Phishing (T1566)
Tactic: Initial Access
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Events covered
28 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 260 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (324 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1537 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank Corpus reach means the combination is specific to rules under this technique.
Exclusions (258 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.
Sigma (35 rules)
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- CVE-2021-31979 CVE-2021-33771 Exploits
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- Disk Image Mounting Via Hdiutil - MacOS
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- HTML File Opened From Download Folder
- HTML Help HH.EXE Suspicious Child Process
- ISO File Created Within Temp Folders
- ISO Image Mounted
- ISO or Image Mount Indicator in Recent Files
- Office Macro File Creation
- Office Macro File Creation From Suspicious Process
- Office Macro File Download
- Okta FastPass Phishing Detection
- Password Protected ZIP File Opened (Email Attachment)
- Phishing Pattern ISO in Archive
- Potential Initial Access via DLL Search Order Hijacking
- Potential Malicious Usage of CloudTrail System Manager
- Rapid creation of clients with the dynamic client registration endpoint
- Suspicious Double Extension File Execution
- Suspicious Email Delivered In Microsoft 365
- Suspicious Execution From Outlook Temporary Folder
- Suspicious Execution via macOS Script Editor
- Suspicious External WebDAV Execution
- Suspicious File Created in Outlook Temporary Directory
- Suspicious HH.EXE Execution
- Suspicious HWP Sub Processes
- Suspicious Microsoft OneNote Child Process
- Ursnif Malware C2 URL Pattern
- WebDAV Temporary Local File Creation
- Windows Registry Trust Record Modification
Elastic (55 rules)
- Creation of SettingContent-ms Files
- Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish
- Downloaded Shortcut Files
- Downloaded URL Files
- Entra ID Concurrent Sign-in with Suspicious Properties
- Entra ID Illicit Consent Grant via Registered Application
- Entra ID Kali365 Default User-Agent Detected
- Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN
- Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent
- Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource
- Entra ID OAuth Device Code Flow with Concurrent Sign-ins
- Entra ID OAuth Device Code Grant by Microsoft Authentication Broker
- Entra ID OAuth Device Code Grant by Unusual User
- Entra ID OAuth Device Code Phishing via AiTM
- Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)
- Entra ID OAuth Phishing via First-Party Microsoft Application
- Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)
- Entra ID Sharepoint or OneDrive Accessed by Unusual Client
- Execution of File Written or Modified by Microsoft Office
- File with Suspicious Extension Downloaded
- Google Workspace Device Registration After OAuth from Suspicious ASN
- Google Workspace Object Copied to External Drive with App Consent
- M365 AIR Investigation Signal
- M365 Azure Monitor Alert Email with Financial or Billing Theme
- M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs
- M365 Identity OAuth Flow by User Sign-in to Device Registration
- M365 Identity OAuth Illicit Consent Grant by Rare Client and User
- M365 Identity OAuth Phishing via First-Party Microsoft Application
- M365 Identity Unusual SSO Authentication Errors for User
- M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)
- M365 Quarantine and Hygiene Signal
- M365 Threat Intelligence Signal
- Network Traffic to Rare Destination Country
- Okta FastPass Phishing Detection
- Potential CVE-2025-33053 Exploitation
- Potential Execution via FileFix Phishing Attack
- Potential Fake CAPTCHA Phishing Attack
- Potential Foxmail Exploitation
- Potential Process Injection from Malicious Document
- Potential Remote File Execution via MSIEXEC
- Remote Desktop File Opened from Suspicious Path
- Remote XSL Script Execution via COM
- Suspicious Execution from INET Cache
- Suspicious Execution via Microsoft Office Add-Ins
- Suspicious Explorer Child Process
- Suspicious HTML File Creation
- Suspicious macOS MS Office Child Process
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious PDF Reader Child Process
- Unusual DNS Activity
- Unusual Execution via Microsoft Common Console File
- Unusual Network Destination Domain Name
- Windows Script Executing PowerShell
- Windows Script Interpreter Executing Process via WMI
Splunk (56 rules)
- Azure AD Device Code Authentication
- Detect Outlook exe writing a zip file
- Email Attachments With Lots Of Spaces
- Gdrive suspicious file sharing
- GSuite Email Suspicious Attachment
- Gsuite Email Suspicious Subject With Attachment
- Gsuite Email With Known Abuse Web Service Link
- Gsuite suspicious calendar invite
- Gsuite Suspicious Shared File Name
- Malicious Document Execution (Sysmon)
- Malicious Document Execution (Windows Event Log)
- O365 Email Reported By Admin Found Malicious
- O365 Email Reported By User Found Malicious
- O365 Safe Links Detection
- O365 Threat Intelligence Suspicious Email Delivered
- O365 ZAP Activity Detection
- Process Creating LNK file in Suspicious Location
- RDP File Executed from Outlook Temp Directory (Sysmon)
- RDP File Executed from Outlook Temp Directory (Windows Event Log)
- RDP File Written by Outlook (Sysmon)
- RDP File Written by Outlook (Windows Event Log)
- Suspicious Email Attachment Extensions
- Windows CAB File on Disk
- Windows Defender ASR Audit Events
- Windows Defender ASR Block Events
- Windows Defender ASR Rules Stacking
- Windows InProcServer32 New Outlook Form
- Windows ISO LNK File Creation
- Windows Office Product Dropped Cab or Inf File
- Windows Office Product Dropped Uncommon File
- Windows Office Product Loaded MSHTML Module
- Windows Office Product Loading Taskschd DLL
- Windows Office Product Loading VBE7 DLL
- Windows Office Product Spawned Child Process For Download
- Windows Office Product Spawned Control
- Windows Office Product Spawned MSDT
- Windows Office Product Spawned Rundll32 With No DLL
- Windows Office Product Spawned Uncommon Process
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows Phishing PDF File Executes URL Link
- Windows Phishing Recent ISO Exec Registry
- Windows Spearphishing Attachment Connect To None MS Office Domain
- Windows Spearphishing Attachment Onenote Spawn Mshta
- Windows Universal Data Link File Creation
- Zscaler Adware Activities Threat Blocked
- Zscaler Behavior Analysis Threat Blocked
- Zscaler CryptoMiner Downloaded Threat Blocked
- Zscaler Employment Search Web Activity
- Zscaler Exploit Threat Blocked
- Zscaler Legal Liability Threat Blocked
- Zscaler Malware Activity Threat Blocked
- Zscaler Phishing Activity Threat Blocked
- Zscaler Potentially Abused File Download
- Zscaler Privacy Risk Destinations Threat Blocked
- Zscaler Scam Destinations Threat Blocked
- Zscaler Virus Download threat blocked
Kusto (86 rules)
- Accessed files shared by temporary external user
- Acronis - Multiple Inboxes with Malicious Content Detected
- Cisco SEG - Malicious attachment not blocked
- Cisco SEG - Multiple suspiciuos attachments received
- Cisco SEG - Possible outbreak
- Cisco SEG - Potential phishing link
- Cisco SEG - Suspicious link
- Cisco SEG - Suspicious sender domain
- Cisco SEG - Unexpected attachment
- Cisco SEG - Unexpected link
- Cisco SEG - Unscannable attacment
- Cisco WSA - Access to unwanted site
- Contrast Blocks
- Contrast Exploits
- Contrast Probes
- Contrast Suspicious
- Corelight - Network Service Scanning Multiple IP Addresses
- Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request
- Corelight - SMTP Email containing NON Ascii Characters within the Subject
- Cross-Cloud Suspicious Compute resource creation in GCP
- Cross-Cloud Suspicious user activity observed in GCP Envourment
- CyberBlindSpot - Any Issue Detected
- Dataverse - TI map URL to DataverseActivity
- Detect Direct Send phishing emails
- Detect external user sending suspicious link to multiple users
- Detect Malicious Teams Message
- Detect Possible Teams BEC Attack by High Teams Recipients
- Detect web requests to potentially harmful files (ASIM Web Session)
- Egress Defend - Dangerous Attachment Detected
- Google DNS - Exchange online autodiscover abuse
- Google Threat Intelligence - Threat Hunting Url
- GWorkspace - Possible maldoc file name in Google drive
- KnowBe4 Defend - Dangerous Attachment Detected
- McAfee ePO - Spam Email detected
- Mimecast Secure Email Gateway - Attachment Protect
- Mimecast Secure Email Gateway - Attachment Protect
- Mimecast Secure Email Gateway - URL Protect
- Mimecast Secure Email Gateway - URL Protect
- Office ASR rule triggered from browser spawned office process.
- Okta Fast Pass phishing Detection
- Phishing link click observed in Network Traffic
- Possible Phishing with CSL and Network Sessions
- Power Apps - Bulk sharing of Power Apps to newly created guest users
- Power Apps - Multiple users access a malicious link after launching new app
- Preview - TI map Email entity to Cloud App Events
- ProofpointPOD - High risk message not discarded
- ProofpointPOD - Suspicious attachment
- RecordedFuture Threat Hunting Domain All Actors
- Red Sift - Email with URL to previously unseen domain
- Red Sift - New email with URL from previously unseen sender
- Red Sift - New email with URL from previously unseen source
- Stale last password change
- Star Blizzard C2 Domains August 2022
- Suspicious MSC File Launched
- Suspicious parentprocess relationship - Office child processes.
- T1566.002 Spearphishing Link - Rare URL Clicks
- TI map Domain entity to EmailEvents
- TI map Domain entity to EmailEvents
- TI map Domain entity to EmailUrlInfo
- TI map Domain entity to EmailUrlInfo
- TI map Email entity to AzureActivity
- TI map Email entity to AzureActivity
- TI map Email entity to Cloud App Events
- TI map Email entity to EmailEvents
- TI map Email entity to EmailEvents
- TI map Email entity to OfficeActivity
- TI map Email entity to OfficeActivity
- TI map Email entity to PaloAlto CommonSecurityLog
- TI map Email entity to PaloAlto CommonSecurityLog
- TI map Email entity to SecurityAlert
- TI map Email entity to SecurityAlert
- TI map Email entity to SecurityEvent
- TI map Email entity to SecurityEvent
- TI map Email entity to SigninLogs
- TI map Email entity to SigninLogs
- Trend Micro CAS - Infected user
- Trend Micro CAS - Multiple infected users
- Trend Micro CAS - Possible phishing mail
- Trend Micro CAS - Suspicious filename
- Trend Micro CAS - Unexpected file on file share
- Trend Micro CAS - Unexpected file via mail
- User Accessed Suspicious URL Categories
- Valimail Enforce - DMARC Policy Weakened to None
- Votiro - File Blocked in Email
- VTI - High Severity Domain Collision Detection
- Website blocked by ESET
YARA-L (4 rules)
- Chrome Browser Safe Browsing User Bypass
- gmail spike in undeliverables
- Microsoft Entra ID Device code phishing attack
- Okta Phishing Detection With Fastpass Origin Check
Panther (24 rules)
- AppOmni Alert Passthrough
- Azure Device Code Authentication with Broker Client
- Azure VS Code OAuth Phishing
- DNS request to denylisted domain
- GitHub Malicious Comment/Review Content
- Gmail Malicious SMTP Response
- Gmail Potential Spoofed Email Delivered
- Gsuite Attachments Downloaded from Spam Email
- Gsuite Email Bypassed Spam Filter
- GSuite Government Backed Attack
- Gsuite Link Clicked in Spam Email
- GSuite Workspace Gmail Pre-Delivery Message Scanning Disabled
- GSuite Workspace Gmail Security Sandbox Disabled
- Malicious SSO DNS Lookup
- Malware Detected in Email
- Okta AiTM Phishing Attempt Blocked by FastPass
- Proofpoint Active Threat Campaign Detected
- Proofpoint High Impostor Score Detected
- Proofpoint Malware Detected
- Proofpoint Multiple Threats Detected
- Proofpoint Phishing Email Detected
- Proofpoint Virus Detected
- Slack Potentially Malicious File Shared
- Spam Email Surge