title: Spearphishing via Service (T1566.003)
id: df00tech-t1566-003
status: experimental
description: "Adversaries may send spearphishing messages via third-party services such as LinkedIn, Facebook, WhatsApp, Telegram, Discord, and Microsoft Teams rather than enterprise email channels. These platforms carry less-strict security policies than enterprise email, enabling adversaries to bypass enterprise email security controls entirely. Threat actors build rapport with targets on social platforms — posing as job recruiters (FIN6, Lazarus Group on LinkedIn), fake vendors, or IT support personnel (Storm-1811 via Teams) — before delivering malicious files or links through personal webmail, file-sharing services, or the messaging platform directly. Notable campaigns include FIN6 using LinkedIn fake job lures to distribute the More_eggs backdoor, ToddyCat distributing the Ninja loader via Telegram ZIP archives, EXOTIC LILY weaponizing legitimate file-sharing service email notifications, Lazarus Group's Contagious Interview campaign using fake job offers on social media to deliver ClickFake/ClickFix payloads, and Storm-1811 impersonating IT support via Microsoft Teams vishing calls to deploy Black Basta ransomware. Detection is challenging because the delivery channel is external to the enterprise; this detection focuses on the post-delivery execution artifacts observable in endpoint telemetry."
references:
  - https://attack.mitre.org/techniques/T1566/003/
  - https://df00tech.com/detections/T1566.003
author: df00tech
date: 2026/03/12
tags:
  - attack.t1566.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)"
  - IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
  - "Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory"
  - Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
  - HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms
level: high