Skip to content

T1566.003 Spearphishing via Service

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that’s running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it’s something they were expecting. If the payload doesn’t work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

Item Value
ID T1566.003
Sub-techniques T1566.001, T1566.002, T1566.003
Tactics TA0001
Platforms Linux, Windows, macOS
Version 2.0
Created 02 March 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
G0130 Ajax Security Team Ajax Security Team has used various social media channels to spearphish victims.7
G0016 APT29 APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.3
G1012 CURIUM CURIUM has used social media to deliver malicious files to victims.8
G0070 Dark Caracal Dark Caracal spearphished victims via Facebook and Whatsapp.5
G1011 EXOTIC LILY EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.4
G0037 FIN6 FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.6
G0032 Lazarus Group Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.12
G0059 Magic Hound Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.91011
G0049 OilRig OilRig has used LinkedIn to send spearphishing links.2
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.1413
G0112 Windshift Windshift has used fake personas on social media to engage and target victims.1


ID Mitigation Description
M1049 Antivirus/Antimalware Anti-virus can also automatically quarantine suspicious files.
M1021 Restrict Web-Based Content Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
M1017 User Training Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0029 Network Traffic Network Traffic Content


  1. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020. 

  2. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

  3. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. 

  4. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  5. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  6. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  7. Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020. 

  8. Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018. 

  9. Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020. 

  10. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021. 

  11. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021. 

  12. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  13. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.