Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Initial Access/ T1566.001

T1566.001Spearphishing Attachment

T1566.001 — Spearphishing Attachment is a MITRE ATT&CK technique in the Initial Access tactic. Clankerusecase tracks 61 detection use cases covering it and 82 threat-intel articles citing it.

Initial Access
View on the matrix → Filter Detection Library MITRE official spec ↗
61Use cases
82Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1566 · Phishing

Use cases covering this technique (61)

Abnormal Security: malicious email opened Internal delivery · alerting DD Email attachment opened from external sender Internal delivery · hunting DSP Email Attachments With Lots Of Spaces ESCU actions · hunting P Suspicious Email Attachment Extensions ESCU actions · hunting P GSuite Email Suspicious Attachment ESCU actions · hunting P Gsuite Email Suspicious Subject With Attachment ESCU actions · hunting P Gsuite Email With Known Abuse Web Service Link ESCU actions · hunting P Gsuite Suspicious Shared File Name ESCU actions · hunting P O365 Email Reported By Admin Found Malicious ESCU actions · alerting P O365 Email Reported By User Found Malicious ESCU actions · alerting P O365 Safe Links Detection ESCU actions · alerting P O365 Threat Intelligence Suspicious Email Delivered ESCU actions · hunting P O365 ZAP Activity Detection ESCU actions · hunting P Detect Outlook exe writing a zip file ESCU actions · hunting P Windows CAB File on Disk ESCU actions · hunting P Windows Defender ASR Audit Events ESCU actions · hunting P Windows Defender ASR Block Events ESCU actions · hunting P Windows Defender ASR Rules Stacking ESCU actions · hunting P Windows ISO LNK File Creation ESCU actions · hunting P Windows Office Product Dropped Cab or Inf File ESCU actions · alerting P Windows Office Product Dropped Uncommon File ESCU actions · hunting P Windows Office Product Loaded MSHTML Module ESCU actions · hunting P Windows Office Product Loading Taskschd DLL ESCU actions · hunting P Windows Office Product Loading VBE7 DLL ESCU actions · hunting P Windows Office Product Spawned Child Process For Download ESCU actions · alerting P Windows Office Product Spawned Control ESCU actions · alerting P Windows Office Product Spawned MSDT ESCU actions · alerting P Windows Office Product Spawned Rundll32 With No DLL ESCU actions · alerting P Windows Office Product Spawned Uncommon Process ESCU actions · alerting P Windows Phishing PDF File Executes URL Link ESCU actions · hunting P Windows Phishing Recent ISO Exec Registry ESCU actions · hunting P Windows Spearphishing Attachment Onenote Spawn Mshta ESCU actions · alerting P Windows Universal Data Link File Creation ESCU actions · hunting P Windows Spearphishing Attachment Connect To None MS Office Domain ESCU actions · hunting P MSHTML Module Load in Office Product ESCU actions · alerting P Office Application Drop Executable ESCU actions · alerting P Office Application Spawn Regsvr32 process ESCU actions · alerting P Office Application Spawn rundll32 process ESCU actions · alerting P Office Document Creating Schedule Task ESCU actions · alerting P Office Document Executing Macro Code ESCU actions · alerting P Office Document Spawned Child Process To Download ESCU actions · alerting P Office Product Spawn CMD Process ESCU actions · alerting P Office Product Spawning BITSAdmin ESCU actions · alerting P Office Product Spawning CertUtil ESCU actions · alerting P Office Product Spawning MSHTA ESCU actions · alerting P Office Product Spawning Rundll32 with no DLL ESCU actions · alerting P Office Product Spawning Windows Script Host ESCU actions · alerting P Office Product Spawning Wmic ESCU actions · alerting P Office Product Writing cab or inf ESCU actions · alerting P Office Spawning Control ESCU actions · alerting P Windows Office Product Spawning MSDT ESCU actions · alerting P Winword Spawning Cmd ESCU actions · alerting P Winword Spawning PowerShell ESCU actions · alerting P Winword Spawning Windows Script Host ESCU actions · alerting P [LLM] ISO File Dropped to Downloads — RoguePlanet Defender Exploit Precursor Bespoke delivery · hunting DSΣPDDCS [LLM] Claude 'Appeal Request' phishing email with PDF attachment lure Bespoke delivery · alerting DSΣP [LLM] Screening Serpens recruitment lure — Hiring Portal.zip + job requisition PDFs Bespoke delivery · alerting DSΣPDDCS [LLM] Mailcow quarantine XSS via EICAR + HTML in attachment filename (GHSA-2xjc-rg88-jvpp) Bespoke delivery · alerting DSΣPDD [LLM] Silver Fox Japan tax-season lure: inbound email with Japanese HR/ESOP subject + gofile.io URL or RAR/ZIP Bespoke delivery · alerting DS [LLM] APT28 MacroMaze: Office or Edge HTTP traffic to webhook.site (INCLUDEPICTURE tracker + exfil) Bespoke c2 · hunting DSP [LLM] Inbound email with HTML attachment linking to unpkg.com Beamglea package Bespoke delivery · alerting DSP

Articles citing this technique (82)

high FBI disrupts massive AI-powered phishing service using a million URLs art-01
med New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server art-06
crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15
high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing art-18
med Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection art-23
high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28
crit Rethinking MDR as Attackers and Defenders Embrace AI art-30
high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator art-33
high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41
high npm v12 delivers one of the biggest security improvements in years art-46
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
crit Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows art-71
high Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility art-74
crit Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues art-82
crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86
crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87
crit New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing art-89
high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer art-90
crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE art-92
high When “Hi, This Is IT” Comes Through Microsoft Teams art-98
crit One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public art-100
crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101
crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102
crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload art-103
crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107
crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108
high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114
high Reporting from Vegas: Networking, AI, and good boys art-126
crit Malicious npm packages abuse dependency confusion to profile developer environments art-161
crit [GHSA / CRITICAL] CVE-2026-47392: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subpro art-166
high What MDM can't protect on developer machines (and what to do about it) art-186
crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187
crit ESET APT Activity Report Q4 2025–Q1 2026 art-189
med Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years art-190
crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193
crit BTMOB: A stealthy RAT burrowing deep into Android devices art-209
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218
crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219
med Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise art-220
crit The Wild West of VS Code extensions and how a poisoned extension breached GitHub art-236
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309
crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316
crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322
high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346
high It's time to treat browser extensions like supply chain attack vectors art-354
crit New NGate variant hides in a trojanized NFC payment app art-369
high Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow art-379
high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408
high Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT art-420
high A cunning predator: How Silver Fox preys on Japanese firms this tax season art-426
crit EDR killers explained: Beyond the drivers art-455
crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458
crit Cyber fallout from the Iran war: What to have on your radar art-474
crit Sednit reloaded: Back in the trenches art-477
crit Protecting education: How MDR can tip the balance in favor of schools art-491
crit PlugX Meeting Invitation via MSBuild and GDATA art-503
high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537
crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542
crit Naming and shaming: How ransomware groups tighten the screws on victims art-544
crit Another npm Supply Chain Attack: The 'is' Package Compromise art-554
high npx Confusion: Packages That Forgot to Claim Their Own Name art-578
high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594
high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605
crit ESET Threat Report H2 2025 art-647
crit Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise art-654
med Why Threat Modeling Is Now Even More Critical for AI-Native Applications art-694
crit ESET APT Activity Report Q2 2025–Q3 2025 art-715
crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736
crit Phishing Campaign Leveraging the NPM Ecosystem art-754
high Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack art-789
high npm Supply Chain Attack via Open Source maintainer compromise art-794
high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806
high Snyk Joins CISA's Secure by Design Pledge art-828
crit Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware art-837
crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218
crit Snyk Learn and the NIST Cybersecurity Framework (CSF) art-1274
high Defense in Depth art-1278
crit New Year's security resolutions for 2024 from Snyk DevRel, SecRel, and friends art-1294
high Cybersecurity Venture’s 2023 Software Supply Chain Attack Report art-1362
high XS leaks: What they are and how to avoid them art-1419