Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1598.003: Spearphishing Link

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.[1][2] The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.[3]

Adversaries may also embed “tracking pixels,” "web bugs," or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.[4][5] These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server.[5][6]

Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.[7][8]

Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., Steal Web Session Cookie) in addition to their username and password. This may enable the adversary to then bypass MFA via Web Session Cookie.[9]

Adversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as “quishing”). These links may direct a victim to a credential phishing page.[10] By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.[11] These QR codes may be scanned by or delivered directly to a user’s mobile device (i.e., Phishing), which may be less secure in several relevant ways.[11] For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile’s smaller form factor.

From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.

EnterpriseT1598.003Sub-techniqueObject v1.7 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Spearphishing Link matters because it can turn a normal email, message, QR code, or fake login page into reconnaissance that harvests credentials, session cookies, or other actionable information before a visible intrusion occurs. For leaders, this is primarily an identity and access risk: the business impact depends less on malware execution and more on whether users, email controls, web controls, and identity monitoring can prevent or quickly validate credential exposure.

Executive priority

Treat this as a control-validation issue across email security, identity security, cloud/SaaS access, and incident response. Executives should ask whether the organization can prove: phishing links and QR-code lures are inspected, suspicious clicks are visible, credential submission events can be investigated, and suspected session-cookie theft can trigger rapid account containment. Because ATT&CK lists this as reconnaissance, response playbooks should not wait for endpoint malware before taking identity-focused action.

Technical view

This is ATT&CK T1598.003, a PRE-platform reconnaissance sub-technique under Phishing for Information. The official detection field is not provided, but ATT&CK relates DET0878, Detection of Spearphishing Link, and mitigations M1017 User Training and M1054 Software Configuration. SOC and IR teams should validate visibility across targeted messages, URLs, URL obfuscation patterns, fake login portals, tracking pixels/web beacons, browser-in-the-browser style credential prompts, QR-code links, and adversary-in-the-middle phishing frameworks such as evilginx2 where identity/session telemetry is available. Triage should focus on whether information was submitted, whether credentials or session cookies may have been exposed, and whether follow-on sign-ins align with the user’s normal behavior.

Likely telemetry

  • Email gateway and mailbox logs, including sender, recipient, headers, authentication results, embedded links, HTML content, image loads, and attachments or QR-code images
  • URL rewriting, detonation, safe-link, proxy, secure web gateway, DNS, and browser history records showing link visits or blocked navigation
  • Identity provider and SaaS sign-in logs, including new device, new location, impossible or unusual travel, MFA events, session creation, and token/session activity
  • Web server or remote image request evidence where tracking pixels or web beacons are suspected
  • User-reported phishing submissions and help desk records tied to targeted messages

Detection direction

  • Do not rely only on attachment or malware alerts; this behavior may only collect information and may not execute code.
  • Validate detection for URL obfuscation techniques described by ATT&CK, including misleading text before an @ symbol and integer- or hexadecimal-based hostnames.
  • Tune email and web detections for cloned login portals, lookalike URLs, urgent social-engineering language, remote image loads, and QR-code links while accounting for benign marketing trackers and legitimate business links.
  • Correlate message receipt, link click, credential-entry suspicion, and subsequent identity-provider activity; the decisive evidence is often in identity and SaaS logs rather than endpoint telemetry.
  • Review whether mobile-device interactions create blind spots, especially when QR codes move the user from corporate email tooling to a less-monitored browser or device.

Mitigation priorities

  • Prioritize user training that specifically covers targeted credential-harvesting links, fake login portals, QR-code phishing, browser-in-the-browser prompts, and reporting suspicious messages.
  • Harden software and service configuration for email, browser, SaaS, and identity platforms, including anti-spoofing and phishing-resistant settings where available.
  • Ensure account containment procedures can rapidly reset credentials, revoke sessions, and review MFA/session activity when a user may have submitted credentials or exposed a session cookie.
  • Test controls with safe simulations that measure reporting, email inspection, URL analysis, QR-code handling, and identity-response workflows rather than only attachment-based phishing.
  • Maintain audit evidence showing training coverage, configuration reviews, phishing-report handling, and incident response decisions for suspected credential exposure.
Analyst notes and limits

The ATT&CK object emphasizes information gathering through spearphishing links, including fake portals, URL obfuscation, tracking pixels, browser-in-the-browser deception, adversary-in-the-middle phishing kits, and QR-code phishing. Relationship context includes DET0878 for detection, M1017 and M1054 for mitigation, T1598 as the parent technique, and multiple associated groups and software, including evilginx2. Use those relationships as prioritization context, not proof of current activity in any environment.

MITRE does not provide official detection text for this object in the supplied fields. This take therefore identifies evidence classes and validation questions rather than guaranteed analytics. Actual coverage depends on the organization’s email stack, web controls, identity provider logging, SaaS visibility, mobile telemetry, retention, and phishing-report workflow.

Official MITRE ATT&CK definition

Spearphishing Link

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.[1][2] The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.[3]

Adversaries may also embed “tracking pixels,” "web bugs," or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.[4][5] These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server.[5][6]

Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.[7][8]

Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., Steal Web Session Cookie) in addition to their username and password. This may enable the adversary to then bypass MFA via Web Session Cookie.[9]

Adversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as “quishing”). These links may direct a victim to a credential phishing page.[10] By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.[11] These QR codes may be scanned by or delivered directly to a user’s mobile device (i.e., Phishing), which may be less secure in several relevant ways.[11] For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile’s smaller form factor.

From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1598 Phishing for Information This object subtechnique of Phishing for Information.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0121: Sidewinder

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[1][2][3]

Group Enterprise

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]

Group Enterprise

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Group Enterprise

G0122: Silent Librarian

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).[1][2][3]

Group Enterprise

G0128: ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[1][2]

Group Enterprise

G0050: APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]

Group Enterprise

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Group Enterprise

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Group Enterprise

G1033: Star Blizzard

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]

Group Enterprise

G1036: Moonstone Sleet

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]

Tool Enterprise

S0677: AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]

WindowsOffice SuiteIdentity Provider
Malware Enterprise

S0649: SMOKEDHAM

SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.[1][2]

Windows
Tool Enterprise

S9003: evilginx2

evilginx2 is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. evilginx2 can be used as a reverse proxy between victims and legitimate web services to intercept and capture credentials, authentication tokens, and session cookies.[1][2][3]

IaaSIdentity ProviderOffice Suite
Relationship explorer

All related ATT&CK context

uses · Group G0121: Sidewinder Enterprise uses · Group G1015: Scattered Spider Enterprise uses · Group G0129: Mustang Panda Enterprise uses · Group G0034: Sandworm Team Enterprise uses · Group G0122: Silent Librarian Enterprise detects · Detection Strategy DET0878: Detection of Spearphishing Link Enterprise uses · Tool S0677: AADInternals Enterprise mitigates · Mitigation M1017: User Training Enterprise uses · Group G0128: ZIRCONIUM Enterprise uses · Group G0050: APT32 Enterprise uses · Group G0094: Kimsuky Enterprise uses · Group G0059: Magic Hound Enterprise uses · Malware S0649: SMOKEDHAM Enterprise uses · Group G0007: APT28 Enterprise uses · Group G1033: Star Blizzard Enterprise uses · Group G1036: Moonstone Sleet Enterprise uses · Group G1012: CURIUM Enterprise uses · Group G0035: Dragonfly Enterprise subtechnique of · Technique T1598: Phishing for Information Enterprise uses · Tool S9003: evilginx2 Enterprise uses · Group G0040: Patchwork Enterprise mitigates · Mitigation M1054: Software Configuration Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1017: User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:

Create Comprehensive Training Programs:

- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting. - Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:

- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training. - Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:

- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:

- Include cybersecurity training as part of the onboarding process for new employees. - Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:

- Update training materials to include emerging threats and techniques used by adversaries. - Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:

- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering. - Discuss how specific employee actions can prevent or mitigate such attacks.

Mitigation Enterprise

M1054: Software Configuration

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:

Conduct a Security Review of Application Settings:

- Review the software documentation to identify recommended security configurations. - Compare default settings against organizational policies and compliance requirements.

Implement Access Controls and Permissions:

- Restrict access to sensitive features or data within the software. - Enforce least privilege principles for all roles and accounts interacting with the software.

Enable Logging and Monitoring:

- Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity. - Integrate logs with a centralized monitoring solution, such as a SIEM.

Update and Patch Software Regularly:

- Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities. - Use automated patch management tools to streamline the update process.

Disable Unnecessary Features or Services:

- Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.

Test Configuration Changes:

- Perform configuration changes in a staging environment before applying them in production. - Conduct regular audits to ensure that settings remain aligned with security policies.

*Tools for Implementation*

Configuration Management Tools:

- Ansible: Automates configuration changes across multiple applications and environments. - Chef: Ensures consistent application settings through code-based configuration management. - Puppet: Automates software configurations and audits changes for compliance.

Security Benchmarking Tools:

- CIS-CAT: Provides benchmarks and audits for secure software configurations. - Aqua Security Trivy: Scans containerized applications for configuration issues.

Vulnerability Management Solutions:

- Nessus: Identifies misconfigurations and suggests corrective actions.

Logging and Monitoring Tools:

- Splunk: Aggregates and analyzes application logs to detect suspicious activity.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.7
Created
Modified
Raw hash
d8ec3cc9a46ec491...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.7 Current bundle d8ec3cc9a46e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    TrendMictro Phishing

    Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.

    Open source URL
  2. [2]
    PCMag FakeLogin

    Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.

    Open source URL
  3. [3]
    Mandiant URL Obfuscation 2023

    Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.

    Open source URL
  4. [4]
    NIST Web Bug

    NIST Information Technology Laboratory. (n.d.). web bug. Retrieved March 22, 2023.

    Open source URL
  5. [5]
    Ryte Wiki

    Ryte Wiki. (n.d.). Retrieved November 17, 2024.

    Open source URL
  6. [6]
    IAPP

    IAPP. (n.d.). Retrieved March 5, 2024.

    Open source URL
  7. [7]
    ZScaler BitB 2020

    ZScaler. (2020, February 11). Fake Sites Stealing Steam Credentials. Retrieved March 8, 2023.

    Open source URL
  8. [8]
    Mr. D0x BitB 2022

    mr.d0x. (2022, March 15). Browser In The Browser (BITB) Attack. Retrieved March 8, 2023.

    Open source URL
  9. [9]
    Proofpoint Human Factor

    Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.

    Open source URL
  10. [10]
    QR-campaign-energy-firm

    Jonathan Greig. (2023, August 16). Phishing campaign used QR codes to target large energy company. Retrieved November 27, 2023.

    Open source URL
  11. [11]
    qr-phish-agriculture

    Tim Bedard and Tyler Johnson. (2023, October 4). QR Code Scams & Phishing. Retrieved November 27, 2023.

    Open source URL
  12. [12]
    ACSC Email Spoofing

    Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.

    Open source URL
  13. [13]
    Microsoft Anti Spoofing

    Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.

    Open source URL
  14. [14]
    mitre-attack T1598.003
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use