title: Spearphishing Attachment (T1598.002)
id: df00tech-t1598-002
status: experimental
description: "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information, frequently credentials, from targeted individuals. Unlike T1566 (execution-focused phishing), T1598.002 is a reconnaissance technique where the attachment itself—such as a credential-harvesting Office document, HTML smuggling page, or fake login portal—is designed to capture and exfiltrate user input back to the adversary. Threat actors including Dragonfly, Star Blizzard, and SideCopy have used this pattern to harvest credentials before or alongside intrusion campaigns. Detection focuses on email delivery telemetry, attachment characteristics (Office files with suspicious macros or embedded links, HTML files with form submissions), and anomalous authentication events that may indicate harvested credentials have been used."
references:
  - https://attack.mitre.org/techniques/T1598/002/
  - https://df00tech.com/detections/T1598.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1598.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, the selection matches every event in the logsource, so this rule should not be
  # enabled until the selection is replaced with environment-specific logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate business partners sending signed invoices or HR onboarding documents via freemail addresses (contractors, freelancers)
  - Internal IT teams sending security awareness test emails with credential-harvesting lures as part of phishing simulation programs
  - Newsletters and marketing emails with HTML attachments that contain form elements for preference updates
  - Financial institutions sending account statements as password-protected ZIP archives or PDF attachments with credential-related subjects
level: high
