title: Phishing (T1566)
id: df00tech-t1566
status: experimental
description: "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted (spearphishing) against a specific individual, company, or industry, or non-targeted such as mass malware spam campaigns. Adversaries send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or steal credentials. Phishing may also be conducted via third-party services like social media platforms, via voice-based callback lures directing victims to call a phone number and then download malware or install remote management tools, or through thread hijacking by injecting malicious content into existing email conversations. Email spoofing, manipulation of authentication headers, and abuse of compromised legitimate accounts are common evasion techniques used to bypass automated security tooling and human suspicion alike."
references:
  - https://attack.mitre.org/techniques/T1566/
  - https://df00tech.com/detections/T1566
author: df00tech
date: 2026/03/19
tags:
  - attack.t1566
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Automated marketing and newsletter platforms (Mailchimp, Constant Contact, HubSpot) that send bulk email from shared infrastructure may trigger SPF/DKIM mismatches if not properly configured"
  - "Internal security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness, Cofense) deliberately send fake phishing emails and should be allowlisted by sender domain"
  - "Vendors or partners sending invoices or payment requests from cloud document-sharing services (DocuSign, Adobe Sign, Dropbox) may match subject-line keywords while being fully legitimate"
  - "Email delivery failure notifications (NDRs, mailer-daemon bounces) forwarded through multiple hops may fail DMARC alignment without being malicious"
  - "Internal IT helpdesk emails requesting credential resets or account verification may match SuspiciousSubjectTerms"
level: high
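# Added example, not part of this rule or of df00tech's KQL/SPL query: Python logic for the checks the
# falsepositives above imply (DMARC alignment of header From against the SPF envelope-from and DKIM d= domain,
# a subject-term match, and allowlisting of simulation-vendor senders and NDRs). The allowlist, the term list
# standing in for the undefined SuspiciousSubjectTerms, and the sample records are assumptions/constructed.

```python
from email.utils import parseaddr

# Assumptions (not from the rule): tenant allowlist of simulation vendors; placeholder terms for SuspiciousSubjectTerms.
SIMULATION_SENDER_DOMAINS = {"knowbe4.com", "cofense.com"}
SUSPICIOUS_SUBJECT_TERMS = ("verify your account", "password", "invoice", "payment request")

def org_domain(domain):
    """Relaxed-alignment organizational domain: last two labels (assumption, no public-suffix lookup)."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

def dmarc_aligned(msg):
    """DMARC alignment: SPF or DKIM must pass AND that mechanism's domain must align with header From."""
    from_dom = org_domain(parseaddr(msg["from"])[1].rsplit("@", 1)[-1])
    env_dom = org_domain(msg["envelope_from"].rsplit("@", 1)[-1])
    spf_ok = msg["spf"] == "pass" and env_dom == from_dom
    dkim_ok = msg["dkim"] == "pass" and org_domain(msg["dkim_domain"]) == from_dom
    return spf_ok or dkim_ok

def classify(msg):
    """Return (verdict, reason) for one message record."""
    from_addr = parseaddr(msg["from"])[1].lower()
    local, _, from_dom = from_addr.rpartition("@")
    if from_dom in SIMULATION_SENDER_DOMAINS:
        return "allow", "phishing-simulation sender domain"
    if local in ("mailer-daemon", "postmaster"):
        return "allow", "bounce/NDR: alignment is not meaningful"
    subject_hit = any(t in msg["subject"].lower() for t in SUSPICIOUS_SUBJECT_TERMS)
    if not dmarc_aligned(msg):
        return ("alert" if subject_hit else "review"), "DMARC not aligned"
    return "pass", "DMARC aligned"  # aligned internal helpdesk mail passes even on a subject-term hit

# Constructed sample records (no real senders), one dict per message.
SAMPLES = [
    {"from": "IT Helpdesk <it@contoso.example>", "envelope_from": "it@contoso.example",
     "dkim_domain": "contoso.example", "spf": "pass", "dkim": "pass",
     "subject": "Please verify your account"},
    {"from": "Accounts <ap@contoso.example>", "envelope_from": "x@bulk-mailer.example",
     "dkim_domain": "bulk-mailer.example", "spf": "pass", "dkim": "pass",
     "subject": "Overdue invoice - payment request"},
    {"from": "training@knowbe4.com", "envelope_from": "b@knowbe4.com",
     "dkim_domain": "knowbe4.com", "spf": "pass", "dkim": "pass", "subject": "Reset your password"},
    {"from": "Mailer-Daemon@relay.example", "envelope_from": "", "dkim_domain": "",
     "spf": "none", "dkim": "none", "subject": "Undeliverable: Invoice 4411"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify(m), "|", m["subject"])
```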
