This site has been deprecated in favor of and will remain in place until 11/1/22.

Spearphishing Attachment



ID: T0865
Tactic: Initial Access
Data Sources: Application Log: Application Log Content; Network Traffic: Network Traffic Content
Asset: Engineering Workstation, Human-Machine Interface, Control Server, Data Historian


Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.1

A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 targeted oil and natural gas (ONG) organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments.2

Procedure Examples

  • ALLANITE utilized spear phishing to gain access into energy sector environments.3
  • APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.4 APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies.5
  • Dragonfly 2.0 used the Phishery tool kit to conduct spearphishing attacks and gather credentials.6,7 Dragonfly 2.0 conducted a targeted spearphishing campaign against multiple electric utilities in North America.8,9
  • Dragonfly conducted a targeted phishing campaign against energy sector executives and senior personnel. Deceptive subject lines were used to convey high importance. Malicious PDFs were then used to infect the user's device.10
  • HEXANE has used malicious documents to drop malware and gain access into an environment.11
  • Lazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads.12 Highly targeted spearphishing campaigns have been conducted against a U.S. electric grid company.13
  • OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments.14
  • In the Ukraine 2015 incident, Sandworm Team sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems.15
  • The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails.16
  • BlackEnergy targeted energy sector organizations in a wide-reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word document attachments.17

Mitigations

  • Network Intrusion Prevention - Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block this activity.
  • Restrict Web-Based Content - Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.
  • User Training - Users can be trained to identify social engineering techniques and spearphishing emails.
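The procedure examples above name the attachment types this technique actually arrives as (macro-enabled Word and Excel documents, HTML application files, executables, PDFs), and the first mitigation calls for a system that scans and removes such attachments. The script below is an added example, not MITRE's code or any vendor's product: it parses a raw e-mail, sniffs each attachment's real type from its magic bytes rather than trusting the file name, and flags directly executable types, OOXML and legacy OLE documents that carry a VBA project, PDFs that use active features, and name/content mismatches such as an executable named as a PDF. The blocklists, the choice of PDF keywords, the UTF-16LE `_VBA_PROJECT` heuristic, and the sample message with its sender, recipient and attachments are all assumptions constructed for the example.

```python
"""Triage e-mail attachments the way a gateway that scans and removes malicious
attachments would. Added example, not MITRE's code: the rules below are
assumptions about what an ICS mail gateway should block, and the sample
message is constructed here, not captured from any real campaign."""
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: file types that execute directly when opened from a mail client.
DIRECT_EXEC_EXT = {".exe", ".scr", ".hta", ".js", ".jse", ".vbs", ".vbe",
                   ".ps1", ".cmd", ".bat", ".lnk", ".msi"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = [(b"MZ", "pe"), (b"PK\x03\x04", "zip"), (OLE_MAGIC, "ole"), (b"%PDF", "pdf")]
# Extensions under which each sniffed content type legitimately appears.
EXPECTED_EXT = {"pe": {".exe", ".scr", ".dll"},
                "zip": {".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"},
                "ole": {".doc", ".xls", ".ppt", ".msi"}, "pdf": {".pdf"}}
PDF_RISKY = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the name the sender chose."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment (empty list = clean)."""
    stem, ext = os.path.splitext(filename.lower())
    kind = sniff(data)
    findings = []
    if ext in DIRECT_EXEC_EXT:
        findings.append(f"directly executable type {ext}")
    if os.path.splitext(stem)[1] in DECOY_EXT:           # e.g. invoice.pdf.exe
        findings.append("double extension hides the real type")
    if ext in MACRO_EXT:
        findings.append(f"macro-enabled Office type {ext}")
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        findings.append(f"content is {kind} but name says {ext or 'no extension'}")
    if kind == "zip":                                      # OOXML: macros live in vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    findings.append("OOXML package contains a VBA project")
        except zipfile.BadZipFile:
            findings.append("zip magic but archive does not parse")
    # Heuristic for legacy OLE documents: directory stream names are stored UTF-16LE.
    if kind == "ole" and "_VBA_PROJECT".encode("utf-16-le") in data:
        findings.append("OLE document contains a VBA project")
    if kind == "pdf":
        keys = sorted({m.decode() for m in PDF_RISKY.findall(data)})
        if keys:
            findings.append("PDF uses active features: " + ", ".join(keys))
    return findings


def triage_message(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and inspect every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report.append({"filename": filename, "declared_type": part.get_content_type(),
                       "sniffed_type": sniff(data), "findings": inspect_attachment(filename, data)})
    return report


def build_sample_eml() -> bytes:
    """Constructed sample (not a real capture): one benign and four suspicious attachments."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as z:              # minimal .xlsm-like package
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    msg = EmailMessage()
    msg["From"] = "hr@example.com"                          # assumed addresses
    msg["To"] = "operator@plant.example"
    msg["Subject"] = "URGENT: updated shift roster"
    msg.set_content("Please open the attached roster before your next shift.")
    msg.add_attachment("Shift change notes.", filename="notes.txt")
    msg.add_attachment(macro_doc.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="roster.xlsm")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")  # PE disguised as a PDF
    msg.add_attachment(b"<html><head><hta:application id='x'/></head></html>",
                       maintype="application", subtype="hta", filename="update.hta")
    msg.add_attachment(b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (1) >> >> endobj\n",
                       maintype="application", subtype="pdf", filename="safety_notice.pdf")
    return bytes(msg)


def triage_sample() -> dict[str, list[str]]:
    """Run the triage over the constructed sample, keyed by attachment name."""
    return {e["filename"]: e["findings"] for e in triage_message(build_sample_eml())}


if __name__ == "__main__":
    for entry in triage_message(build_sample_eml()):
        verdict = "BLOCK" if entry["findings"] else "allow"
        print(f"{verdict:5} {entry['filename']:18} {entry['sniffed_type']:8} {'; '.join(entry['findings'])}")
```

Two design points matter for a control on a process network. First, every decision is made on decoded bytes, never on the declared Content-Type or the file name, because both are chosen by the sender; the `invoice.pdf` case shows why. Second, the output is a list of findings rather than a single boolean, so a gateway can log the reason it stripped an attachment to the application log, which is exactly the Application Log Content data source this technique lists for detection.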