T1598.002: Spearphishing Attachment
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email. In some cases, they may rely upon the recipient populating information, then returning the file.[1][2] The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. In other cases, adversaries may leverage techniques such as HTML Smuggling to harvest user credentials via fake login portals.[3]
Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.
Analyst context for executives and security teams
This technique is about targeted emails that use attachments to make people disclose useful information, often credentials or other details that improve later targeting. The business issue is not just “phishing”; it is pre-incident reconnaissance that can give an adversary better access, better impersonation material, and more convincing follow-on activity before malware or intrusion alerts ever appear.
Executive priority
Treat this as an early-warning control area for identity risk and incident readiness. Leaders should ask whether email security, user reporting, and security awareness can identify attachment-based information requests, not only malicious links or malware. This matters for continuity because stolen credentials or sensitive business details can enable later access attempts, fraud, or targeted compromise. It also creates audit value: evidence of user training, anti-spoofing posture, email handling configuration, and phishing-response workflows can demonstrate reasonable preventive and detective controls.
Technical view
ATT&CK places Spearphishing Attachment under reconnaissance on platform PRE and as a sub-technique of Phishing for Information. SOC and IR teams should validate visibility into targeted inbound messages with attachments that request users to fill in and return information, as well as attachments that may present fake login experiences such as HTML-based content. Because official detection text is not provided, detection engineering should map local controls to the related DET0865 detection strategy and test whether email, attachment, and user-reporting telemetry can distinguish business-process attachments from credential-harvesting or information-solicitation lures. Relationship context shows use by multiple ATT&CK groups, but that should be treated as threat-intelligence context, not evidence of local targeting.
Likely telemetry
- Inbound email gateway logs, including sender, recipient, subject, attachment names, attachment types, and delivery disposition
- Email authentication and anti-spoofing results such as SPF or equivalent sender-validation outcomes referenced by the supplied sources
- Attachment metadata and security inspection results, especially for document and HTML attachment types
- User-reported phishing submissions and help desk/security mailbox records
- Mail client or collaboration platform audit records showing attachment access, download, forwarding, or reply activity where available
Detection direction
- Confirm whether detections cover attachments used to solicit information, not only attachments that execute code or contain known malware.
- Tune for targeted business-context lures: urgent requests, requests to populate and return files, and messages appearing to come from business associates.
- Review blind spots around HTML attachments, locally rendered fake pages, spoofed senders, and attachments that evade link-focused phishing controls.
- Correlate email events with user reports and identity telemetry when credentials or actionable information may have been submitted.
- Account for false positives from legitimate forms, procurement documents, HR requests, and partner questionnaires by incorporating sender reputation, authentication results, business context, and recipient targeting patterns.
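The detection direction above can be turned into a first-pass triage rule over gateway telemetry. The script below is an added example written for this page; it is not part of the ATT&CK object or of the Glexia analysis. The record schema, field names, keyword lists, internal domain and sample log lines are all constructed, so the fields must be mapped onto what your gateway actually exports. It scores each inbound record on the signals the list names: sender authentication outcome, display-name impersonation of the organisation, attachment types that can host a form or a locally rendered login page, fill-in-and-return or urgency phrasing, and narrow targeting, and it leaves legitimate partner questionnaires below the alert threshold.

```python
"""Score inbound mail-gateway records for information-solicitation lures.

Added example, not part of the ATT&CK object or of the Glexia page. The record
schema, field names, keyword lists and sample log lines are constructed for
illustration; map them onto the fields your gateway actually exports.
"""
import json
import re
from dataclasses import dataclass, field

# Attachment types that can carry a fill-in-and-return form or render a local
# fake login page (HTML). Constructed list; tune to local business practice.
RISKY_EXTENSIONS = {".htm", ".html", ".shtml", ".mht", ".mhtml",
                    ".pdf", ".docx", ".docm", ".xlsm"}

# Pretext vocabulary: fill in and return, urgency, credential "verification".
LURE_PATTERNS = [
    re.compile(r"\b(fill|complete|populate)\b.{0,40}\b(form|attached|attachment|questionnaire)\b", re.I),
    re.compile(r"\b(return|send back)\b.{0,30}\b(completed|signed|form)\b", re.I),
    re.compile(r"\b(urgent|immediately|asap|today|overdue|final notice)\b", re.I),
    re.compile(r"\b(verify|confirm|update)\b.{0,30}\b(account|password|credentials|login|details)\b", re.I),
]


@dataclass
class Finding:
    message_id: str
    score: int = 0
    reasons: list = field(default_factory=list)


def attachment_ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def score_record(rec: dict, internal_domains: set) -> Finding:
    """Score one gateway record (constructed schema); higher is more suspicious."""
    f = Finding(rec["message_id"])
    from_domain = rec.get("from", "").lower().rsplit("@", 1)[-1]
    external = from_domain not in internal_domains
    auth = rec.get("auth", {})
    # 1. Sender authentication: external mail that neither SPF nor DKIM vouches for
    if external and auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        f.score += 3
        f.reasons.append("external sender failed SPF and DKIM")
    if external and auth.get("dmarc") == "fail":
        f.score += 2
        f.reasons.append("DMARC fail")
    # 2. Display name borrows the organisation's name while the address is external
    display = rec.get("from_display", "").lower()
    if external and any(d.split(".")[0] in display for d in internal_domains):
        f.score += 2
        f.reasons.append("display name impersonates the organisation")
    # 3. Attachment type able to host a form or a locally rendered login page
    risky = [a for a in rec.get("attachments", []) if attachment_ext(a) in RISKY_EXTENSIONS]
    if risky:
        f.score += 2
        f.reasons.append("risky attachment type(s): " + ", ".join(risky))
    # 4. Lure phrasing in subject and body preview
    text = rec.get("subject", "") + " " + rec.get("body_preview", "")
    hits = sum(1 for p in LURE_PATTERNS if p.search(text))
    if hits:
        f.score += hits
        f.reasons.append(f"lure phrasing ({hits} pattern(s))")
    # 5. Spear-like delivery: external, attachment-bearing, very few recipients
    if external and risky and len(rec.get("to", [])) <= 2:
        f.score += 1
        f.reasons.append("targeted delivery (<= 2 recipients)")
    return f


def load_records(jsonl: str) -> list:
    """Parse a JSON-lines gateway export into dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage(records, internal_domains, threshold: int = 6) -> list:
    """Return findings at or above the alert threshold, most suspicious first."""
    findings = [score_record(r, internal_domains) for r in records]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample gateway export (JSON lines); all domains are placeholders.
SAMPLE_LOG = """\
{"message_id":"m1","from":"payroll@examp1e-corp.com","from_display":"Example Corp HR","to":["cfo@example.com"],"subject":"URGENT: complete the attached W-2 verification form","body_preview":"Please fill in the attached form and return the completed copy today.","attachments":["W2_Verification.html"],"auth":{"spf":"fail","dkim":"none","dmarc":"fail"}}
{"message_id":"m2","from":"vendor@partner.test","from_display":"Partner Procurement","to":["ap@example.com","ap2@example.com","ap3@example.com"],"subject":"Q3 supplier questionnaire","body_preview":"Attached is the annual questionnaire, due end of month.","attachments":["Supplier_Questionnaire_2024.xlsx"],"auth":{"spf":"pass","dkim":"pass","dmarc":"pass"}}
{"message_id":"m3","from":"it@example.com","from_display":"IT Service Desk","to":["all@example.com"],"subject":"Planned maintenance Saturday","body_preview":"No action required.","attachments":[],"auth":{"spf":"pass","dkim":"pass","dmarc":"pass"}}
"""

if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_LOG), {"example.com"}):
        print(f.message_id, f.score, "; ".join(f.reasons))
```

Only the first constructed record crosses the threshold: the legitimate supplier questionnaire passes authentication, goes to several recipients and carries no lure phrasing, so it scores zero despite being an external attachment that asks for information. The threshold and weights are starting points for tuning against local business workflows, not a finished rule.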
Mitigation priorities
- Prioritize M1017 User Training focused on recognizing and reporting attachment-based information requests, including files that ask users to enter credentials or business-sensitive details.
- Apply M1054 Software Configuration to harden email clients, attachment handling, and security settings that reduce exposure to unsafe attachment behavior.
- Validate anti-spoofing and sender-authentication controls using the supplied external-reference themes, while recognizing these controls do not stop all phishing from compromised or lookalike accounts.
- Establish a clear phishing-reporting and triage process so suspicious attachments can be reviewed before users respond or return completed files.
- Reduce the value of disclosed information through strong identity controls and rapid credential-reset procedures when users report possible credential submission.
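The authentication telemetry listed above and the caveat in the sender-authentication mitigation (controls do not stop phishing from lookalike accounts) can be shown in code. The following is an added example written for this page, not part of the ATT&CK object or the Glexia analysis. It reads the Authentication-Results header a receiving gateway stamps on a message, checks whether the domain SPF or DKIM actually authenticated aligns with the visible From domain (the DMARC alignment idea), and separately tests the From domain against a list of protected domains for confusable-character lookalikes. The sample messages, domains and the simplified registered-domain logic are constructed.

```python
"""Sender-authentication alignment and lookalike-domain check for one message.

Added example, not part of the ATT&CK object or of the Glexia page. Sample
messages and domains are constructed; registered_domain() is a simplification
that ignores the public suffix list.
"""
import re
from email import message_from_string
from email.utils import parseaddr

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b", re.I)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", re.I)
DKIM_D_RE = re.compile(r"header\.d=([^\s;]+)", re.I)

# Digits and symbols commonly substituted for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def parse_auth_results(header: str) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'} from the header text."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def registered_domain(host: str) -> str:
    """Last two labels, standing in for a public-suffix-aware lookup (simplification)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def normalize(domain: str) -> str:
    """Collapse common character substitutions so lookalikes compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, protected: set):
    """Protected domain this one imitates, or None (an exact match is not a lookalike)."""
    d = domain.lower()
    if d in protected:
        return None
    for p in protected:
        if normalize(d) == normalize(p) or edit_distance(normalize(d), p) <= 1:
            return p
    return None


def evaluate(raw_message: str, protected: set) -> dict:
    """Combine alignment and lookalike checks into one verdict for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ar = msg.get("Authentication-Results", "")
    results = parse_auth_results(ar)
    mailfrom = MAILFROM_RE.search(ar)
    dkim_d = DKIM_D_RE.search(ar)
    # Alignment: the domain that passed SPF (envelope sender) or DKIM (d= tag)
    # must be the same registered domain the user sees in From.
    spf_aligned = (results.get("spf") == "pass" and bool(mailfrom)
                   and registered_domain(mailfrom.group(1)) == registered_domain(from_domain))
    dkim_aligned = (results.get("dkim") == "pass" and bool(dkim_d)
                    and registered_domain(dkim_d.group(1)) == registered_domain(from_domain))
    aligned = spf_aligned or dkim_aligned
    imitated = lookalike_of(from_domain, protected)
    if aligned and imitated:
        verdict = "authenticated lookalike domain"      # auth passes, sender still an imposter
    elif aligned:
        verdict = "authenticated"
    elif from_domain in protected:
        verdict = "unauthenticated use of a protected domain"  # classic header spoof
    else:
        verdict = "unauthenticated external sender"
    return {"from_domain": from_domain, "aligned": aligned,
            "lookalike_of": imitated, "verdict": verdict, **results}


# Constructed sample 1: a registered lookalike domain with its own SPF and DKIM.
LOOKALIKE_MSG = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
From: "Example Corp HR" <payroll@examp1e.com>
To: cfo@example.com
Subject: Complete the attached benefits form today

Please fill in the attached form and return it.
"""

# Constructed sample 2: the protected domain forged in From, caught by authentication.
SPOOF_MSG = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-relay.test; dkim=none; dmarc=fail header.from=example.com
From: "Example Accounts" <accounts@example.com>
To: ap@example.com
Subject: Updated banking details form attached

See attached.
"""

if __name__ == "__main__":
    for sample in (LOOKALIKE_MSG, SPOOF_MSG):
        print(evaluate(sample, {"example.com"}))
```

The two constructed samples make the mitigation caveat concrete: SPF, DKIM and DMARC alignment catch the forged use of the protected domain, but the lookalike domain passes every check because the adversary controls its DNS. That is why the anti-spoofing controls need to be paired with lookalike monitoring, display-name checks and user training rather than treated as a complete phishing defence.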
Analyst notes and limits
The key decision value is coverage of reconnaissance-stage phishing. This object is different from malware-delivery phishing because the objective is information collection. The supplied relationships identify User Training and Software Configuration as mitigations and list several groups that have used the technique; those relationships support prioritizing awareness, email configuration, and threat-informed validation without asserting local exposure or active exploitation.
Official ATT&CK detection guidance is not provided for this object, and the DET0865 relationship details are sparse. Telemetry and control recommendations therefore require validation against the local email stack, identity environment, reporting process, and business workflows. No conclusion should be drawn about active targeting, attribution, or effective detection coverage from the supplied fields alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1598 | Phishing for Information | This object is a sub-technique of Phishing for Information. |
Groups, software, and campaigns
G0035: Dragonfly
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]
G1033: Star Blizzard
Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]
G0121: Sidewinder
Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[1][2][3]
G1008: SideCopy
SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 8b388f1112bf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Sophos Attachment: Ducklin, P. (2020, October 2). Serious Security: Phishing without links – when phishers bring along their own web pages. Retrieved October 20, 2020.
[2] GitHub Phishery: Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.
[3] Huntress HTML Smuggling 2024: Matt Kiely. (2024, July 5). Smuggler’s Gambit: Uncovering HTML Smuggling Adversary in the Middle Tradecraft. Retrieved March 18, 2025.
[4] ACSC Email Spoofing: Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
[5] Microsoft Anti Spoofing: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
[6] mitre-attack: T1598.002.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.