, while accounting for legitimate business outreach and marketing links as false-positive sources.
- Correlate message receipt, link click, web access, and identity activity to reduce isolated-alert noise and improve incident triage.
- Check blind spots in non-email messaging paths, personal-device access, encrypted web traffic visibility, short-lived URLs, URL shorteners, redirects, and links that only become suspicious after delivery.
- Because ATT&CK provides no official detection logic for DET0878, require local testing with benign simulations or historical phishing cases before treating coverage as reliable.
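Because the object ships no analytic, the correlation described in the technical view and in the detection directions above has to be built locally. The script below is an added example of that correlation, not MITRE's or Glexia's code: it joins constructed message, click, web-proxy and sign-in records per recipient inside time windows, follows a shortener redirect to the landing host, treats a form POST to that host as a credential-entry indicator, and scores each delivered link so that a bare click on a newsletter ranks well below a click that ends in a POST to a brand look-alike domain and an anomalous sign-in. Field names, the brand token, the seen-domain list and the per-user home country are all assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumptions about the environment (constructed, not real data): the organization's own mail
# domains, a brand token adversaries reuse in look-alike hosts, domains already seen in proxy
# history, and each user's usual sign-in country.
ORG_DOMAINS = {"corp.example"}
BRAND_TOKENS = {"corp"}
SEEN_DOMAINS = {"corp.example", "vendor.example"}
HOME_COUNTRY = {"alice@corp.example": "US", "bob@corp.example": "US"}

# Constructed sample telemetry; the field names are an assumption, not any product's schema.
MESSAGES = [
    {"id": "m1", "ts": "2026-03-02T09:00:00", "sender": "it-helpdesk@example-support.net",
     "recipient": "alice@corp.example", "subject": "Password expiry", "urls": ["https://short.example/x9q"]},
    {"id": "m2", "ts": "2026-03-02T09:05:00", "sender": "news@vendor.example",
     "recipient": "bob@corp.example", "subject": "March newsletter", "urls": ["https://vendor.example/news"]},
]
CLICKS = [
    {"ts": "2026-03-02T09:12:00", "user": "alice@corp.example", "url": "https://short.example/x9q"},
    {"ts": "2026-03-02T09:20:00", "user": "bob@corp.example", "url": "https://vendor.example/news"},
]
PROXY = [  # the shortener redirects alice to a look-alike host where a form is submitted
    {"ts": "2026-03-02T09:12:01", "user": "alice@corp.example", "host": "short.example", "method": "GET"},
    {"ts": "2026-03-02T09:12:03", "user": "alice@corp.example", "host": "login-corp-example.net", "method": "GET"},
    {"ts": "2026-03-02T09:13:40", "user": "alice@corp.example", "host": "login-corp-example.net", "method": "POST"},
    {"ts": "2026-03-02T09:20:02", "user": "bob@corp.example", "host": "vendor.example", "method": "GET"},
]
SIGNINS = [
    {"ts": "2026-03-02T09:40:00", "user": "alice@corp.example", "country": "RO", "new_device": True},
    {"ts": "2026-03-02T09:30:00", "user": "bob@corp.example", "country": "US", "new_device": False},
]


def ts(s):
    return datetime.fromisoformat(s)


def within(later, earlier, window):
    """True when `later` falls inside `window` after `earlier` (never before it)."""
    return timedelta(0) <= ts(later) - ts(earlier) <= window


def is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def looks_like_brand_spoof(host):
    """Host outside the org that carries the org's brand token as a label (e.g. login-corp-example.net)."""
    labels = host.replace("-", ".").split(".")
    return host not in ORG_DOMAINS and any(tok in labels for tok in BRAND_TOKENS)


def correlate(messages, clicks, proxy, signins, click_window=timedelta(days=7),
              web_window=timedelta(minutes=10), auth_window=timedelta(hours=2)):
    """Score each delivered link by how far the receipt -> click -> web -> identity chain progressed."""
    findings = []
    for m in messages:
        for url in m["urls"]:
            host, stages, score = host_of(url), ["delivered"], 0
            if is_external(m["sender"]):
                score, stages = score + 1, stages + ["external_sender"]
            if host not in SEEN_DOMAINS:
                score, stages = score + 1, stages + ["new_domain"]
            if looks_like_brand_spoof(host):
                score, stages = score + 2, stages + ["brand_lookalike"]
            click = next((c for c in clicks if c["user"] == m["recipient"] and c["url"] == url
                          and within(c["ts"], m["ts"], click_window)), None)
            if click:
                score, stages = score + 1, stages + ["clicked"]
                landed = set()
                for p in proxy:
                    if p["user"] != click["user"] or not within(p["ts"], click["ts"], web_window):
                        continue
                    if p["host"] != host and p["host"] not in landed:  # shortener/redirect landed elsewhere
                        landed.add(p["host"])
                        score, stages = score + 1, stages + [f"redirect:{p['host']}"]
                        if looks_like_brand_spoof(p["host"]) and "brand_lookalike" not in stages:
                            score, stages = score + 2, stages + ["brand_lookalike"]
                    if p["method"] == "POST":  # form submission on the landing page: possible credential entry
                        score, stages = score + 3, stages + ["credential_post"]
                for s in signins:
                    if s["user"] == click["user"] and within(s["ts"], click["ts"], auth_window) \
                            and (s["new_device"] or s["country"] != HOME_COUNTRY.get(s["user"])):
                        score, stages = score + 3, stages + ["anomalous_signin"]
            findings.append({"message_id": m["id"], "recipient": m["recipient"], "url": url,
                             "score": score, "stages": stages})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in correlate(MESSAGES, CLICKS, PROXY, SIGNINS):
        print(f["score"], f["recipient"], f["url"], " -> ".join(f["stages"]))
```

The weights are illustrative; what matters for triage is that the highest-scoring finding answers the investigation questions listed above (who received the link, who clicked, where the redirect landed, whether anything was submitted, and whether an anomalous sign-in followed) in one record instead of four isolated alerts. The time windows should be tuned to local retention and to how quickly the identity provider surfaces sign-in events.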
Mitigation priorities
- Start with prevention and exposure reduction: strengthen user reporting paths, message filtering, URL inspection, and controls that reduce credential submission risk.
- Prioritize identity safeguards such as phishing-resistant authentication where feasible, conditional access, and rapid credential reset/session revocation procedures for suspected disclosure.
- Ensure incident response playbooks cover spearphishing-link triage, user scoping, click analysis, credential-risk assessment, and evidence preservation.
- Use awareness and executive-targeted training to reinforce reporting and reduce sensitive-information disclosure, especially for high-risk roles.
- Maintain audit-ready evidence showing how suspicious links are detected, investigated, escalated, and remediated.
Analyst notes and limits
This take is based on ATT&CK detection strategy DET0878 and its relationship to T1598.003 Spearphishing Link. The detection strategy itself has no official description, detection text, platforms, or tactics, so the practical guidance is derived conservatively from the related technique description: adversaries may send spearphishing messages with malicious links to elicit sensitive information, frequently credentials or other actionable information.
Coverage cannot be inferred from the ATT&CK object alone. The object does not specify supported platforms, concrete analytics, data sources, false-positive guidance, or mitigations. Organizations must validate telemetry availability, retention, legal/privacy constraints, and detection performance in their own messaging, web, and identity environments.
Detection of Spearphishing Link
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | This object detects Spearphishing Link. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a2642239d2a0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0878
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.