Phishing (T1566)
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Events covered
27 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 83 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (44 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (670 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (155 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma (25 rules)
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- CVE-2021-31979 CVE-2021-33771 Exploits
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- HTML File Opened From Download Folder
- HTML Help HH.EXE Suspicious Child Process
- ISO File Created Within Temp Folders
- ISO Image Mounted
- ISO or Image Mount Indicator in Recent Files
- Office Macro File Creation
- Office Macro File Creation From Suspicious Process
- Office Macro File Download
- Password Protected ZIP File Opened (Email Attachment)
- Phishing Pattern ISO in Archive
- Potential Initial Access via DLL Search Order Hijacking
- Suspicious Double Extension File Execution
- Suspicious Execution From Outlook Temporary Folder
- Suspicious File Created in Outlook Temporary Directory
- Suspicious HH.EXE Execution
- Suspicious HWP Sub Processes
- Suspicious Microsoft OneNote Child Process
- WebDAV Temporary Local File Creation
- Windows Registry Trust Record Modification
Elastic (23 rules)
- Creation of SettingContent-ms Files
- Downloaded Shortcut Files
- Downloaded URL Files
- Execution of File Written or Modified by Microsoft Office
- File with Suspicious Extension Downloaded
- Potential CVE-2025-33053 Exploitation
- Potential Execution via FileFix Phishing Attack
- Potential Fake CAPTCHA Phishing Attack
- Potential Foxmail Exploitation
- Potential Process Injection from Malicious Document
- Potential Remote File Execution via MSIEXEC
- Remote Desktop File Opened from Suspicious Path
- Remote XSL Script Execution via COM
- Suspicious Execution from INET Cache
- Suspicious Execution via Microsoft Office Add-Ins
- Suspicious Explorer Child Process
- Suspicious HTML File Creation
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious PDF Reader Child Process
- Unusual Execution via Microsoft Common Console File
- Windows Script Executing PowerShell
- Windows Script Interpreter Executing Process via WMI
Splunk (30 rules)
- Detect Outlook exe writing a zip file
- Malicious Document Execution (Sysmon)
- Malicious Document Execution (Windows Event Log)
- Process Creating LNK file in Suspicious Location
- RDP File Executed from Outlook Temp Directory (Sysmon)
- RDP File Executed from Outlook Temp Directory (Windows Event Log)
- RDP File Written by Outlook (Sysmon)
- RDP File Written by Outlook (Windows Event Log)
- Windows CAB File on Disk
- Windows Defender ASR Audit Events
- Windows Defender ASR Block Events
- Windows Defender ASR Rules Stacking
- Windows InProcServer32 New Outlook Form
- Windows ISO LNK File Creation
- Windows Office Product Dropped Cab or Inf File
- Windows Office Product Dropped Uncommon File
- Windows Office Product Loaded MSHTML Module
- Windows Office Product Loading Taskschd DLL
- Windows Office Product Loading VBE7 DLL
- Windows Office Product Spawned Child Process For Download
- Windows Office Product Spawned Control
- Windows Office Product Spawned MSDT
- Windows Office Product Spawned Rundll32 With No DLL
- Windows Office Product Spawned Uncommon Process
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows Phishing PDF File Executes URL Link
- Windows Phishing Recent ISO Exec Registry
- Windows Spearphishing Attachment Connect To None MS Office Domain
- Windows Spearphishing Attachment Onenote Spawn Mshta
- Windows Universal Data Link File Creation