{ "type": "bundle", "id": "bundle--c4d92fce-374c-4d96-b456-3accab472cd3", "spec_version": "2.0", "objects": [ { "modified": "2023-03-09T18:38:51.471Z", "name": "Spearphishing Attachment", "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted oil and natural gas (ONG) organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Engineering Workstation", "Human-Machine Interface", "Control Server", "Data Historian" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "File: File Creation", "Application Log: Application Log Content", "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0865", "external_id": "T0865" }, { "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" }, { "source_name": "Enterprise ATT&CK October 2019", "description": "Enterprise ATT&CK 2019, October 25 Spearphishing Attachment Retrieved. 2019/10/25 ", "url": "https://attack.mitre.org/techniques/T1193/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] } ] }