Skip to content

T0865 Spearphishing Attachment

Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access. 2

A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. 1

Item Value
ID T0865
Tactics TA0108
Platforms Control Server, Data Historian, Engineering Workstation, Human-Machine Interface
Version 1.1
Created 21 May 2020
Last Modified 09 March 2023

Procedure Examples

ID Name Description
G1000 ALLANITE ALLANITE utilized spear phishing to gain access into energy sector environments. 7
G0064 APT33 APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. 9 APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. 8
S0093 Backdoor.Oldrea The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails. 3
S0089 BlackEnergy BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. 4
G0032 Lazarus Group Lazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. 11 Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. 10
G0049 OilRig OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 6
G0034 Sandworm Team In the Ukraine 2015 incident, Sandworm Team sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. 5


ID Mitigation Description
M0949 Antivirus/Antimalware Deploy anti-virus on all systems that support external email.
M0931 Network Intrusion Prevention Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.
M0921 Restrict Web-Based Content Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.
M0917 User Training Users can be trained to identify social engineering techniques and spearphishing emails.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0022 File File Creation
DS0029 Network Traffic Network Traffic Content
DS0009 Process Process Creation


  1. Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08  

  2. Enterprise ATT&CK 2019, October 25 Spearphishing Attachment Retrieved. 2019/10/25  

  3. Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01  

  4. Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22  

  5. UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 2021/04/07  

  6. Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19  

  7. Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 2020/01/03  

  8. Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 2020/01/03  

  9. Jacqueline O’Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02  

  10. Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 2020/01/03  

  11. Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25  

  12. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. 

  13. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. 

  14. Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.