T1534: Internal Spearphishing
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign in which a legitimate account is first compromised, either by controlling the user's device or by compromising the user's account credentials. Adversaries may then take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phishing attempts, often incorporating Impersonation.[1]
For example, adversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic login interfaces.
Adversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.[2]
Analyst context for executives and security teams
Internal spearphishing matters because the message appears to come from someone the business already trusts. After an account or device is compromised, an adversary can use email, Office/SaaS workflows, or chat applications to reach additional employees, capture credentials, or deliver links and attachments. For leaders, this is a lateral-movement problem as much as a phishing problem: one compromised identity can become a launch point for broader access.
Executive priority
Treat this as a test of identity resilience, collaboration-platform monitoring, and incident response speed. Priority questions are: can the organization rapidly identify when a trusted account is being used abnormally, contain that account, warn likely recipients, and preserve evidence across mail, SaaS, chat, endpoint, and sign-in logs? This behavior is especially material for audit and resilience because it exposes gaps between phishing controls, IAM controls, and SOC visibility.
Technical view
ATT&CK maps T1534 to lateral movement across Linux, macOS, Windows, Office Suite, and SaaS environments. The supplied description highlights trusted internal accounts, impersonation, spearphishing attachments, spearphishing links, credential capture through fake login pages, and internal chat applications such as Microsoft Teams. SOC and IR teams should validate detections around compromised-account behavior sending unusual internal messages, links, or attachments; abnormal chat-based outreach; suspicious sign-in patterns before message bursts; and endpoint or web activity by recipients after interaction. The related detection strategy DET0054, Internal Spearphishing via Trusted Accounts, should be used as a coverage anchor where available.
Likely telemetry
- Mailbox audit logs and message trace data for internal sender-to-recipient activity
- Email security events for attachments, links, and delivery outcomes
- Office Suite and SaaS audit logs showing account activity, sharing, and authentication context
- Internal chat or collaboration audit logs, including message, file, and external-link metadata where available
- Identity provider sign-in logs, MFA/conditional access results, device context, and session anomalies
Detection direction
- Validate that detections look for trusted internal accounts sending atypical volumes, recipients, subjects, links, attachments, or chat messages, rather than only external phishing senders.
- Correlate pre-send account compromise signals with post-send recipient interaction; isolated email alerts may miss the lateral-movement sequence.
- Tune for false positives from legitimate internal campaigns, HR/recruiting activity, help desk workflows, and mass collaboration messages.
- Confirm visibility in chat and SaaS platforms, not only email gateways, because the ATT&CK description includes internal chat applications.
- Use relationship context conservatively: multiple ATT&CK groups, one campaign, and one software entry are linked to this technique, but those relationships do not prove local exposure or current activity.
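The correlation described in the detection list above, worked through as an added example that is not part of the ATT&CK object or of this page: a trusted internal sender's messages are grouped into one-hour windows, a window that reaches the sender's normal daily volume is treated as a burst, and the burst is scored on how many recipients the sender has never mailed before and how many messages carry a link or attachment. A burst is raised to high severity only when the identity-provider log shows an anomalous sign-in for that account in the preceding 24 hours. Accounts that legitimately send mass internal mail are allowlisted, which is the false-positive tuning the list calls for. The log records, account names, field names (sender, recipient, has_link, country, mfa) and thresholds are all constructed for illustration and would need mapping to a real message-trace and sign-in schema.

```python
"""Correlate trusted-account message bursts with prior sign-in anomalies.

Added example; the telemetry below is constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 4, 9, 0)   # constructed reference time

# Per-sender baseline learned from a prior period (constructed values).
BASELINE = {
    "alice@corp.example": {
        "daily_msgs": 6,
        "known_recipients": {"bob@corp.example", "carol@corp.example", "dave@corp.example"},
        "countries": {"US"},
    },
    "hr-announce@corp.example": {"daily_msgs": 3, "known_recipients": set(), "countries": {"US"}},
}
# Accounts that legitimately send mass internal mail (tuning for false positives).
MASS_SENDER_ALLOWLIST = {"hr-announce@corp.example"}

WINDOW = timedelta(hours=1)      # burst grouping window
LOOKBACK = timedelta(hours=24)   # how far back to look for a suspicious sign-in
BURST_FLOOR = 5                  # never call fewer messages than this a burst


def msg(sender, rcpt, minutes, link=False, attach=False, subject="hi"):
    """Build one constructed message-trace record."""
    return {"ts": T0 + timedelta(minutes=minutes), "sender": sender, "recipient": rcpt,
            "has_link": link, "has_attachment": attach, "subject": subject}


# Constructed message trace: alice sends one normal mail, then four hours later a
# run of link-bearing "shared document" mails to eight people she never writes to;
# hr-announce sends a legitimate 40-recipient benefits notice.
MESSAGES = (
    [msg("alice@corp.example", "bob@corp.example", 0)]
    + [msg("alice@corp.example", f"user{i}@corp.example", 240 + i, link=True, subject="Shared doc")
       for i in range(8)]
    + [msg("hr-announce@corp.example", f"user{i}@corp.example", 300, link=True, subject="Benefits")
       for i in range(40)]
)

# Constructed identity-provider sign-ins. The second alice sign-in is from an
# unfamiliar country without MFA, shortly before her burst begins.
SIGNINS = [
    {"ts": T0 - timedelta(hours=1), "user": "alice@corp.example", "country": "US", "mfa": True},
    {"ts": T0 + timedelta(minutes=200), "user": "alice@corp.example", "country": "NG", "mfa": False},
    {"ts": T0 + timedelta(minutes=290), "user": "hr-announce@corp.example", "country": "US", "mfa": True},
]


def find_bursts(messages):
    """Return (sender, window_messages) for every sender window that reaches burst volume."""
    by_sender = defaultdict(list)
    for m in messages:
        by_sender[m["sender"]].append(m)
    bursts = []
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda m: m["ts"])
        base = BASELINE.get(sender, {"daily_msgs": 1})
        threshold = max(BURST_FLOOR, base["daily_msgs"])   # a day's normal volume inside one window
        i = 0
        while i < len(msgs):
            start = msgs[i]["ts"]
            window = [m for m in msgs[i:] if m["ts"] - start <= WINDOW]
            if len(window) >= threshold:
                bursts.append((sender, window))
                i += len(window)
            else:
                i += 1
    return bursts


def anomalous_signins(sender, before, signins):
    """Sign-ins for sender in the lookback window from an unfamiliar country or without MFA."""
    countries = BASELINE.get(sender, {}).get("countries", set())
    return [s for s in signins
            if s["user"] == sender and before - LOOKBACK <= s["ts"] <= before
            and (s["country"] not in countries or not s["mfa"])]


def detect(messages, signins):
    """Score each burst on recipient novelty and payload ratio; escalate on prior sign-in anomaly."""
    findings = []
    for sender, window in find_bursts(messages):
        if sender in MASS_SENDER_ALLOWLIST:
            continue
        known = BASELINE.get(sender, {}).get("known_recipients", set())
        rcpts = {m["recipient"] for m in window}
        novel_ratio = len(rcpts - known) / len(rcpts)
        payload_ratio = sum(m["has_link"] or m["has_attachment"] for m in window) / len(window)
        if novel_ratio < 0.5 or payload_ratio < 0.5:
            continue
        evidence = anomalous_signins(sender, window[0]["ts"], signins)
        findings.append({
            "sender": sender,
            "messages": len(window),
            "novel_recipient_ratio": round(novel_ratio, 2),
            "payload_ratio": round(payload_ratio, 2),
            "prior_anomalous_signins": len(evidence),
            "severity": "high" if evidence else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(MESSAGES, SIGNINS):
        print(f)
```

Run as written, the hr-announce mailing forms a burst but is dropped by the allowlist, alice's single morning message never reaches burst volume, and her eight-message run is reported at high severity because every recipient is new to her, every message carries a link, and the unfamiliar-country sign-in 40 minutes earlier sits inside the lookback. In production the baseline would come from mailbox audit or message-trace history and the sign-in fields from the identity provider's log, and the thresholds would be tuned per tenant.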
Mitigation priorities
- Prioritize rapid account containment and credential reset procedures for suspected trusted-account abuse.
- Require strong identity controls for mail, Office Suite, SaaS, and chat access, including phishing-resistant authentication where feasible.
- Harden collaboration and email controls for internal links, attachments, impersonation indicators, and risky sharing behavior.
- Prepare IR playbooks that include recipient notification, message removal or quarantine where supported, log preservation, and review of downstream credential use.
- Run awareness and reporting processes that emphasize suspicious messages from internal accounts, not only unknown external senders.
Analyst notes and limits
MITRE provides no official detection text for this object, so defensive guidance is derived from the official description, platforms, lateral-movement tactic, external references, and the related DET0054 detection strategy name. The relationship set shows this technique is represented across several ATT&CK groups, a campaign, and software, which supports prioritizing coverage but should not be read as attribution for any local incident.
The supplied fields do not include specific indicators, detection logic, mitigations, or confirmed active exploitation. Local environment architecture, logging depth, retention, identity controls, and collaboration-platform configuration are required to assess actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G0047: Gamaredon Group
Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]
In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia's Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.[6][5]
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
S9030: SameCoin
C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 3d65bb47455f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trend Micro. (n.d.). Retrieved February 16, 2024.
[2] Microsoft Threat Intelligence. (2023, August 2). Midnight Blizzard conducts targeted social engineering over Microsoft Teams. Retrieved February 16, 2024.
[3] MITRE ATT&CK. T1534: Internal Spearphishing.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.