T1566.001 is a sub-technique of T1566 (Phishing) and sits exclusively within the Initial Access tactic. Where generic phishing casts a wide net, spearphishing is surgical: the adversary has conducted reconnaissance on the target, understands their role and context, and crafts a lure that feels credible enough to act on. The attachment is the delivery vehicle, and execution depends on the target opening it — typically through T1204 (User Execution).
The technique has been a fixture of advanced persistent threat operations for well over a decade and remains heavily used in 2025 because it scales, evades many automated defenses, and exploits a vulnerability that patches cannot fix: human judgment under pressure. The MITRE ATT&CK entry for T1566.001 lists over one hundred threat groups and campaigns that have leveraged it, spanning government espionage, critical infrastructure attacks, ransomware delivery, and financial crime.
How Spearphishing Attachment Works
The attack chain begins well before the email is sent. The adversary collects targeting information — job title, organizational role, recent projects, trusted colleagues and vendors — through open-source intelligence, prior breaches, or reconnaissance infrastructure. This intelligence shapes both the lure content and the choice of attachment format.
The attachment itself can take several forms, each with different execution paths. Macro-enabled Office documents (.docm, .xlsm) were the dominant vehicle for years, relying on victims enabling macros or on weaknesses in macro execution policy. Microsoft's 2022 decision to block macros by default in files downloaded from the internet forced adversaries to adapt, leading to a marked shift toward ISO images, .lnk files, and HTML smuggling techniques that bypass the Mark of the Web (MotW) attribute. PDF files with embedded JavaScript or exploit code targeting reader vulnerabilities remain common, particularly when the adversary wants to appear more professional. Archives (ZIP, RAR, 7z) serve two purposes: they can contain executables or scripts, and when password-protected, they prevent automated email gateway inspection of the contents. Executables with spoofed icons and double extensions (e.g., Invoice.pdf.exe) exploit the Windows default behavior of hiding known file extensions, so the user sees only "Invoice.pdf".
The email body typically provides a plausible pretext: a contract requiring signature, an invoice from a known vendor, a job posting, a security alert, or urgent HR correspondence. Instructions to enable macros, enter an archive password, or disable security warnings are framed as routine steps the target must take to view the document. In more sophisticated campaigns, the lure references specific real-world events, names colleagues, or spoofs a sender address within the target's own organization.
Microsoft's 2022 block on macros in internet-sourced Office files significantly reduced one delivery vector, but adversaries responded with container formats (ISO, VHD) that strip MotW from enclosed files, and with LNK-based loaders. Defenders should not assume macro restrictions alone close this technique.
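As an added example (not code from the original page or from MITRE), the following Python function applies the filename heuristics described in this section to an attachment name and, optionally, the email body: it finds the real (last) extension, flags container formats, shortcuts, macro-capable Office types and executables, treats a decoy extension in front of the real one as spoofing, and escalates an archive when the email body supplies its password. The extension groups and the password-hint pattern are assumptions chosen to match the formats discussed above, not any vendor's rule set.

```python
import re
from dataclasses import dataclass, field

# Extension groups drawn from the delivery formats discussed above (assumed lists, tune locally).
CONTAINER_EXTS = {"iso", "img", "vhd", "vhdx"}      # mount as a drive; enclosed files lose MotW
SHORTCUT_EXTS = {"lnk"}
MACRO_OFFICE_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
LEGACY_OFFICE_EXTS = {"doc", "xls", "ppt", "rtf"}   # binary formats; can carry macros or exploits
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "wsf", "ps1"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "gz", "tgz"}
DECOY_EXTS = {"pdf", "docx", "xlsx", "pptx", "txt", "jpg", "png"}   # what a spoofed name pretends to be

# "the password is 1234" / "password: 1234" in the body defeats gateway inspection of an archive.
PASSWORD_HINT = re.compile(r"\b(password|passcode|pw)\b\s*(is|:)", re.I)


@dataclass
class Verdict:
    filename: str
    risk: str                       # "high", "medium" or "low"
    reasons: list = field(default_factory=list)


def normalise_name(filename: str) -> str:
    """Lower-case and strip all whitespace so 'Invoice.pdf .exe' and 'Invoice.pdf.exe'
    are judged identically; the padding only matters to the human reading the name."""
    return re.sub(r"\s+", "", filename.strip().lower())


def triage_attachment(filename: str, body: str = "") -> Verdict:
    """Classify an attachment by its real (last) extension and by any decoy extensions
    in front of it. `body` is the email text, used only to spot a password hint."""
    name = normalise_name(filename)
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(filename, "medium", ["no usable file extension"])
    true_ext, inner = parts[-1], parts[1:-1]
    v = Verdict(filename, "low")

    if true_ext in EXECUTABLE_EXTS:
        v.risk = "high"
        v.reasons.append(f"executable extension .{true_ext}")
    elif true_ext in CONTAINER_EXTS:
        v.risk = "high"
        v.reasons.append(f"container format .{true_ext} strips Mark of the Web from contents")
    elif true_ext in SHORTCUT_EXTS:
        v.risk = "high"
        v.reasons.append("Windows shortcut (.lnk) attachment")
    elif true_ext in MACRO_OFFICE_EXTS or true_ext in LEGACY_OFFICE_EXTS:
        v.risk = "medium"
        v.reasons.append(f"Office format .{true_ext} can carry macros")
    elif true_ext in ARCHIVE_EXTS:
        v.risk = "medium"
        v.reasons.append(f"archive .{true_ext}; contents need inspection")
        if PASSWORD_HINT.search(body):
            v.risk = "high"
            v.reasons.append("email body supplies an archive password (blocks gateway scanning)")
    elif true_ext == "pdf":
        v.reasons.append("PDF; check for embedded JavaScript in the sandbox")

    # A document-looking extension before the real one is a spoofing signal whatever the real type.
    decoys = [e for e in inner if e in DECOY_EXTS]
    if decoys and true_ext not in DECOY_EXTS:
        v.risk = "high"
        v.reasons.append(f"double extension: looks like .{decoys[-1]} but is .{true_ext}")
    return v


if __name__ == "__main__":
    # Constructed sample names, not real observed lures.
    for name, body in [("Invoice.pdf .exe", ""), ("events_calendar.xlsm", ""),
                       ("contract.zip", "The password is 2024"), ("Quarterly report.docx", "")]:
        print(triage_attachment(name, body))
```

The verdict is meant to feed a gateway policy or a SIEM enrichment step rather than to block on its own; a "high" from the double-extension branch is the one case a practitioner can act on without further inspection.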
Real-World Case Studies
Sandworm and the 2015 Ukraine Power Grid Attack
One of the most consequential uses of T1566.001 on record involved Russia-linked Sandworm Team (APT44) targeting Ukrainian energy distribution companies beginning in mid-2014. The adversaries sent spearphishing emails to utility staff with malicious Microsoft Office attachments; when opened, the documents used macros to install the BlackEnergy3 backdoor. The malware persisted on operational networks for roughly six months before Sandworm triggered simultaneous breaker openings on December 23, 2015, cutting power to approximately 230,000 customers across multiple regions. The attachment-based initial access was the first link in a chain that ended in the first publicly confirmed cyberattack to cause a physical power outage.
APT28 and Weaponized Office Lures Against Government Targets
Russia-linked APT28 (Fancy Bear) has employed T1566.001 extensively across its operations against NATO governments, defense organizations, and political targets. In a documented 2018 campaign, APT28 sent spearphishing emails spoofed to appear from a legitimate defense industry publication, attaching an Excel spreadsheet disguised as an events calendar. The document contained a macro that, when enabled by the target, changed the displayed font color to reveal apparent content while silently deploying an implant. Similar campaigns targeting European governmental organizations used RAR attachments containing exploit documents for CVE-2017-0199 and related Microsoft Office flaws. APT28 has continued refining these lures through 2024, adapting pretexts to current geopolitical events including the BRICS Summit and the ongoing conflict in Ukraine.
Lazarus Group Weaponized Documents Against Defense and Nuclear Targets
North Korea-linked Lazarus Group has sustained a multi-year campaign, tracked in part as Operation DreamJob (DeathNote), that uses spearphishing attachments disguised as job offer packages and skills assessments from credible aerospace, defense, and technology organizations. In campaigns active through 2024 and into 2025, Lazarus sent archive files containing Word documents to employees at defense contractors and nuclear-sector organizations in Brazil, Vietnam, and South Korea. Opening the documents initiated a multi-stage infection chain delivering variants of backdoors including Comebacker and CookiePlus. Kaspersky researchers confirmed that at least two employees at the same nuclear-related organization were targeted within a single month, with archive lures impersonating prominent aerospace companies including Airbus and IIT Kanpur.
Detection Strategies
Detection for T1566.001 spans the email delivery layer, the endpoint, and network telemetry. No single control is sufficient; layered visibility across all three is necessary to reliably surface this technique.
Email Gateway and Attachment Analysis
```spl
# Splunk — identify emails with high-risk attachment extensions
# Adjust field names for your mail log source (e.g. O365, Proofpoint, Mimecast)
index=email_logs
| where match(attachment_name, "(?i)\.(doc[mx]?|xls[mx]?|ppt[mx]?|pdf|iso|lnk|vhd|7z|rar|zip)$")
| eval risk=case(
    match(attachment_name, "(?i)\.(lnk|iso|vhd)$"), "high",
    match(attachment_name, "(?i)\.(doc[mx]|xls[mx]|ppt[mx])$"), "medium",
    true(), "low"
  )
| where risk="high" OR (risk="medium" AND NOT like(sender_domain, "%known-domain.com"))
| stats count by sender, recipient, attachment_name, risk
| sort - count
```
Behavioral Indicators
| Indicator | What It Means |
|---|---|
| Office application spawning cmd.exe, powershell.exe, or wscript.exe | Classic macro or exploit execution pattern; legitimate Office use rarely produces these child processes |
| PDF reader process initiating outbound network connection | Indicative of embedded JavaScript or exploit code contacting a C2 or staging server |
| Archive tool (7z, WinRAR) extracting directly to %TEMP% or %APPDATA% | Common staging behavior when an archive-based lure unpacks a payload to a writable system directory |
| File with MotW attribute absent despite having been received via email | Suggests the file was delivered inside a container format (ISO, VHD) that strips MotW from enclosed content |
| Newly created .lnk file in user-writable directory executing unusual target paths | LNK-based loaders are increasingly used as a post-macro-block delivery method |
Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) are high-value data sources for detecting post-open activity. Enriching these with parent process name and command line arguments substantially reduces false positives when hunting for Office-spawned shells.
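The behavioral indicators above, as an added example that is not part of the original page: a small Python rule set run over constructed Sysmon-style Event ID 1 (process creation) and Event ID 3 (network connection) records. It implements the parent-process rule (document application spawning a shell interpreter), the PDF-reader-to-network rule, and the command-line enrichment the paragraph above recommends for false-positive reduction. The process names, the benign-child allowlist and the suspicious-argument list are assumptions a team would tune to its own environment; the sample events and the 203.0.113.10 address are constructed.

```python
import ipaddress
from collections import namedtuple

# Process names as they appear at the end of Sysmon's Image / ParentImage fields (assumed lists).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
ARCHIVE_TOOLS = {"7zfm.exe", "7zg.exe", "winrar.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Children Office spawns in normal use (print spooler proxy, crash reporter); never page on these.
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe"}
# Switches that separate a scripted stager from a person typing commands; raise severity, not a verdict.
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-nop", "-noprofile", "iex", "downloadstring", "http")
# Only RFC 1918/loopback/link-local count as internal; anything else is "outbound".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

Alert = namedtuple("Alert", "rule severity image parent detail")


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules match regardless of install directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(event: dict):
    """Apply the behavioural rules to one Sysmon event (dict of field -> value). Returns Alert or None."""
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if eid == 1:
        if image in BENIGN_CHILDREN:
            return None
        if parent in DOCUMENT_APPS | PDF_READERS | ARCHIVE_TOOLS and image in SHELLS:
            cmd = event.get("CommandLine", "").lower()
            severity = "high" if any(s in cmd for s in SUSPICIOUS_ARGS) else "medium"
            return Alert("document-app-spawns-shell", severity, image, parent, cmd)
    elif eid == 3:
        # Outlook talks to mail servers all day; Word, Excel and PDF readers rarely need the internet.
        if image in (DOCUMENT_APPS - {"outlook.exe"}) | PDF_READERS and is_external(event.get("DestinationIp", "")):
            return Alert("document-app-network", "medium", image, parent,
                         f"{event['DestinationIp']}:{event.get('DestinationPort')}")
    return None


def hunt(events):
    """Run every event through the rules and keep the alerts, in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry shaped like Sysmon EID 1 / EID 3 fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell.exe -nop -w hidden -c "<constructed stage-2 placeholder>"'},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start readme.txt"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Of the six constructed events only three alert: the Word-to-cmd chain (high, because of the hidden-window and no-profile switches), the Acrobat network connection, and the 7-Zip-to-cmd chain (medium, plain command line). The Outlook connection and the Explorer-launched PowerShell are deliberately left silent, which is the point of keying the rules on the parent rather than on the shell alone.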
Known Threat Actors Using T1566.001
T1566.001 appears in the documented TTPs of a significant number of tracked threat groups. The following represent some of the most consistently documented users of this technique across nation-state and cybercriminal categories.
- APT28 / Fancy Bear (Russia, GRU Unit 26165) — Sustained use of macro-enabled Office documents and RAR attachments against NATO governments, political organizations, and defense targets; active through 2024 with lures tied to current geopolitical events
- Sandworm / APT44 (Russia, GRU Unit 74455) — Used BlackEnergy3-laden Office attachments in the 2015 Ukraine power grid attack; continued spearphishing operations against Ukrainian and NATO-aligned organizations
- Lazarus Group (North Korea, RGB) — Operation DreamJob and related campaigns use job-offer archives and weaponized Word documents against defense, nuclear, financial, and cryptocurrency targets globally
- Mustang Panda / Earth Preta (China) — Prolific use of Office documents and archive lures against government, diplomatic, and NGO targets across Asia, Europe, and Australia; active with evolved tooling through 2025
- Kimsuky (North Korea) — Spearphishing with malicious attachments targeting South Korean government entities, think tanks, and academics; frequently impersonates known institutions and individuals
- TA505 / Cl0p (cybercriminal) — High-volume campaigns deploying malicious Office attachments at scale to deliver ServHelper, FlawedGrace, and ultimately ransomware payloads across financial and healthcare sectors
Defensive Recommendations
- Block macros from internet-sourced files at the policy level: Apply Group Policy or Intune configuration to enforce macro blocking for files with the Mark of the Web attribute across all Office applications. This follows Microsoft's own 2022 default change and should be explicitly enforced rather than relying on user consent prompts.
- Implement attachment sandboxing at the email gateway: Route all inbound attachments through a detonation sandbox before delivery. Focus on high-risk extensions (Office documents, PDFs, archives, LNK, ISO, VHD) and inspect both static properties and dynamic behavior during detonation.
- Restrict dangerous file types at the perimeter: Configure email gateway policies to quarantine or reject ISO, VHD, and LNK attachments, which have become primary delivery vehicles since macro blocking became widespread. Archive password prompts in the email body should trigger additional scrutiny.
- Enable and tune process creation logging: Deploy Sysmon or equivalent EDR telemetry with rules alerting on Office applications, PDF readers, and archive utilities spawning shell interpreters or making outbound network connections. Correlate with email delivery events where possible.
- Conduct targeted security awareness training: Standard phishing awareness training is insufficient against well-crafted spearphishing lures. Supplement with role-specific simulations that reflect the actual pretexts used against your sector — job offers for technical staff, contract documents for finance, and policy updates for administrators.
- Apply attack surface reduction rules: On Windows endpoints, enable Microsoft Defender ASR rules that block Office applications from creating child processes, block Office applications from injecting into other processes, and block executable content from email and webmail clients.
- Enforce least-privilege for end-user accounts: Reducing the privileges available to a user who opens a malicious attachment limits the blast radius. Standard users cannot install persistent mechanisms, write to system directories, or escalate privileges without additional exploitation steps that introduce additional detection opportunities.
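The correlation step recommended under process creation logging, as an added example not drawn from the page: join a mail gateway's attachment delivery records with endpoint events in which a document application spawned a shell, for the same user, within a look-back window. An alert that lands minutes after that user received a risky attachment is escalated with the attachment name attached; one with no matching delivery is kept as "unexplained" for a separate queue. The 30-minute window, the assumption that a mailbox local part equals the Windows account name, and all records are constructed for this example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed record shapes approximating a mail gateway log and an EDR/Sysmon process log.
Delivery = namedtuple("Delivery", "time recipient sender attachment")
ProcEvent = namedtuple("ProcEvent", "time host user parent image")

DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "7zfm.exe", "winrar.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
WINDOW = timedelta(minutes=30)   # assumed: how long after delivery an open is treated as linked


def user_key(identity: str) -> str:
    """Reduce 'alice@example.com' or 'CORP\\alice' to 'alice' so the two telemetry sources can be
    joined. Assumes the mailbox local part matches the Windows account name."""
    identity = identity.lower()
    if "@" in identity:
        return identity.split("@", 1)[0]
    return identity.rsplit("\\", 1)[-1]


def correlate(deliveries, proc_events, window=WINDOW):
    """For each document-app -> shell event, look back `window` for an attachment delivered to the
    same user. Returns (escalated, unexplained): escalated pairs each event with the most recent
    qualifying delivery; unexplained holds events with no delivery in the window."""
    by_user = {}
    for d in deliveries:
        by_user.setdefault(user_key(d.recipient), []).append(d)
    escalated, unexplained = [], []
    for ev in proc_events:
        if ev.parent.lower() not in DOCUMENT_APPS or ev.image.lower() not in SHELLS:
            continue
        candidates = [d for d in by_user.get(user_key(ev.user), [])
                      if timedelta(0) <= ev.time - d.time <= window]
        if candidates:
            latest = max(candidates, key=lambda d: d.time)   # likeliest lure; keep others for the analyst
            escalated.append((ev, latest))
        else:
            unexplained.append(ev)
    return escalated, unexplained


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data; names, hosts and sender domains are placeholders.
SAMPLE_DELIVERIES = [
    Delivery(_t("2025-03-03T09:02:00"), "alice@example.com", "billing@vendor-placeholder.test", "Invoice_4471.docm"),
    Delivery(_t("2025-03-03T09:05:00"), "bob@example.com", "hr@example.com", "policy.pdf"),
]
SAMPLE_PROC_EVENTS = [
    ProcEvent(_t("2025-03-03T09:11:00"), "WS-ALICE", r"CORP\alice", "winword.exe", "powershell.exe"),
    ProcEvent(_t("2025-03-03T09:12:00"), "WS-ALICE", r"CORP\alice", "winword.exe", "splwow64.exe"),
    ProcEvent(_t("2025-03-03T09:40:00"), "WS-BOB", r"CORP\bob", "acrord32.exe", "cmd.exe"),
    ProcEvent(_t("2025-03-03T10:00:00"), "WS-CAROL", r"CORP\carol", "excel.exe", "cmd.exe"),
]

if __name__ == "__main__":
    esc, unx = correlate(SAMPLE_DELIVERIES, SAMPLE_PROC_EVENTS)
    for ev, d in esc:
        print(f"ESCALATE {ev.host} {ev.user}: {ev.parent} -> {ev.image}, likely lure {d.attachment} from {d.sender}")
    for ev in unx:
        print(f"UNEXPLAINED {ev.host} {ev.user}: {ev.parent} -> {ev.image}")
```

With the constructed data, Alice's Word-to-PowerShell event is escalated and tied to Invoice_4471.docm, Bob's Acrobat-to-cmd event falls outside the window (35 minutes after his delivery) and Carol has no delivery at all, so both land in the unexplained list; Alice's print-spooler child is ignored because it is not a shell. The window should be widened for users who batch-read mail, at the cost of more coincidental matches.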
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1566.001 |
| Technique Name | Phishing: Spearphishing Attachment |
| Parent Technique | T1566 Phishing |
| Tactic | Initial Access (TA0001) |
| Platforms | Linux, Windows, macOS |
| Data Sources | Application Log: Application Log Content; Network Traffic: Network Traffic Content; Network Traffic: Network Traffic Flow |
| Mitigations | M1049 Antivirus/Antimalware, M1031 Network Intrusion Prevention, M1021 Restrict Web-Based Content, M1054 Software Configuration, M1017 User Training |
| Version | 2.2 (Last Modified: October 24, 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1566/001 |
Frequently Asked Questions
What is T1566.001 Spearphishing Attachment?
T1566.001 is a MITRE ATT&CK sub-technique under Initial Access in which adversaries send targeted emails with malicious file attachments — typically weaponized Office documents, PDFs, or archives — designed to execute a payload when opened by the recipient.
How do adversaries use spearphishing attachments?
Adversaries craft convincing lure emails tailored to the target's role or organization, attach a weaponized file such as a macro-enabled Word document or a PDF with an embedded exploit, and rely on the target opening the file to execute the payload. They frequently manipulate file extensions, use password-protected archives to evade email gateway scanning, and include persuasive instructions to bypass security warnings.
How can organizations detect spearphishing attachments?
Detection relies on monitoring email gateways for suspicious attachment types and macro-enabled documents, correlating process creation events where Office applications or PDF readers spawn child processes such as cmd.exe or PowerShell, alerting on unusual outbound network connections from document-rendering processes, and reviewing SIEM logs for Mark of the Web bypass indicators.
Sources and References
- MITRE ATT&CK — T1566.001 Phishing: Spearphishing Attachment: attack.mitre.org
- CISA — ICS Alert IR-ALERT-H-16-056-01 Cyber-Attack Against Ukrainian Critical Infrastructure: cisa.gov
- Kaspersky GReAT — Lazarus targets nuclear organization with CookiePlus malware: kaspersky.com
- Picus Security — Inside Sandworm: Decade of Cyber Sabotage and Espionage Activity: picussecurity.com
- GBHackers — Lazarus Group Deploys Weaponized Documents Against Aerospace & Defense: gbhackers.com
- Red Canary — Atomic Red Team T1566.001 Test Procedures: github.com/redcanaryco