Phishing is the broadest and most enduring social engineering technique in the ATT&CK framework. It encompasses everything from mass malspam campaigns distributing commodity malware to surgically targeted spearphishing operations crafted for a single individual. What unites every variant is the same core mechanic: the attacker manipulates a human into performing an action that compromises security — clicking a link, opening an attachment, providing credentials, or following instructions over the phone.
The technique has evolved significantly. Modern phishing campaigns exploit trusted cloud services (SharePoint, OneDrive, Google Drive) for payload delivery, use adversary-in-the-middle (AiTM) proxies to intercept sessions in real time, deploy QR codes to redirect victims from secured corporate endpoints to unprotected mobile devices, and leverage AI-generated voice deepfakes for vishing attacks. The sophistication gap between nation-state operations and criminal campaigns continues to narrow.
How Phishing Works
The phishing attack chain follows a consistent pattern regardless of the specific delivery mechanism. The adversary conducts reconnaissance on the target — harvesting names, roles, email addresses, organizational structure, current projects, and business relationships from LinkedIn, corporate websites, SEC filings, and social media. This information shapes the pretext: the scenario the attacker constructs to make the phishing message believable.
The adversary then crafts and delivers the message. This could be an email with a malicious attachment disguised as an invoice, a link to a credential harvesting page mimicking a corporate login portal, a voice call impersonating the IT help desk, or a QR code embedded in what appears to be a routine internal communication. The message is designed to bypass both technical controls (email gateways, URL filters) and human judgment (urgency, authority, trust).
When the target takes the intended action, the adversary gains what they need — credentials that unlock the door (leading to T1078 Valid Accounts), a foothold through malware execution, or direct access granted by the victim under social pressure. The speed at which the attacker moves after the phish determines whether the intrusion remains a single compromised account or escalates into a full environment breach.
Sub-Techniques
T1566.001 — Spearphishing Attachment
The adversary sends a targeted email with a malicious file attached — typically a weaponized Office document with embedded macros, a PDF with an exploit, an ISO or IMG disk image containing an executable, or a compressed archive with a disguised payload. The attachment executes malicious code when the victim opens it, establishing a foothold on the target system. This sub-technique requires the victim to deliberately open the file, which is why the pretext and social engineering component are critical to success.
Threat actors have adapted to Microsoft's decision to block macros in documents from the internet by default. Modern campaigns increasingly use OneNote files with embedded scripts, ISO/IMG disk images that bypass Mark-of-the-Web protections, and LNK shortcut files that execute PowerShell commands. The shift away from macro-based attacks has not reduced attachment phishing — it has diversified the file types used.
T1566.002 — Spearphishing Link
Instead of an attachment, the adversary includes a link that directs the victim to a malicious destination. This could be a credential harvesting page that clones a legitimate login portal, a site hosting a drive-by download exploit, or a legitimate cloud service (Google Drive, Dropbox, SharePoint) that has been weaponized to host the payload. Link-based phishing is harder for email gateways to block because the link may point to a legitimate domain at the time of delivery, with the malicious content only activated after the email passes inspection.
AiTM phishing attacks represent the most dangerous evolution of this sub-technique. The attacker deploys a transparent reverse proxy between the victim and the real login page. The victim authenticates normally — including completing MFA — and the proxy captures the authenticated session cookie. The attacker replays that cookie to access the account without ever needing the password or MFA token. This technique has been used at scale against Microsoft 365 environments.
Related: AiTM vs. MiTM — Understanding the Attack That Breaks MFA
T1566.003 — Spearphishing via Service
The adversary delivers the phishing message through a third-party service rather than corporate email — social media direct messages, collaboration platforms (Slack, Teams, Discord), job recruitment sites (LinkedIn), or other trusted communication channels. This vector exploits the trust users place in these platforms and often bypasses corporate email security controls entirely because the message never passes through the organization's mail gateway.
A 2024 report from Abnormal Security documented a 350% increase in phishing attacks leveraging file-sharing services, with threat actors hosting malicious content on platforms like Google Drive, Dropbox, and OneDrive that are typically whitelisted by security tools.
T1566.004 — Spearphishing Voice (Vishing)
The adversary uses phone calls or voice messages to socially engineer the victim into providing credentials, installing remote access tools, or performing actions that compromise security. Vishing is effective because it creates real-time pressure — the victim cannot pause to analyze a voice call the way they might scrutinize an email. The caller often impersonates IT support, a manager, a vendor, or law enforcement.
Vishing has become a signature tactic for several high-profile threat groups. Scattered Spider routinely calls IT help desks to request password resets and MFA device enrollments for privileged accounts. The ShinyHunters group used a single vishing call to compromise Figure Technology Solutions, bypassing MFA in real time and ultimately accessing nearly one million customer records.
Related: Your Blockchain Bank Got Hacked by a Phone Call — The Figure Data Breach
AI-generated voice deepfakes are making vishing harder to detect. In January 2026, the FBI issued a FLASH alert warning that threat actors are using cloned voices of executives and IT personnel to add credibility to vishing calls targeting corporate environments.
Real-World Case Studies
Kimsuky QR Code Phishing (January 2026)
North Korea's Kimsuky group (APT43) was documented by the FBI targeting U.S. think tanks and academic institutions with spearphishing emails containing malicious QR codes. The QR codes redirected victims from secured corporate endpoints to less-protected mobile devices, where credential harvesting pages captured login credentials. This technique exploits the gap between enterprise email security (which scans links and attachments) and mobile device security (which is typically less rigorous), bypassing corporate email filtering by moving the attack surface to the victim's phone.
AiTM Campaigns Against Microsoft 365
Large-scale AiTM phishing campaigns have targeted Microsoft 365 environments across financial services, healthcare, and government sectors. The attacker sends a phishing email containing a link to a transparent proxy server. When the victim clicks the link and authenticates — including completing MFA via push notification, SMS, or authenticator app — the proxy captures the session cookie. The attacker uses this cookie to access the victim's mailbox, harvest additional credentials, and launch secondary phishing campaigns from the compromised account (a technique known as business email compromise). Because the attacker holds a valid authenticated session, MFA provides no protection after the initial token is stolen.
Royal Ransomware Callback Phishing
Royal ransomware operators pioneered a callback phishing approach where the initial email contains no malicious links or attachments — only a phone number. The email impersonates a subscription service (often claiming to be a streaming platform or software vendor) and states that a charge is about to be billed. When the victim calls the number, a social engineer instructs them to install legitimate remote access software (AnyDesk, ConnectWise) to "resolve" the billing issue. The installed RMM tool gives the attacker direct access to the victim's system. This approach bypasses every email security control because the email itself contains nothing malicious.
Scattered Spider IT Help Desk Vishing
Scattered Spider (UNC3944) has repeatedly compromised major enterprises by calling IT help desks and impersonating employees. Using information gathered from LinkedIn and social media, the callers provide enough personal details to pass identity verification, then request password resets and new MFA device enrollments. This social engineering approach was central to the attacks on MGM Resorts and Caesars Entertainment, where the group gained domain admin credentials and ultimately deployed ransomware.
Detection Strategies
Phishing detection spans two domains: preventing the message from reaching the target (pre-delivery), and identifying when a phishing attack has succeeded (post-delivery). Post-delivery detection is critical because no email gateway catches everything.
Email Header and Authentication Analysis
| Check | What to Look For |
|---|---|
| SPF | Sender Policy Framework validation failure — the sending IP is not authorized for the domain in the From header |
| DKIM | DomainKeys Identified Mail signature mismatch — the email content was modified in transit or the signature is invalid |
| DMARC | Domain-based Message Authentication alignment failure — SPF or DKIM does not align with the From domain |
| Reply-To | Reply-To address differs from the From address — a common indicator of phishing where the attacker wants replies directed elsewhere |
| X-Originating-IP | Sending IP resolves to a VPS provider, residential proxy, or Tor exit node rather than the expected mail infrastructure |
| Received | Hop chain shows routing through unexpected mail servers, foreign infrastructure, or known phishing relay networks |
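The checks in the table above can be scripted against a raw message. The following Python is an added example written for this page, not code from the original article: it parses the headers of a constructed sample message (the SPF failure, unaligned DKIM domain, foreign Reply-To and VPS-originated first hop are all made up for illustration), reads the mail server's `Authentication-Results` verdicts, applies a simplified relaxed-alignment rule, and compares the earliest `Received` hop against an assumed set of legitimate origin hosts (`EXPECTED_ORIGIN_HOSTS`).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real capture). The From header claims the
# target's own domain, SPF fails, the DKIM signature belongs to an unrelated
# domain, Reply-To points elsewhere, and the earliest hop is a VPS host.
SAMPLE_MESSAGE = """\
Received: from mail.example-corp.com (mail.example-corp.com [203.0.113.10]) by mx.example-corp.com; Mon, 12 Jan 2026 09:14:02 +0000
Received: from vps-host.example.net (vps-host.example.net [198.51.100.7]) by mail.example-corp.com; Mon, 12 Jan 2026 09:14:01 +0000
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example.net; dkim=pass header.d=example.net; dmarc=fail header.from=example-corp.com
From: "IT Help Desk" <helpdesk@example-corp.com>
Reply-To: helpdesk-support@example.org
To: alice@example-corp.com
Subject: Action required: password expiry

Your password expires today. Reply to this message to keep your account active.
"""

# Hosts that legitimately originate mail for the organisation (assumed values).
EXPECTED_ORIGIN_HOSTS = {"mail.example-corp.com", "mx.example-corp.com"}


def domain_of(header_value):
    """Lower-cased domain of an address header, or None when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def aligned(domain, from_domain):
    """Simplified relaxed DMARC alignment: equal, or one is a subdomain of the
    other. Real DMARC compares organisational domains via the public suffix list."""
    if not domain or not from_domain:
        return False
    return (domain == from_domain
            or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))


def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts and the domains they were evaluated for."""
    value = value or ""
    out = {m: None for m in ("spf", "dkim", "dmarc")}
    for method in out:
        found = re.search(rf"\b{method}=(\w+)", value)
        if found:
            out[method] = found.group(1).lower()
    found = re.search(r"header\.d=([\w.-]+)", value)
    out["dkim_domain"] = found.group(1).lower() if found else None
    found = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", value)
    out["spf_domain"] = found.group(1).lower() if found else None
    return out


def origin_host(msg):
    """The earliest Received hop (last header in the list) is where the message entered the chain."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    found = re.match(r"\s*from\s+([\w.-]+)", hops[-1])
    return found.group(1).lower() if found else None


def analyze_headers(raw_message):
    """Apply the header checks and return the verdicts plus a list of findings."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    auth = parse_auth_results(msg["Authentication-Results"])
    origin = origin_host(msg)
    findings = []

    if auth["spf"] != "pass":
        findings.append(f"SPF {auth['spf'] or 'missing'}: sending host not authorised for "
                        f"{auth['spf_domain'] or from_domain}")
    dkim_aligned = aligned(auth["dkim_domain"], from_domain)
    if auth["dkim"] != "pass":
        findings.append(f"DKIM {auth['dkim'] or 'missing'}: signature invalid or content altered")
    elif not dkim_aligned:
        findings.append(f"DKIM passed for {auth['dkim_domain']} but From domain is {from_domain} (no alignment)")
    if auth["dmarc"] != "pass":
        findings.append(f"DMARC {auth['dmarc'] or 'missing'} for From domain {from_domain}")
    reply_mismatch = bool(reply_domain and reply_domain != from_domain)
    if reply_mismatch:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    origin_expected = origin in EXPECTED_ORIGIN_HOSTS
    if origin and not origin_expected:
        findings.append(f"earliest hop {origin} is outside the expected mail infrastructure")

    return {**auth, "from_domain": from_domain, "reply_to_mismatch": reply_mismatch,
            "dkim_aligned": dkim_aligned, "origin_host": origin,
            "origin_expected": origin_expected, "findings": findings}


if __name__ == "__main__":
    for line in analyze_headers(SAMPLE_MESSAGE)["findings"]:
        print("-", line)
```

Trusting `Authentication-Results` only makes sense for the header added by your own boundary MX (the script reads the first one it finds); an attacker can prepend a forged copy, so a production version should verify the `authserv-id` at the start of the header and strip any copies that arrived from outside.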
Post-Delivery Detection Queries
```spl
# Detect successful phishing: user clicks link then immediately
# authenticates from an unusual location or device
# Correlate URL click events with subsequent authentication anomalies
# (the user field is normalised across the two sourcetypes, and src_ip is
# dropped from the stats grouping so xyseries yields one row per user)
index=o365 OR index=azure_signin
| eval event_type=case(
    sourcetype="o365:management:activity" AND Operation="UrlClickedEvent", "click",
    sourcetype="azure:signin", "auth"
  )
| where isnotnull(event_type)
| eval user=coalesce(user, UserId, userPrincipalName)
| stats earliest(_time) as event_time by user, event_type
| xyseries user event_type event_time
| where isnotnull(click) AND isnotnull(auth)
| eval delta_seconds = auth - click
| where delta_seconds > 0 AND delta_seconds < 300
```

```spl
# Detect inbox rule creation post-compromise
# Attackers often create mail rules to hide evidence of compromise
# by forwarding or deleting security notifications
index=o365 sourcetype="o365:management:activity"
  (Operation="New-InboxRule" OR Operation="Set-InboxRule")
| search Parameters.DeleteMessage=True
    OR Parameters.MoveToFolder="RSS Feeds"
    OR Parameters.ForwardTo=*
| table _time, UserId, ClientIP, Parameters.Name,
    Parameters.ForwardTo, Parameters.DeleteMessage
```

```spl
# Detect suspicious OAuth consent grants
# AiTM attacks often result in malicious app consent for persistent access
# (_time does not survive stats, so the latest consent time is kept explicitly for sorting)
index=azure_audit Category="ApplicationManagement"
  OperationName="Consent to application"
| stats count, latest(_time) as last_consent by InitiatedBy.user.userPrincipalName,
    TargetResources{}.displayName, TargetResources{}.modifiedProperties{}
| where count=1
| sort -last_consent
```
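To show what the first two queries actually compute, here is the same correlation logic as an added Python example (not code from the original article) run over a handful of constructed events that mimic the relevant fields: a URL click, a later sign-in, and a `New-InboxRule` with the parameters the queries look for. It extends the SPL in one labelled respect: the sign-in is only flagged when it comes from a different source IP than the click, which is how a proxy replaying a captured session appears in the logs. The single-character rule-name heuristic is also an assumption added here.

```python
from datetime import datetime, timedelta

# Constructed sample events, modelled on the fields the queries above key on
# (UrlClickedEvent, Entra ID sign-ins, New-InboxRule parameters). Not real log data.
EVENTS = [
    {"time": "2026-01-12T09:15:10", "type": "click", "user": "alice@example-corp.com",
     "src_ip": "203.0.113.10", "url": "https://files.example.net/share/login"},
    {"time": "2026-01-12T09:17:45", "type": "auth", "user": "alice@example-corp.com",
     "src_ip": "198.51.100.7", "result": "success"},
    {"time": "2026-01-12T09:20:02", "type": "inbox_rule", "user": "alice@example-corp.com",
     "src_ip": "198.51.100.7",
     "params": {"Name": ".", "MoveToFolder": "RSS Feeds", "DeleteMessage": False, "ForwardTo": None}},
    {"time": "2026-01-12T10:02:00", "type": "click", "user": "bob@example-corp.com",
     "src_ip": "203.0.113.11", "url": "https://intranet.example-corp.com/policy.pdf"},
    {"time": "2026-01-12T10:40:00", "type": "auth", "user": "bob@example-corp.com",
     "src_ip": "203.0.113.11", "result": "success"},
    {"time": "2026-01-12T11:00:00", "type": "inbox_rule", "user": "bob@example-corp.com",
     "src_ip": "203.0.113.11",
     "params": {"Name": "Newsletters", "MoveToFolder": "Newsletters", "DeleteMessage": False, "ForwardTo": None}},
]

CLICK_TO_AUTH_WINDOW = timedelta(seconds=300)   # same 300 s window as the query
HIDING_FOLDERS = {"rss feeds"}                  # folder users rarely open (from the query)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate_click_to_auth(events, window=CLICK_TO_AUTH_WINDOW):
    """Pair each user's earliest URL click with the first sign-in that follows it
    inside the window. Added condition beyond the SPL: the sign-in must come from
    a different source IP than the click (a proxy replaying the captured session)."""
    hits, first_click, done = [], {}, set()
    for e in sorted(events, key=_ts):
        user = e["user"]
        if e["type"] == "click":
            first_click.setdefault(user, e)
        elif e["type"] == "auth" and user in first_click and user not in done:
            click = first_click[user]
            delta = _ts(e) - _ts(click)
            if timedelta(0) < delta < window and e["src_ip"] != click["src_ip"]:
                hits.append({"user": user, "delta_seconds": int(delta.total_seconds()),
                             "click_ip": click["src_ip"], "auth_ip": e["src_ip"], "url": click["url"]})
                done.add(user)
    return hits


def flag_inbox_rules(events):
    """Inbox rules that delete, forward, or bury mail. The one-character-name
    heuristic is an assumption added here, not something the queries above check."""
    flagged = []
    for e in events:
        if e["type"] != "inbox_rule":
            continue
        p, reasons = e["params"], []
        if p.get("DeleteMessage"):
            reasons.append("deletes messages")
        if (p.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
            reasons.append(f"moves mail to {p['MoveToFolder']}")
        if p.get("ForwardTo"):
            reasons.append(f"forwards to {p['ForwardTo']}")
        if len(p.get("Name") or "") <= 1:
            reasons.append("single-character rule name")
        if reasons:
            flagged.append({"user": e["user"], "rule": p.get("Name"),
                            "src_ip": e["src_ip"], "reasons": reasons})
    return flagged


def triage(events):
    """Users with both a suspicious click-to-auth pair and a hiding rule go first."""
    auth_users = {h["user"] for h in correlate_click_to_auth(events)}
    rule_users = {r["user"] for r in flag_inbox_rules(events)}
    return {"high": sorted(auth_users & rule_users), "medium": sorted(auth_users ^ rule_users)}


if __name__ == "__main__":
    print(triage(EVENTS))
```

In the sample, Alice clicks from the corporate range and authenticates 155 seconds later from an unrelated address, then a rule named "." starts moving mail into RSS Feeds; Bob's click-to-sign-in gap is 38 minutes from the same IP and his rule is benign, so only Alice surfaces.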
Vishing attacks leave no email artifacts. Detection relies on monitoring for anomalous help desk activity — password resets for privileged accounts, MFA device enrollments outside normal patterns, and new remote access tool installations following inbound calls to the help desk. Logging all help desk identity verification attempts with timestamps enables retroactive investigation.
Known Threat Actors
T1566 is used by the broadest range of threat actors of nearly any ATT&CK technique — from commodity malware operators running mass campaigns to the most sophisticated nation-state groups conducting targeted espionage. The following groups are documented by MITRE and commercial threat intelligence as relying on phishing as a primary initial access method:
- Kimsuky / APT43 (North Korea) — Spearphishing with QR codes, credential harvesting pages, and malicious attachments targeting think tanks, academia, and government
- APT42 (Iran) — Highly targeted spearphishing campaigns against journalists, activists, and policy researchers with credential harvesting and surveillance malware
- APT29 / Nobelium (Russia) — Sophisticated spearphishing using compromised legitimate email accounts and trusted cloud services for payload delivery
- APT28 / Fancy Bear (Russia) — Spearphishing with weaponized documents and credential harvesting targeting government and defense sectors
- Scattered Spider / UNC3944 — Vishing and SMS phishing (smishing) targeting IT help desks for credential and MFA reset attacks
- Royal / BlackSuit Ransomware — Callback phishing campaigns that use phone-based social engineering to install remote access tools
- Emotet — Thread hijacking phishing where the malware replies to existing email conversations with malicious attachments, exploiting established trust
- INC Ransom — Spearphishing with malicious attachments for initial access in ransomware operations
- FIN4 — Spearphishing targeting financial sector personnel to hijack email communications for insider trading intelligence
Defensive Recommendations
- Implement and enforce DMARC with a reject policy: Configure SPF, DKIM, and DMARC for all organizational domains. A DMARC policy of `p=reject` instructs receiving mail servers to block messages that fail authentication alignment, preventing domain spoofing at the protocol level.
- Deploy phishing-resistant MFA: FIDO2 security keys and certificate-based authentication are not vulnerable to AiTM session hijacking because the authentication is bound to the legitimate origin. Push notifications, SMS codes, and TOTP tokens can all be intercepted by proxy-based attacks.
- Enable Safe Links and Safe Attachments (or equivalent): Time-of-click URL rewriting and sandbox detonation of attachments catch threats that were clean at delivery but weaponized afterward. This is critical for defeating delayed-detonation phishing campaigns.
- Restrict OAuth app consent: Configure Azure AD / Entra ID to require admin approval for third-party application consent. AiTM attackers frequently register malicious OAuth apps for persistent access that survives password resets.
- Implement Conditional Access policies: Require compliant devices, restrict authentication to known locations and IP ranges, and block legacy authentication protocols that do not support MFA.
- Harden the help desk against vishing: Require multi-factor identity verification for password resets and MFA device changes — not just knowledge-based questions. Log all verification attempts. Flag and investigate reset requests for privileged accounts.
- Train users with simulated phishing: Regular phishing simulations calibrated to current threat actor techniques (QR codes, callback phishing, file-sharing lures) build recognition without creating a blame culture. Focus metrics on reporting rates, not click rates.
- Monitor for post-compromise indicators: Inbox rule creation, mail forwarding changes, OAuth app consent grants, and unusual sign-in patterns are more reliable indicators of successful phishing than attempting to detect the phishing message itself.
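The "bound to the legitimate origin" property behind the phishing-resistant MFA recommendation is worth seeing concretely. The Python below is an added illustration, not code from the original article or from any WebAuthn library: a toy authenticator signs with HMAC-SHA256 in place of a real ES256 key pair, and the relying party ID and origins (`login.example-corp.com` and a constructed proxy hostname) are assumed values. What it reproduces faithfully is the two checks that defeat an AiTM proxy: the browser only releases an assertion when the page's domain falls under the credential's RP ID, and the relying party verifies that the origin embedded in `clientDataJSON` (which the browser, not the page, fills in) is its own.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

RP_ID = "login.example-corp.com"                                  # assumed relying party ID
RP_ORIGIN = "https://login.example-corp.com"
PROXY_ORIGIN = "https://login.example-corp.com.example-proxy.net"  # constructed AiTM proxy origin


class ToyAuthenticator:
    """Stand-in for a FIDO2 authenticator. Real devices hold a per-RP key pair;
    HMAC with a secret is used here only so the example runs without extra libraries."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def get_assertion(self, rp_id, origin, challenge):
        """Browser + authenticator side. The browser refuses to use the credential
        unless the page's effective domain is the RP ID or a subdomain of it, and it
        writes the origin it actually sees into clientDataJSON."""
        host = urlsplit(origin).hostname or ""
        if host != rp_id and not host.endswith("." + rp_id):
            raise PermissionError(f"origin {origin} is not within RP ID {rp_id}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "signature": hmac.new(self.key, signed, hashlib.sha256).digest()}


def verify_assertion(authenticator_key, assertion, expected_origin, rp_id, challenge):
    """Relying-party side: type, challenge, origin and rpIdHash must all match before
    the signature is even checked. Returns (ok, reason)."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != challenge:
        return False, "challenge mismatch"
    if client.get("origin") != expected_origin:
        return False, f"origin {client.get('origin')} rejected"
    if assertion["auth_data"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(authenticator_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(authn):
    """User is on the real site: assertion is produced and verifies."""
    challenge = secrets.token_urlsafe(32)
    assertion = authn.get_assertion(RP_ID, RP_ORIGIN, challenge)
    return verify_assertion(authn.key, assertion, RP_ORIGIN, RP_ID, challenge)


def aitm_attempt(authn):
    """User is on the proxy origin; the proxy relays the real site's challenge and
    RP ID. The browser-side RP ID check stops the ceremony before anything is signed."""
    challenge = secrets.token_urlsafe(32)
    try:
        assertion = authn.get_assertion(RP_ID, PROXY_ORIGIN, challenge)
    except PermissionError as err:
        return False, str(err)
    return verify_assertion(authn.key, assertion, RP_ORIGIN, RP_ID, challenge)


def proxy_as_own_rp(authn):
    """Proxy instead asks for an assertion under its own hostname as RP ID. The browser
    allows that, but the origin inside clientDataJSON is the proxy's, so the real RP
    rejects it (in reality the credential would not even exist for that RP ID)."""
    challenge = secrets.token_urlsafe(32)
    proxy_host = urlsplit(PROXY_ORIGIN).hostname
    assertion = authn.get_assertion(proxy_host, PROXY_ORIGIN, challenge)
    return verify_assertion(authn.key, assertion, RP_ORIGIN, RP_ID, challenge)


if __name__ == "__main__":
    device = ToyAuthenticator()
    print("legitimate:", legitimate_login(device))
    print("aitm relay:", aitm_attempt(device))
    print("proxy as rp:", proxy_as_own_rp(device))
```

Contrast this with a TOTP code or push approval, which carries no notion of where the user typed it: the proxy forwards it unchanged and the real site accepts it. A FIDO2 assertion cannot be forwarded because the origin and RP ID hash are part of what is signed.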
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1566 |
| Technique Name | Phishing |
| Tactic | Initial Access |
| Platforms | Windows, Linux, macOS, Identity Provider, Office Suite, SaaS, Google Workspace |
| Sub-Techniques | T1566.001 Spearphishing Attachment, T1566.002 Spearphishing Link, T1566.003 Spearphishing via Service, T1566.004 Spearphishing Voice |
| Data Sources | Application Log (Mail Server), Network Traffic (Content, Flow), File (Creation) |
| Mitigations | User Training, Software Configuration (email authentication), Antivirus/Antimalware, Network Intrusion Prevention |
| MITRE Reference | attack.mitre.org/techniques/T1566 |
Sources and References
- MITRE ATT&CK — T1566 Phishing: attack.mitre.org
- Verizon — 2025 Data Breach Investigations Report: verizon.com
- IBM — Cost of a Data Breach Report 2025: ibm.com
- FBI — FLASH Alert on Kimsuky QR Code Phishing (January 2026): ic3.gov
- Abnormal Security — File-Sharing Phishing Report (2024): abnormalsecurity.com