Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Initial Access/ T1566.002

T1566.002Spearphishing Link

T1566.002 — Spearphishing Link is a MITRE ATT&CK technique in the Initial Access tactic. Clankerusecase tracks 43 detection use cases covering it and 135 threat-intel articles citing it.

Initial Access
View on the matrix → Filter Detection Library MITRE official spec ↗
43Use cases
135Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1566 · Phishing

Use cases covering this technique (43)

Phishing-link click correlated to endpoint execution Internal delivery · alerting DSP User clicked through a Safe Links warning page Internal delivery · alerting DS Click on URL whose host doesn't match the sender domain Internal delivery · hunting DS [WEEKLY] Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes Internal delivery · alerting DSPDD [WEEKLY] OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay Internal c2 · alerting DSPDD Azure AD Device Code Authentication ESCU actions · alerting P O365 Email Reported By Admin Found Malicious ESCU actions · alerting P O365 Email Reported By User Found Malicious ESCU actions · alerting P O365 Threat Intelligence Suspicious Email Delivered ESCU actions · hunting P O365 ZAP Activity Detection ESCU actions · hunting P Process Creating LNK file in Suspicious Location ESCU actions · hunting P Windows Defender ASR Audit Events ESCU actions · hunting P Windows Defender ASR Block Events ESCU actions · hunting P Windows Defender ASR Rules Stacking ESCU actions · hunting P [LLM] Raviral.com Sniper Dz kit endpoints accessed (k_fac.php / track.js) Bespoke delivery · alerting DSΣPDDCS [LLM] Phishing email click landing on Sniper Dz infrastructure (URL/click correlation) Bespoke delivery · alerting DSPDD [LLM] Brand-impersonating phishing pages on abused free-hosting platforms (Sniper Dz pattern) Bespoke delivery · hunting DSPDDCS [LLM] phpBB password-reset Host header injection (CVE-2026-29199 exploitation) Bespoke exploit · alerting SΣP [LLM] Outlook preview-pane Type Confusion exploit chain (Outlook → Word → LOLBin) Bespoke delivery · alerting DSΣPDDCS [LLM] ChatGPT Plus payment-update phishing emails (display-name + subject lure) Bespoke delivery · alerting DSΣP [LLM] Phishing redirect chain via awstrack.me / Rebrandly into AI-themed landing path Bespoke delivery · hunting DSPDDCS [LLM] World Cup 2026 themed lookalike / typosquat domain resolution by corporate hosts Bespoke delivery · hunting DSΣPDDCS [LLM] BTMOB Android RAT APK SHA256 sighting in file or email telemetry Bespoke delivery · hunting DSΣPDDCS [LLM] UTA0355 device-code phishing: deviceCode auth flow with cross-IP token redemption Bespoke delivery · alerting DSPDD [LLM] Mail-borne click to fake FIFA World Cup 2026 phishing domain Bespoke delivery · alerting DSΣPDDCS [LLM] Hoppscotch device-login open redirect token theft via localhost.* / sslip.io bypass Bespoke exploit · alerting DSΣPDDCS [LLM] Silver Fox Japan tax-season lure: inbound email with Japanese HR/ESOP subject + gofile.io URL or RAR/ZIP Bespoke delivery · alerting DS [LLM] gofile.io archive download by browser followed by extracted-EXE execution within 30 minutes Bespoke install · alerting DS [LLM] PlugX phishing lure — 'Meeting Invitation' email linking to gesecole.net ZIP Bespoke delivery · hunting DSΣPDD [LLM] User-targeted SvelteSpill exploit URL delivered or clicked (CVE-2026-27118) Bespoke delivery · alerting DSΣPDD [LLM] Phishing email impersonating npm support from typosquatted npmjs.help domain Bespoke delivery · alerting DSΣP [LLM] Aikido npm phishing: direct outbound connection to RackGenius C2 (163.123.236.118) Bespoke c2 · hunting DSΣPDDCS [LLM] Aikido npm phishing: DNS / web request to siemens-energy.icu or siemensergy.icu typosquats Bespoke delivery · alerting DSΣPDDCS [LLM] Aikido campaign: jsDelivr CDN fetch of weaponised flockiali/opresc/prndn/oprnm/operni npm package Bespoke delivery · alerting DSΣPDDCS [LLM] Aikido npm phishing: user clicked phishing URL hosting /DIVzTaSF credential capture Bespoke delivery · alerting DSΣPDDCS [LLM] Aikido npm phishing: inbound email containing jsDelivr link to flockiali/opresc/prndn/oprnm/operni Bespoke delivery · alerting DSΣPDD [LLM] DNS / outbound connection to npnjs[.]com phishing infrastructure Bespoke delivery · alerting DSΣPDD [LLM] ESET-impersonating typosquat domain contact (InedibleOchotense / Kalambur delivery) Bespoke delivery · alerting DSΣPDDCS [LLM] DreamJob trojanized PDF/installer execution from job-lure decoy folder Bespoke delivery · hunting DSΣPDDCS [LLM] Connection to Beamglea phishing credential-harvesting domains Bespoke actions · alerting DSΣPDDCS [LLM] Inbound phishing email from npmjs.help maintainer-takeover domain Bespoke delivery · alerting DSΣPDD [LLM] Browser/HTTPS traffic to npmjs.help credential-harvesting page Bespoke delivery · alerting DSΣPDDCS [LLM] npm registry typosquat npnjs.com — DNS / URL click (eslint-config-prettier maintainer phishing kit) Bespoke delivery · alerting DSΣPDDCS

Articles citing this technique (135)

high FBI disrupts massive AI-powered phishing service using a million URLs art-01
med New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server art-06
crit Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication art-09
crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15
high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17
high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing art-18
crit China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade art-22
med Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection art-23
high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28
crit Rethinking MDR as Attackers and Defenders Embrace AI art-30
crit LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution art-32
high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator art-33
high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36
crit ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities art-37
high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41
crit New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files art-42
crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm art-44
high npm v12 delivers one of the biggest security improvements in years art-46
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
high AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS. art-51
crit OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack art-53
high GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks art-55
crit China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance art-59
crit Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities art-61
crit Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE art-62
crit Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs art-67
high 10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums art-69
crit Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows art-71
high Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility art-74
crit Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities art-76
high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter art-78
crit Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Ag art-79
high Meta to Use Off-Site Business Data for Feed and AI Personalization art-81
crit Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues art-82
crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86
crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87
crit New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing art-89
high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer art-90
crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE art-92
high When “Hi, This Is IT” Comes Through Microsoft Teams art-98
crit One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public art-100
crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101
crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102
crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload art-103
crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107
crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108
high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114
high Securing CI/CD in an agentic world: Claude Code Github action case art-117
high Reporting from Vegas: Networking, AI, and good boys art-126
crit Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp art-127
high Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp art-130
crit Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign art-139
crit The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) art-143
high Multiple redhat-cloud-services npm Packages compromised art-144
crit Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor art-150
crit Malicious npm packages abuse dependency confusion to profile developer environments art-161
high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183
high What MDM can't protect on developer machines (and what to do about it) art-186
crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187
crit ESET APT Activity Report Q4 2025–Q1 2026 art-189
med Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years art-190
crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193
crit BTMOB: A stealthy RAT burrowing deep into Android devices art-209
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218
crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219
med Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise art-220
crit The Wild West of VS Code extensions and how a poisoned extension breached GitHub art-236
crit Tracking TamperedChef Clusters via Certificate and Code Reuse art-237
crit Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages art-267
crit Active Supply Chain Attack: Malicious node-ipc Versions Published to npm art-269
crit Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account art-270
high Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files art-281
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309
crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316
crit TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack art-318
crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322
crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Sco art-333
crit Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools art-335
crit lightning PyPI Compromise: A Bun-Based Credential Stealer in Python art-343
high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346
high It's time to treat browser extensions like supply chain attack vectors art-354
high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm art-361
crit New NGate variant hides in a trojanized NFC payment app art-369
crit What the ransom note won’t say art-370
high Aikido Attack finds multiple 0-days in Hoppscotch art-406
high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408
crit TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package art-413
high Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT art-420
crit litellm: Credential Stealer Hidden in PyPI Wheel art-423
high A cunning predator: How Silver Fox preys on Japanese firms this tax season art-426
high CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem art-429
crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443
crit EDR killers explained: Beyond the drivers art-455
crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458
crit Cyber fallout from the Iran war: What to have on your radar art-474
crit Sednit reloaded: Back in the trenches art-477
crit Protecting education: How MDR can tip the balance in favor of schools art-491
crit PlugX Meeting Invitation via MSBuild and GDATA art-503
crit SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel art-518
high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537
crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542
crit Naming and shaming: How ransomware groups tighten the screws on victims art-544
crit Another npm Supply Chain Attack: The 'is' Package Compromise art-554
high npx Confusion: Packages That Forgot to Claim Their Own Name art-578
med Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan art-593
high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594
high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605
crit ESET Threat Report H2 2025 art-647
crit Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise art-654
high SHA1-Hulud, npm supply chain incident art-686
crit Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages art-690
med Why Threat Modeling Is Now Even More Critical for AI-Native Applications art-694
crit The who, where, and how of APT attacks in Q2 2025–Q3 2025 art-714
crit ESET APT Activity Report Q2 2025–Q3 2025 art-715
crit Gotta fly: Lazarus targets the UAV sector art-734
crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736
crit Phishing Campaign Leveraging the NPM Ecosystem art-754
high Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack art-789
high npm Supply Chain Attack via Open Source maintainer compromise art-794
high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806
high Snyk Joins CISA's Secure by Design Pledge art-828
crit Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware art-837
low AI Trust in Action: How Snyk Agent Redefines Secure Development art-885
med Securing GenAI Development with Snyk art-1035
high The persistent threat: Why major vulnerabilities like Log4Shell and Spring4Shell remain significant art-1165
crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218
high Building an npm package compatible with ESM and CJS in 2024 art-1258
high Exploiting HTTP/2 CONTINUATION frames for DoS attacks art-1265
crit Snyk Learn and the NIST Cybersecurity Framework (CSF) art-1274
high Defense in Depth art-1278
crit New Year's security resolutions for 2024 from Snyk DevRel, SecRel, and friends art-1294
high Cybersecurity Venture’s 2023 Software Supply Chain Attack Report art-1362
high XS leaks: What they are and how to avoid them art-1419