MITRE ATT&CK® Technique

T0865: Spearphishing Attachment

Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access. [1]

A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. [2]

ICS | T0865 | Technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Spearphishing Attachment matters in ICS because a convincing email with a malicious file can turn a normal user action into access on systems that support operations, engineering, or remote management. ATT&CK links this technique to Workstations and Jump Hosts, so the business issue is not just email security; it is whether phishing-driven execution can create a path toward industrial environments and affect operational resilience.

Executive priority

Prioritize this as a control-validation and readiness question: are high-risk ICS users, engineering workstations, and jump-host access paths protected against malicious attachments, and can the SOC prove it with evidence? The supplied relationships point to user training, web/content restriction, network intrusion prevention, and antivirus/antimalware, with ICS-specific caution that controls must not disrupt real-time or safety-related operations.

Technical view

The mirrored object carries no official detection text, tactic, or platform fields for T0865; what it does state is that adversaries attach malware to targeted email and usually rely on User Execution. Validate coverage across the email-to-endpoint chain: delivery of targeted messages, attachment handling, user opening or execution, antimalware outcomes, and any follow-on network traffic. Relationship context shows targeting of ICS Workstations and Jump Hosts, so IR and detection teams should confirm that those assets are included in logging, alert triage, and containment procedures.

Likely telemetry

  • Email gateway and mailbox logs for messages with attachments, sender details, recipients, and delivery outcomes
  • Attachment metadata and scanning results from mail, content-filtering, or sandboxing controls where available
  • Endpoint antivirus/antimalware alerts and quarantine events, especially for user workstations and jump hosts where deployed
  • Process or file execution evidence showing a user opened or executed an attachment, if collected locally
  • Network boundary IDS/IPS alerts or blocks associated with malicious attachment delivery or follow-on traffic

Detection direction

  • Map DET0781 and local detections to the full chain: targeted email received, attachment delivered, file opened, malware detected, and any outbound or lateral activity observed.
  • Tune for high-value recipients and ICS access roles, including operators, engineers, administrators, and users of jump hosts, rather than treating all phishing as equal risk.
  • Check blind spots where ICS workstations or jump hosts have limited endpoint tooling, restricted logging, or delayed log forwarding.
  • Account for false positives from legitimate business attachments, engineering files, maintenance communications, and supplier/vendor exchanges.
  • Use ATT&CK group and software relationships as threat-intelligence context only; do not infer current activity without local or external reporting.
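
As an added example (not part of the Glexia page or of MITRE's object), the following Python sketch implements the chain mapping and role-based tuning described in the Technical view and the Detection direction items above. It joins constructed mail-gateway, EDR, antimalware and IDS events per recipient, records which of the five chain stages each source reached, weights the result for ICS roles and ICS assets, and flags an ICS user whose attachment was delivered but for whom no endpoint source reported anything, which is the blind spot the third item warns about. The role and asset tables, event field names and every sample record are hypothetical.

```python
"""Correlate mail-gateway, endpoint, antimalware and IDS events into the T0865
chain (email received, attachment delivered, file opened, malware detected,
follow-on traffic) and rank recipients by how far it got and by ICS exposure.

Role tables, hosts, field names and every event record below are constructed
for the example; they are not taken from a real environment or product.
"""
from collections import defaultdict

# Stage order of the chain the page describes.
CHAIN_STAGES = ("email_received", "attachment_delivered", "file_opened",
                "malware_detected", "followon_traffic")
# Hypothetical asset and identity context (normally from CMDB / IdP / HR).
ICS_ASSETS = {"eng-ws-01": "engineering_workstation", "jump-01": "jump_host"}
ICS_USERS = {"j.doe": "control_engineer", "ops-admin": "ot_administrator"}
ENDPOINT_SOURCES = {"edr", "av"}

# Constructed sample events; "user" is the join key across sources.
SAMPLE_EVENTS = [
    {"src": "mailgw", "stage": "email_received", "user": "j.doe",
     "msg_id": "m-1001", "sender_domain": "supplier-portal.example"},
    {"src": "mailgw", "stage": "attachment_delivered", "user": "j.doe",
     "msg_id": "m-1001", "filename": "pump_spec.docm"},
    {"src": "edr", "stage": "file_opened", "user": "j.doe", "host": "eng-ws-01",
     "parent": "WINWORD.EXE", "child": "powershell.exe"},
    {"src": "av", "stage": "malware_detected", "user": "j.doe",
     "host": "eng-ws-01", "action": "quarantined"},
    {"src": "ids", "stage": "followon_traffic", "user": "j.doe",
     "host": "eng-ws-01", "dst": "203.0.113.7", "dport": 443},
    # Jump-host administrator: mail stages only, endpoint sources silent.
    {"src": "mailgw", "stage": "email_received", "user": "ops-admin",
     "msg_id": "m-1002", "sender_domain": "vendor-support.example"},
    {"src": "mailgw", "stage": "attachment_delivered", "user": "ops-admin",
     "msg_id": "m-1002", "filename": "maintenance_plan.pdf"},
    # Ordinary user: routine attachment, nothing further.
    {"src": "mailgw", "stage": "email_received", "user": "front-desk",
     "msg_id": "m-1003", "sender_domain": "catering.example"},
    {"src": "mailgw", "stage": "attachment_delivered", "user": "front-desk",
     "msg_id": "m-1003", "filename": "menu.pdf"},
]


def build_chains(events):
    """Group events per user and record stages, hosts and reporting sources."""
    chains = defaultdict(lambda: {"stages": set(), "hosts": set(), "sources": set()})
    for ev in events:
        if ev["stage"] not in CHAIN_STAGES:
            continue  # outside the T0865 chain
        c = chains[ev["user"]]
        c["stages"].add(ev["stage"])
        c["sources"].add(ev["src"])
        if "host" in ev:
            c["hosts"].add(ev["host"])
    return chains


def chain_depth(chain):
    """Number of chain stages reached (position of the furthest stage + 1)."""
    return max((CHAIN_STAGES.index(s) for s in chain["stages"]), default=-1) + 1


def score_chain(user, chain):
    """Depth weighted up for ICS roles (+3) and ICS assets (+2)."""
    score = chain_depth(chain)
    if user in ICS_USERS:
        score += 3
    if any(h in ICS_ASSETS for h in chain["hosts"]):
        score += 2
    return score


def blind_spot(user, chain):
    """An ICS role got an attachment but no endpoint or antimalware source spoke."""
    if (user in ICS_USERS and "attachment_delivered" in chain["stages"]
            and not (ENDPOINT_SOURCES & chain["sources"])):
        return "no endpoint/antimalware telemetry for ICS role; verify coverage"
    return None


def triage(events):
    """Return one row per recipient, highest score first."""
    rows = []
    for user, chain in build_chains(events).items():
        rows.append({"user": user, "role": ICS_USERS.get(user, "standard"),
                     "depth": chain_depth(chain), "score": score_chain(user, chain),
                     "blind_spot": blind_spot(user, chain)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The scoring weights are deliberately simple; the point is that a two-stage chain against a jump-host administrator outranks the same two stages against an ordinary mailbox, and that silence from endpoint sources on an ICS role is itself a finding to chase rather than evidence of no execution.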

Mitigation priorities

  • Start with role-specific user training for phishing and social engineering, especially personnel with access to ICS workstations or jump hosts.
  • Restrict risky web-based content, downloads, attachments, scripts, and browser extensions where operational requirements allow.
  • Use network intrusion prevention at boundaries, configured and tested so it does not disrupt ICS protocols or real-time control and safety communications.
  • Deploy or validate antivirus/antimalware on appropriate assets, following ATT&CK guidance to limit ICS deployment to systems where availability impact has been tested in a representative environment.
  • Ensure incident response playbooks cover malicious attachment reports, mailbox containment, endpoint isolation decisions, and escalation when an ICS access path is involved.
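
An added example, not a product configuration from the page, of the attachment-restriction and sandboxing policy that the second and fourth mitigation items above describe, written in Python. The last extension decides executable and script types; ZIP containers are opened and their members classified recursively, with encrypted or unreadable archives held for sandboxing rather than passed through; macro-enabled Office documents are recognised by the vbaProject.bin part inside the OOXML container rather than by extension, so a renamed file does not slip by; and the strict block-on-macro rule applies only to ICS roles so routine business mail is not over-blocked. The extension lists, role names and in-memory sample files are constructed for the example.

```python
"""Attachment policy for a mail gateway or content filter: block executable
and script types, inspect ZIP containers, detect macro-enabled Office files
by content, and apply the strictest rule only to ICS roles.

Extension sets, role names and the sample files are constructed for this
example; adapt them to local engineering file types before use.
"""
import io
import zipfile

BLOCKED_EXT = {"exe", "dll", "scr", "com", "pif", "vbs", "vbe", "js", "jse",
               "wsf", "wsh", "hta", "cmd", "bat", "ps1", "lnk", "iso", "img",
               "msi", "jar", "chm"}
ARCHIVE_EXT = {"zip"}                  # only ZIP is parsed in this example
MACRO_EXT = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
ICS_ROLES = {"control_engineer", "ot_administrator", "jump_host_user"}
MAX_NESTING = 3                        # stop inspecting very deep archives


def file_ext(name):
    """Lower-cased last extension; 'report.pdf.exe' -> 'exe'."""
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def ooxml_has_macro(data):
    """OOXML documents are ZIPs; a VBA project is stored as */vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(name, data, role="standard", depth=0):
    """Return (verdict, reason); verdict is 'allow', 'sandbox' or 'block'."""
    ext = file_ext(name)
    if ext in BLOCKED_EXT:
        return "block", f"executable or script type .{ext}"
    if ext in ARCHIVE_EXT:
        if depth >= MAX_NESTING:
            return "sandbox", "archive nested too deeply to inspect"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    verdict, reason = classify(member, zf.read(member), role, depth + 1)
                    if verdict != "allow":
                        return verdict, f"archive member {member}: {reason}"
        except (zipfile.BadZipFile, RuntimeError):
            # zipfile raises RuntimeError when a member is password-protected.
            return "sandbox", "archive unreadable or encrypted"
        return "allow", "archive members clean"
    if ooxml_has_macro(data):
        if ext not in MACRO_EXT:
            return "block", f"VBA project inside .{ext} (extension hides macro content)"
        if role in ICS_ROLES:
            return "block", "macro-enabled document sent to ICS role"
        return "sandbox", "macro-enabled document"
    return "allow", "no risky indicators"


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes-or-str}; used for samples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments (minimal OOXML skeletons, not real documents).
CLEAN_DOCX = make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
MACRO_DOCM = make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                       "word/vbaProject.bin": b"\x00" * 16})
ZIP_WITH_EXE = make_zip({"readme.txt": "see installer", "update.exe": b"MZ\x90\x00"})
NESTED_ZIP = make_zip({"inner.zip": ZIP_WITH_EXE})
PDF_BYTES = b"%PDF-1.4\n%..."

if __name__ == "__main__":
    for fname, blob, role in [("pump_spec.docx", CLEAN_DOCX, "control_engineer"),
                              ("pump_spec.docm", MACRO_DOCM, "standard"),
                              ("pump_spec.docm", MACRO_DOCM, "control_engineer"),
                              ("pump_spec.docx", MACRO_DOCM, "standard"),
                              ("maintenance.zip", ZIP_WITH_EXE, "ot_administrator"),
                              ("bundle.zip", NESTED_ZIP, "standard"),
                              ("drawing.pdf", PDF_BYTES, "standard")]:
        print(fname, role, classify(fname, blob, role))
```

Two design points matter for ICS mail: an archive the gateway cannot open is treated as unknown and held, not waved through, and the macro decision is content-based, since a .docm renamed to .docx still carries its VBA project. Engineering file types that operations genuinely exchange belong in an explicit allow list per role rather than in a looser default for everyone.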

Analyst notes and limits

The ATT&CK object cites a historical Chinese gas pipeline intrusion campaign and maps the technique to multiple groups and malware entries, including Lazarus Group, OilRig, APT33, ALLANITE, BlackEnergy, and Backdoor.Oldrea. These relationships support prioritizing the behavior for ICS-focused threat modeling, but they do not establish current targeting or local exposure.

The mirrored object does not carry official detection text, tactics, or technique platforms. Telemetry and control recommendations are derived from the official description and the supplied relationships, so local architecture, logging coverage, asset criticality, and change-control constraints must determine the actual detection and mitigation scope.

Official MITRE ATT&CK definition


The description at the top of this page reproduces the official entry. View the same entry on attack.mitre.org (the MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group (ICS)

G0064: APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]

Group (ICS)

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]

Group (ICS)

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Group (ICS)

G1000: ALLANITE

ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly, although ALLANITE's technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence.[1]

Malware (ICS)

S0089: BlackEnergy

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [1]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: cbecee3bf7a3133f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | cbecee3bf7a3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Enterprise ATT&CK, "Spearphishing Attachment", 25 October 2019. Retrieved 25 October 2019.
  2. [2] Department of Justice (DOJ) and DHS Cybersecurity & Infrastructure Security Agency (CISA), "Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013" (AA21-201A), 20 July 2021. Retrieved 8 October 2021.
  3. [3] mitre-attack: T0865 source object.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.