MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Initial Access/ T1566

T1566Phishing

T1566 — Phishing is a MITRE ATT&CK technique in the Initial Access tactic. Clankerusecase tracks 22 detection use cases covering it and 81 threat-intel articles citing it.

Initial Access

View on the matrix → Filter Detection Library MITRE official spec ↗

22Use cases

81Articles

4Sub-techniques

1Tactic

Sub-techniques (4)

T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1566.003 · Spearphishing via Service T1566.004 · Spearphishing Voice

Use cases covering this technique (22)

CrowdStrike Falcon alert ingested Internal actions · alerting DD Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator Internal delivery · hunting DSP Gdrive suspicious file sharing ESCU actions · hunting P Gsuite suspicious calendar invite ESCU actions · hunting P Windows InProcServer32 New Outlook Form ESCU actions · hunting P Windows Phishing Outlook Drop Dll In FORM Dir ESCU actions · alerting P Zscaler Adware Activities Threat Blocked ESCU actions · hunting P Zscaler Behavior Analysis Threat Blocked ESCU actions · hunting P Zscaler CryptoMiner Downloaded Threat Blocked ESCU actions · hunting P Zscaler Employment Search Web Activity ESCU actions · hunting P Zscaler Exploit Threat Blocked ESCU actions · alerting P Zscaler Legal Liability Threat Blocked ESCU actions · hunting P Zscaler Malware Activity Threat Blocked ESCU actions · hunting P Zscaler Phishing Activity Threat Blocked ESCU actions · hunting P Zscaler Potentially Abused File Download ESCU actions · hunting P Zscaler Privacy Risk Destinations Threat Blocked ESCU actions · hunting P Zscaler Scam Destinations Threat Blocked ESCU actions · hunting P Zscaler Virus Download threat blocked ESCU actions · hunting P Suspicious Email - UBA Anomaly ESCU actions · hunting P [LLM] Inbound or outbound email involving AudiA6 mule-recruitment domains Bespoke delivery · alerting DSP [LLM] Baileys messages.upsert event carrying a requestId field (exploit signature) Bespoke actions · alerting SPDD [LLM] Roblox cheat/exploit download on enterprise endpoint (Lumma Stealer entry vector) Bespoke delivery · alerting DSΣPDDCS

Articles citing this technique (81)

high FBI disrupts massive AI-powered phishing service using a million URLs art-01

med New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server art-06

crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15

high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17

high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing art-18

med Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection art-23

high Over 400 Arch Linux packages compromised to push rootkit, infostealer art-25

high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28

crit Rethinking MDR as Attackers and Defenders Embrace AI art-30

high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator art-33

high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36

high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41

high npm v12 delivers one of the biggest security improvements in years art-46

crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48

crit [GHSA / CRITICAL] CVE-2026-48063: Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted pr art-57

high Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility art-74

crit Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues art-82

crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86

crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87

crit New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing art-89

high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer art-90

crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE art-92

high When “Hi, This Is IT” Comes Through Microsoft Teams art-98

crit One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public art-100

crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101

crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102

crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload art-103

crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107

crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108

high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114

high Reporting from Vegas: Networking, AI, and good boys art-126

crit Malicious npm packages abuse dependency confusion to profile developer environments art-161

high What MDM can't protect on developer machines (and what to do about it) art-186

crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187

crit ESET APT Activity Report Q4 2025–Q1 2026 art-189

med Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years art-190

crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193

crit BTMOB: A stealthy RAT burrowing deep into Android devices art-209

crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217

crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218

crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219

med Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise art-220

crit Kimsuky targets organizations with PebbleDash-based tools art-308

crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309

crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316

crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322

high It's time to treat browser extensions like supply chain attack vectors art-354

crit New NGate variant hides in a trojanized NFC payment app art-369

high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408

high Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT art-420

high A cunning predator: How Silver Fox preys on Japanese firms this tax season art-426

crit EDR killers explained: Beyond the drivers art-455

crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458

crit Cyber fallout from the Iran war: What to have on your radar art-474

crit Sednit reloaded: Back in the trenches art-477

crit Protecting education: How MDR can tip the balance in favor of schools art-491

crit PlugX Meeting Invitation via MSBuild and GDATA art-503

high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537

crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542

crit Naming and shaming: How ransomware groups tighten the screws on victims art-544

crit Another npm Supply Chain Attack: The 'is' Package Compromise art-554

high npx Confusion: Packages That Forgot to Claim Their Own Name art-578

high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594

high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605

crit ESET Threat Report H2 2025 art-647

crit Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise art-654

med Why Threat Modeling Is Now Even More Critical for AI-Native Applications art-694

crit ESET APT Activity Report Q2 2025–Q3 2025 art-715

crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736

crit Phishing Campaign Leveraging the NPM Ecosystem art-754

high Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack art-789

high npm Supply Chain Attack via Open Source maintainer compromise art-794

high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806

high Snyk Joins CISA's Secure by Design Pledge art-828

crit Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware art-837

crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218

crit Snyk Learn and the NIST Cybersecurity Framework (CSF) art-1274

high Defense in Depth art-1278

crit New Year's security resolutions for 2024 from Snyk DevRel, SecRel, and friends art-1294

high Cybersecurity Venture’s 2023 Software Supply Chain Attack Report art-1362

high XS leaks: What they are and how to avoid them art-1419