T1598.001: Spearphishing Service
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.[1] These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: Social Media or Search Victim-Owned Websites) to craft persuasive and believable lures.
Analyst context for executives and security teams
Spearphishing Service is reconnaissance-stage social engineering conducted through third-party services such as social media, personal webmail, or other channels outside enterprise control. The business risk is not only credential theft; it is that employees may disclose operational details, policies, service information, or other targeting data before traditional security controls ever see an inbound corporate email or malware payload.
Executive priority
Leaders should treat this as a pre-incident risk to identity security, help desk readiness, employee awareness, and incident escalation. Because the activity can occur on non-enterprise services, coverage depends on reporting culture, user training, and clear processes for handling suspicious outreach. Priority questions: do employees know what information must not be shared externally, how to report suspicious third-party messages, and whether SOC/IR teams can correlate reports with broader reconnaissance or phishing-for-information activity?
Technical view
For SOC and IR teams, validate coverage around the parent behavior Phishing for Information (T1598) with this sub-technique focused on third-party service delivery. ATT&CK provides no official detection text, but the relationship to DET0821 indicates a relevant detection strategy exists. Teams should not assume email gateway telemetry is sufficient; the key validation point is whether suspicious social media, personal webmail, recruiter-style messages, or other off-platform contacts can be reported, triaged, and correlated with identity or help desk events.
Likely telemetry
- User-reported suspicious messages from social media, personal webmail, and other third-party services
- Security awareness or phishing-reporting platform submissions where available
- Help desk records involving unusual information requests, account questions, or social engineering concerns
- Identity and access management logs that may show follow-on credential or account activity after reported outreach
- Case management or incident response notes linking employee reports to reconnaissance activity
Detection direction
- Validate whether detection workflows cover third-party service outreach, not only enterprise email phishing.
- Tune triage around requests for credentials, policies, services, environment details, job-opportunity pretexts, urgency, or rapport-building messages.
- Use relationship context: treat this as a sub-technique of Phishing for Information and correlate reports with broader reconnaissance indicators such as social media or victim-owned website information use when locally observed.
- Account for blind spots: many messages may occur outside managed networks or corporate mailboxes, so detection often depends on employee reporting and SOC intake quality.
- Avoid over-classifying benign recruiting, sales, or networking messages; focus on sensitive information requests, impersonation, urgency, and repeated targeting patterns.
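One way to put the triage points above into a repeatable intake check, as an added Python example that is not part of the ATT&CK object or the Glexia analysis: it scores employee-reported third-party messages against the page's criteria (sensitive information requests, urgency, job pretexts), flags repeated targeting by one sender, and correlates each report with follow-on identity or help desk events. The reports, sender handles, identity events, keyword lists and 24-hour correlation window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample intake of employee-reported third-party outreach (not real data).
REPORTS = [
    {"id": "R1", "employee": "alice", "channel": "social_media", "sender": "recruiter_jdoe",
     "ts": "2024-03-01T09:00", "text": "Great role for you! Send your VPN login ASAP to pre-screen."},
    {"id": "R2", "employee": "bob", "channel": "social_media", "sender": "recruiter_jdoe",
     "ts": "2024-03-01T11:30", "text": "For the job: which SSO provider and ticketing tool do you use?"},
    {"id": "R3", "employee": "carol", "channel": "personal_webmail", "sender": "pal@example.net",
     "ts": "2024-03-02T10:00", "text": "Good to meet you at the conference, let's keep in touch."},
]
# Constructed identity / help desk events to correlate with the reports.
IAM_EVENTS = [
    {"user": "alice", "ts": "2024-03-01T13:15", "event": "helpdesk_password_reset"},
    {"user": "carol", "ts": "2024-03-10T08:00", "event": "mfa_device_added"},
]
# Triage criteria from the text; naive substring keyword lists, an assumption for the demo.
CRITERIA = {
    "sensitive_info_request": ("password", "login", "credential", "vpn", "mfa", "sso", "policy", "ticketing"),
    "urgency": ("asap", "urgent", "immediately", "today"),
    "job_pretext": ("role", "job", "opportunity", "recruit"),
}
_t = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M")

def score_report(report):
    """Return the names of the triage criteria matched by the message text."""
    text = report["text"].lower()
    return [name for name, words in CRITERIA.items() if any(w in text for w in words)]

def triage(reports, iam_events, window_hours=24):
    """Map report id -> verdict. 'escalate' needs a sensitive request backed by repeated targeting
    (same sender, several employees) or a follow-on identity event inside the window."""
    targets = defaultdict(set)                      # (channel, sender) -> employees contacted
    for r in reports:
        targets[(r["channel"], r["sender"])].add(r["employee"])
    out = {}
    for r in reports:
        reasons = score_report(r)
        repeated = len(targets[(r["channel"], r["sender"])]) > 1
        start = _t(r["ts"])
        followups = [e["event"] for e in iam_events if e["user"] == r["employee"]
                     and start <= _t(e["ts"]) <= start + timedelta(hours=window_hours)]
        if "sensitive_info_request" in reasons and (repeated or followups):
            verdict = "escalate"
        else:
            verdict = "monitor" if reasons else "benign"   # pretext/urgency alone, or nothing
        out[r["id"]] = {"verdict": verdict, "reasons": reasons,
                        "repeated_targeting": repeated, "identity_followups": followups}
    return out
```

Plain networking chatter (R3) stays benign even though the same employee later adds an MFA device, because that event falls outside the correlation window; the two recruiter messages escalate on repeated targeting, and the first one also carries a same-day help desk password reset.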
Mitigation priorities
- Prioritize User Training (M1017) that specifically covers third-party messaging, social media contact, personal webmail, and requests for sensitive business or identity information.
- Define simple reporting paths for suspicious external outreach, including cases that occur outside corporate email.
- Reinforce data-handling rules so employees know which operational, policy, service, and credential-related information must not be disclosed through informal channels.
- Ensure SOC, help desk, and IR teams have playbooks for triaging reported social engineering and escalating when identity or account-security risk is suspected.
- Use exercises or awareness checks to validate that employees and contractors recognize phishing-for-information attempts, not only malware or link-based phishing.
Analyst notes and limits
ATT&CK places this sub-technique in the reconnaissance tactic on the PRE platform. The supplied relationship context includes a detection strategy relationship, a User Training mitigation, a parent relationship to Phishing for Information, and a campaign relationship to C0027. The C0027 relationship shows this behavior has appeared in ATT&CK campaign reporting, but local risk should be assessed against the organization’s exposure, reporting process, and identity controls.
Official ATT&CK detection guidance is not provided for this object, and the supplied fields do not include detailed procedures, indicators, or platform-specific logs. This take therefore emphasizes defensible validation areas rather than guaranteed detections. Local environment evidence is required to determine actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1598 | Phishing for Information | This object is a sub-technique of Phishing for Information. |
Groups, software, and campaigns
C0027
C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1960331987bd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ThreatPost Social Media Phishing. O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.
[2] mitre-attack T1598.001.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.