title: Spearphishing Attachment (T1566.001)
id: df00tech-t1566-001
status: experimental
description: "Adversaries send targeted spearphishing emails with malicious attachments to gain initial access. Attachments may include Microsoft Office documents with macros, PDFs exploiting reader vulnerabilities, executables disguised with document icons, archive files (ZIP, ISO, IMG) containing LNK or script files, or RTF files exploiting equation editor vulnerabilities. Upon opening the attachment, the adversary's payload exploits a vulnerability or executes directly, typically spawning a child process from the email client or document handler. Common threat actors using this technique include APT28, Lazarus Group, FIN6, Cobalt Group, and Tropic Trooper."
references:
  - https://attack.mitre.org/techniques/T1566/001/
  - https://df00tech.com/detections/T1566.001
author: df00tech
date: 2026/04/21
tags:
  - attack.t1566.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The full KQL/SPL logic could not be auto-translated; see the df00tech query. The baseline
  # below follows the description: a shell or script host spawned by an email client or Office handler.
  selection:
    ParentImage|endswith: ['\outlook.exe', '\winword.exe', '\excel.exe', '\powerpnt.exe']
    Image|endswith: ['\cmd.exe', '\powershell.exe', '\wscript.exe', '\cscript.exe', '\mshta.exe']
  condition: selection
falsepositives:
  - Legitimate Excel macros used in finance/operations departments that call cmd.exe or PowerShell for data processing or report generation
  - "Microsoft Office add-ins and COM automation tools (Power BI, Tableau connector, SAP) that spawn child processes as part of normal integration workflows"
  - IT-managed document templates that use embedded VBA macros to launch approved internal tools or scripts from known paths
  - PDF reader auto-open actions or form submission scripts in enterprise document management workflows
  - "Outlook meeting integrations (Zoom, Teams, Webex plugins) that spawn helper processes when calendar invites are processed"
level: high
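As an added example (not part of the df00tech rule), the Python below applies the parent/child heuristic from the description to constructed Sysmon-style process-creation events and handles the "IT-managed templates from known paths" false positive with an allowlist; the allowlist directory, sample paths and file names are assumptions.

```python
"""Added example, not df00tech's code: the parent/child heuristic from the rule
description applied to constructed Sysmon-style process-creation events."""
import ntpath
from dataclasses import dataclass

# Email clients and document handlers named in the description (Office, PDF reader)
DOC_HANDLERS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Shells and script hosts an attachment payload typically spawns
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Hypothetical allowlist for the "IT-managed templates launching approved tools
# from known paths" false positive; tune to your environment
APPROVED_SCRIPT_DIRS = ("c:\\tools\\approved\\",)


@dataclass
class ProcEvent:
    parent_image: str   # Sysmon ParentImage
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


def classify(ev: ProcEvent) -> str:
    """Return 'alert', 'allowlisted' or 'benign' for one process-creation event."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    if parent not in DOC_HANDLERS or child not in INTERPRETERS:
        return "benign"
    if any(d in ev.command_line.lower() for d in APPROVED_SCRIPT_DIRS):
        return "allowlisted"
    return "alert"


def run_detection(events) -> list:
    """Pair each event index with its verdict, for triage or unit tests."""
    return [(i, classify(e)) for i, e in enumerate(events)]


# Constructed sample events; paths and file names are illustrative only
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Tools\Approved\refresh_report.bat"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\invoice.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe", "Zoom.exe --join"),
    ProcEvent(r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
              r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\alice\AppData\Local\Temp\form.js"),
]
```

Running `run_detection(SAMPLE_EVENTS)` yields allowlisted, alert, benign, benign, alert for events 0 to 4: the Zoom helper and the explorer-spawned shell fall outside the parent/child pairing, and the approved-path batch file is suppressed by the allowlist.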
