Cyber Pulse Academy

T1598 (Reconnaissance)

Phishing for Information

Adversaries trick targets into divulging credentials and sensitive data through deceptive emails, fake portals, malicious links, and voice calls. Phishing remains the most common attack vector worldwide.
Tags: Spearphishing · Credential Theft · Fake Portals · Domain Spoofing · Training · MFA Enabled

The #1 Attack Vector in Cybersecurity

Phishing is not a new threat, but it remains the most effective and widespread method adversaries use to breach organizations. Widely cited industry estimates put the share of cyberattacks that begin with a phishing email at around 90%, and the volume of attacks continues to grow year after year. The FBI's Internet Crime Complaint Center (IC3) reported $2.77 billion in Business Email Compromise (BEC) losses in 2024 alone, one of the costliest categories of cybercrime in that year's report.


The Anti-Phishing Working Group (APWG) recorded 3.8 million unique phishing sites in 2025, with an estimated 3.4 billion phishing emails sent daily worldwide. The attacks have become increasingly sophisticated, leveraging AI-generated content, deepfakes, and multi-channel approaches that combine email with voice calls (vishing) and SMS (smishing).


Under the MITRE ATT&CK framework, T1598 (Phishing for Information) is a Reconnaissance technique: the adversary's goal is to elicit information, such as credentials, organizational details, or answers to security questions, that will be used in later stages of the operation. When the phishing message itself delivers the compromise (malware, or a harvested password used immediately for initial access), ATT&CK maps it to T1566 (Phishing) under Initial Access instead; in practice one campaign often does both. Even a single successful phishing attempt can give attackers the information they need to compromise an entire network.

90% of cyberattacks start with phishing
3.4B phishing emails sent daily (2025)
$2.77B US BEC losses in 2024 (FBI)
3.8M unique phishing sites in 2025
57% of orgs face phishing weekly or daily
57.9% increase in attacks from compromised accounts (2024-2025)

Official Resources & References

The following authoritative sources provide deeper insights into phishing threats, statistics, and defensive recommendations:

Related MITRE ATT&CK Techniques

T1598 often works in combination with other reconnaissance techniques. Attackers may gather victim identity information, scan networks for vulnerabilities, or collect host details before crafting targeted phishing campaigns.

Understanding the Phishing Landscape

Phishing

Definition: Phishing is a social engineering attack in which adversaries impersonate trusted entities (banks, colleagues, government agencies, service providers) to trick targets into revealing sensitive information such as passwords, credit card numbers, or personal data. It can be delivered via email (email phishing), text messages (smishing), voice calls (vishing), or social media messages.

Everyday Analogy

Imagine someone knocks on your door wearing a uniform that looks exactly like your bank's delivery service. They have a clipboard, a badge, and they say they need your account number to "verify a suspicious transaction." The uniform is fake, the badge is counterfeit, and the "suspicious transaction" doesn't exist. But if you're in a rush or feeling worried, you might hand over your information without thinking. That's phishing: deception dressed up as legitimacy.

Core Concepts & Terminology

Term | Definition | MITRE Mapping
Spearphishing | Targeted phishing aimed at a specific individual or organization using personalized information | T1598 (all sub-techniques)
Whaling | Spearphishing targeting high-value individuals such as CEOs, CFOs, or other executives | Any T1598 sub-technique, depending on the delivery channel
Business Email Compromise (BEC) | Attacker impersonates a business partner or executive to redirect payments or steal data | T1598.002 / T1598.003 (when used to elicit information)
Vishing (Voice Phishing) | Phone-based phishing where attackers impersonate trusted callers to extract information | T1598.004 (Spearphishing Voice)
Smishing (SMS Phishing) | Text message phishing using fake alerts, package notifications, or account warnings | T1598.003 (Spearphishing Link)
Clone Phishing | Copying a legitimate previously-delivered email and replacing links/attachments with malicious ones | T1598.002 / T1598.003
Angler Phishing | Attackers create fake customer service accounts on social media to intercept victim complaints | T1598.001 (Spearphishing Service)
Credential Harvesting | Collecting usernames, passwords, and session tokens through fake login pages or deceptive forms | T1598.003, occasionally T1598.001
Domain Spoofing | Registering lookalike domains (e.g., "paypaI.com" with capital I instead of lowercase L) to host portals or send mail | T1583.001 (Acquire Infrastructure: Domains), used in T1598.003 campaigns
Pretexting | Creating a fabricated scenario (pretext) to lend credibility to the phishing attempt | All sub-techniques; most prominent in T1598.004

When One Click Costs Millions

The Story of Marcus Chen: A $4.2 Million Mistake

Marcus Chen was the Director of Finance at Meridian Aerospace, a mid-sized defense contractor with 2,400 employees and $800 million in annual revenue. He had been with the company for 12 years and was known for his meticulous attention to detail. But on a rainy Tuesday in March, one carefully crafted email would compromise everything.

Monday: The Reconnaissance Begins

An advanced persistent threat (APT) group operating from Eastern Europe had been researching Meridian Aerospace for three weeks. Using open-source intelligence gathered through techniques like T1589 (Gather Victim Identity Information) and T1591 (Gather Victim Org Information), they identified Marcus Chen as a key target. They learned his email format, reporting structure, upcoming audit deadlines, and the company's recent switch to a new expense management platform.

Tuesday 9:47 AM: The Spearphishing Email Arrives

Marcus received an email that appeared to come from the CEO, Robert Walsh. The subject line read "URGENT: Expense Platform Migration - Immediate Action Required." The email looked identical to previous CEO communications: same signature block, same corporate formatting, same tone. It directed Marcus to a link for a "new expense portal" that needed immediate credential verification before the Q1 audit deadline the following day. The link pointed to meridian-expenses.com, not the company's actual domain.

Tuesday 9:52 AM: The Credential Harvest

Under time pressure and trusting what appeared to be a legitimate directive from his CEO, Marcus clicked the link. The fake portal was a pixel-perfect replica of the company's login page. He entered his corporate email and password. Behind the scenes, the credentials were transmitted to the attacker's server in real-time. The page then showed an "error" and redirected him to the legitimate site, making the attack invisible.

Tuesday–Thursday: Lateral Movement & Exfiltration

Using Marcus's credentials, the attackers accessed the company's Microsoft 365 environment within minutes. They found his stored credentials for the financial systems, escalated privileges through a misconfigured service account, and spent 48 hours quietly exfiltrating sensitive bid proposals, employee records, and defense contract details: 1.2 terabytes in total.

Friday: Discovery and Fallout

The company's security team detected anomalous data transfers in the Microsoft 365 audit log and escalated to incident response. By then, the damage was done. The total financial impact was $4.2 million in direct costs: forensics ($680K), legal fees ($1.1M), regulatory fines ($950K), contract penalties ($870K), and notification and credit monitoring for all 2,400 employees ($600K).

The Aftermath: What Changed

Meridian Aerospace completely overhauled their security posture. They implemented mandatory multi-factor authentication (MFA) for all accounts, deployed advanced email filtering with AI-based phishing detection, and launched a company-wide security awareness training program with monthly simulated phishing exercises. Within six months, their phishing click-through rate dropped from 34% to 2.1%. Marcus Chen became the company's most vocal security advocate, regularly sharing his story at industry conferences.

This scenario is a composite based on real incidents reported to the FBI IC3, CISA advisories, and published case studies. Names and details have been fictionalized for educational purposes.

How to Identify & Defend Against Phishing

01

Inspect the Sender's Email Address Carefully

Always examine the full email address of the sender, not just the display name. Attackers frequently use lookalike domains with subtle character substitutions.

  • Look for misspellings like paypaI.com (capital I instead of lowercase L), micros0ft.com (zero instead of O), or arnazon.com (r and n in place of m)
  • Check that the domain matches the organization's official website: hover over, or click on, the sender name to reveal the actual address, and remember that the display name is free text chosen by whoever sent the mail
  • Be suspicious of email addresses from free services (Gmail, Yahoo) claiming to represent banks, government agencies, or enterprises
🔒 Verify Sender 🔍 Check Domain 🔎 Inspect Headers

Related: T1589.002 (Email Addresses) | T1590.001 (Domain Properties)
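The checks above as code, added here as an example and not part of the original page: it reads the From and Reply-To headers of a raw message, folds visually confusable characters so that the lookalike spellings listed above collide with the real domain, and flags free-mail senders whose display name borrows a brand. The trusted-domain list, the free-mail list and the four sample messages are constructed for the example; the page never gives Meridian Aerospace's real domain, so meridian-aero.example is a placeholder.

```python
"""Sender triage for a raw RFC 5322 message (added example).
Assumptions: TRUSTED_DOMAINS is a hypothetical allow-list; every sample
message below is constructed, not captured mail."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"meridian-aero.example", "paypal.com"}   # hypothetical
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Fold characters that look alike in common fonts so that paypaI.com,
# micros0ft.com and arnazon.com get the same skeleton as the real name.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})

def skeleton(domain: str) -> str:
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")

TRUSTED_SKELETONS = {skeleton(d) for d in TRUSTED_DOMAINS}
BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}

def analyze_sender(raw_message: str) -> list[str]:
    """Return finding codes for the sender fields; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # "ceo@corp.example <x@evil.example>": the client shows the first address,
    # the mail actually comes from the second.
    if "@" in display and display.rpartition("@")[2].strip('>" ').lower() != from_domain:
        findings.append("display-name-address")

    # Replies silently go somewhere other than the claimed sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to-mismatch")

    # Not a trusted domain, but indistinguishable from one at a glance.
    if from_domain not in TRUSTED_DOMAINS and skeleton(from_domain) in TRUSTED_SKELETONS:
        findings.append("lookalike-domain")

    # A free-mail account whose display name borrows a trusted brand.
    if from_domain in FREE_MAIL and any(b in display.lower() for b in BRANDS):
        findings.append("freemail-brand")
    return findings

# Constructed samples: the CEO-impersonation mail from the story, a brand on a
# free-mail account, the display-name trick, and a legitimate internal mail.
LOOKALIKE_MSG = """\
From: "Robert Walsh (CEO)" <robert.walsh@meridian-aer0.example>
Reply-To: rwalsh.meridian@gmail.com
To: marcus.chen@meridian-aero.example
Subject: URGENT: Expense Platform Migration

Verify your credentials on the new expense portal before tomorrow's audit.
"""
FREEMAIL_MSG = """\
From: "PayPal Support" <paypal.alerts.2025@gmail.com>
To: marcus.chen@meridian-aero.example
Subject: Unauthorized access detected

"""
DISPLAY_TRICK_MSG = """\
From: "Robert Walsh <robert.walsh@meridian-aero.example>" <billing@evil.example>
To: marcus.chen@meridian-aero.example
Subject: Invoice

"""
CLEAN_MSG = """\
From: "Accounts Payable" <ap@meridian-aero.example>
To: marcus.chen@meridian-aero.example
Subject: March invoices

"""

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_MSG), ("freemail", FREEMAIL_MSG),
                      ("display-trick", DISPLAY_TRICK_MSG), ("clean", CLEAN_MSG)]:
        print(f"{name:14s} {analyze_sender(raw) or 'no findings'}")
```

The skeleton comparison is deliberately coarse: it only has to make the human-visible confusions collide, and a mail gateway would add the Unicode confusables table and a distance metric on top of it.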

02

Analyze the Message for Urgency and Pressure Tactics

Phishing emails rely on creating artificial urgency or fear to bypass your critical thinking. Legitimate organizations rarely demand immediate action via email alone.

  • Watch for phrases like "Your account will be suspended," "Immediate action required," "Final warning," or "Unauthorized access detected"
  • Legitimate companies typically give you time to act and provide multiple contact methods; phishing demands an instant response via a single channel
  • If the email claims to be from your bank, open a new browser tab and navigate to your bank's website directly instead of clicking any links
⏰ Slow Down 😏 Stay Calm 💬 Verify Separately

Related: T1591.003 (Identify Business Tempo)

03

Hover Before You Click: Inspect All Links

Never click links directly from an email without first previewing the destination URL. Attackers hide malicious destinations behind legitimate-looking anchor text.

  • On desktop, hover your mouse over any link (don't click) to see the actual URL in the bottom-left corner or tooltip; on mobile, long-press the link
  • Read the host name from right to left and verify that the registrable domain matches the expected organization exactly: in login.secure-bank.com.evil.com the site you would visit is evil.com, and in secure-bank.com@evil.com everything before the @ is ignored by the browser
  • Do not treat HTTPS or the padlock as proof of legitimacy: most phishing sites now use valid certificates, and the padlock only says that the connection to the attacker's server is encrypted
  • When in doubt, navigate to the service directly by typing the URL into your browser rather than clicking any embedded link
🔗 Hover Links 🔐 Check the Domain, Not the Padlock 🚪 Navigate Directly

Related: T1598.003 (Spearphishing Link)
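The same reading of a URL, done by code: an added example rather than anything from the original page. It strips the userinfo trick, decodes punycode so that a non-Latin look-alike letter becomes visible, extracts the registrable domain (with a tiny stand-in for the Public Suffix List) and compares it with the domain you expected. secure-bank.example is a hypothetical bank domain and every URL is constructed.

```python
"""URL inspection before clicking (added example).
Assumptions: EXPECTED_DOMAIN is a hypothetical bank domain; MULTI_LABEL_SUFFIXES
is a tiny stand-in for the Public Suffix List; all URLs are constructed."""
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "secure-bank.example"               # hypothetical
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}    # real deployments: use the full PSL

def registrable_domain(host: str) -> str:
    """The part someone had to register: evil.com in login.secure-bank.com.evil.com,
    barclays.co.uk in online.barclays.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])

def inspect_url(url: str) -> dict:
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname drops userinfo and port
    findings: list[str] = []

    # https://secure-bank.example@evil.example/ : everything before @ is userinfo
    if parts.username is not None:
        findings.append("userinfo-trick")

    # Punycode (xn--) hides non-Latin look-alike letters behind ASCII
    try:
        decoded = host.encode("ascii").decode("idna")
    except UnicodeError:
        decoded = host
    if decoded != host:
        findings.append("punycode-host")
    if not decoded.isascii():
        findings.append("non-ascii-host")

    site = registrable_domain(decoded)
    if site != EXPECTED_DOMAIN:
        findings.append("domain-mismatch")

    # Plain http is worth noting, but https says nothing about who runs the site
    if parts.scheme != "https":
        findings.append("no-tls")
    return {"host": host, "decoded_host": decoded, "site": site, "findings": findings}

# Constructed: a Cyrillic "с" (U+0441) in place of Latin "c", shown the way a
# browser's address bar would render it in punycode.
LOOKALIKE_HOST = "\u0441ecure-bank.example".encode("idna").decode("ascii")
SAMPLES = [
    "https://login.secure-bank.example/auth",
    "https://login.secure-bank.example.evil-example.com/verify",
    "https://secure-bank.example@evil-example.com/verify",
    f"https://{LOOKALIKE_HOST}/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = inspect_url(url)
        print(f"{url}\n  site={r['site']} findings={r['findings'] or 'none'}")
```

Only the registrable domain is compared for equality here; combining it with the confusable-folding check from the sender example catches the remaining typosquats.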

04

Never Open Unexpected Attachments

Malicious attachments are a primary vector for malware delivery. Even seemingly innocent file types can carry payloads that compromise your system.

  • Be especially cautious with Office documents (.doc, .xls, .ppt and the macro-enabled .docm/.xlsm/.pptm formats) that prompt you to "Enable Macros" or "Enable Content": once enabled, a macro runs attacker code with your privileges
  • Payloads may also hide in PDF files, ZIP archives, ISO disk images, or shortcut files (.lnk); archives and disk images are popular because they carry an executable past filters that inspect only the outer file, and a name like invoice.pdf.exe relies on Windows hiding the real extension
  • If you weren't expecting the attachment, contact the sender through a separate verified channel (phone call, in person) before opening anything
📄 Verify Sender ⚠ No Macros 🗑 Quarantine

Related: T1598.002 (Spearphishing Attachment); an attachment that drops malware rather than eliciting information maps to T1566.001
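What a mail gateway does with the attachment types listed above, as an added example that is not part of the original page: it identifies the file by its leading bytes rather than its name, flags double extensions and content that does not match the extension, opens OOXML documents (which are ZIP packages) to look for the vbaProject.bin stream that every macro project is stored in, and checks plain archives for members that would execute on double-click. All sample files are built in memory and are constructed placeholders, not real malware.

```python
"""Attachment triage by content rather than file name (added example).
Assumptions: every sample file below is constructed in memory; the
vbaProject.bin stub is a placeholder, not real macro code."""
import io
import zipfile

RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".lnk", ".hta", ".iso", ".img", ".bat", ".cmd", ".ps1"}
EXPECTED_KIND = {".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".docm": "zip", ".xlsx": "zip",
                 ".xlsm": "zip", ".pptx": "zip", ".pptm": "zip", ".doc": "ole2", ".xls": "ole2",
                 ".ppt": "ole2"}
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip",
         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2"}

def sniff(data: bytes) -> str:
    """Identify the container by its leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage_attachment(filename: str, data: bytes) -> list[str]:
    findings: list[str] = []
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    ext = exts[-1] if exts else ""

    # invoice.pdf.exe: Windows hides the final extension, but that is what runs
    if ext in RISKY_EXT:
        findings.append("risky-extension")
        if len(exts) > 1:
            findings.append("double-extension")

    # statement.pdf that starts with an MZ header is an executable, whatever its name
    kind = sniff(data)
    if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
        findings.append("content-mismatch")

    # OOXML documents are ZIPs; a macro project is always stored as vbaProject.bin.
    # Plain ZIPs are checked for members that would execute if double-clicked.
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [n.lower() for n in zf.namelist()]
        if any(m.endswith("vbaproject.bin") for m in members):
            findings.append("vba-macro")
        if any("." + m.rsplit(".", 1)[-1] in RISKY_EXT for m in members if "." in m):
            findings.append("archive-contains-risky-file")

    # Legacy binary Office files can carry VBA too; they need an OLE parser
    # (for example oletools), which is out of scope here.
    if kind == "ole2":
        findings.append("legacy-ole2-needs-macro-scan")
    return findings

def _ooxml(with_macro: bool) -> bytes:
    """Minimal Word-style OOXML package built in memory (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

def _zip_with(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

MACRO_DOC = _ooxml(with_macro=True)
CLEAN_DOC = _ooxml(with_macro=False)
ZIP_WITH_LNK = _zip_with("Invoice.pdf.lnk", b"L\x00\x00\x00 constructed shortcut stub")
FAKE_PDF = b"MZ\x90\x00" + b"\x00" * 60          # PE header bytes, constructed

if __name__ == "__main__":
    for name, data in [("Q1_expenses.docm", MACRO_DOC), ("Q1_expenses.docx", CLEAN_DOC),
                       ("docs.zip", ZIP_WITH_LNK), ("invoice.pdf.exe", FAKE_PDF),
                       ("statement.pdf", FAKE_PDF)]:
        print(f"{name:18s} {triage_attachment(name, data) or 'no findings'}")
```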

05

Enable Multi-Factor Authentication (MFA) Everywhere

MFA is one of the strongest defenses against credential theft. If an attacker harvests your username and password through phishing, conventional MFA stops them from logging in with the password alone; phishing-resistant MFA (FIDO2/WebAuthn security keys) also defeats proxy sites that relay one-time codes in real time, because the credential is bound to the legitimate site's origin.

  • Prefer hardware security keys (YubiKey, Titan) first, then authenticator apps (Microsoft Authenticator, Google Authenticator, Authy), and avoid SMS-based MFA, which is vulnerable to SIM swapping; app-generated codes and push prompts can still be captured or approved through an attacker's proxy page
  • Enable MFA on all critical accounts: email, banking, cloud services, VPN, social media, password managers, and any administrative portals
  • Organizations should enforce MFA through conditional access policies that require it based on risk signals like unfamiliar locations or devices
🔒 Enable MFA 🔑 Hardware Key 🔑 Authenticator App

Related: T1589.001 (Credentials)

06

Report Suspicious Emails , Don't Just Delete Them

Reporting phishing attempts helps your organization's security team block similar attacks for everyone. Every reported phishing email contributes to threat intelligence that protects the entire organization.

  • Use your organization's "Report Phishing" button in Outlook, Gmail, or other email clients; it forwards the email, with its headers intact, to the security team for analysis
  • If no reporting button exists, forward the suspicious email as an attachment (not inline, which strips the original headers) to your IT/security team
  • For personal accounts, report phishing to Google or Microsoft through their published abuse-reporting addresses, or to the FTC at reportfraud.ftc.gov
🚨 Report 📦 Forward Headers 👥 Protect Everyone

Related: T1598 sub-techniques (classify each reported sample by its delivery vector: attachment, link, service, or voice)

07

Verify Voice Requests Through a Separate Channel

Vishing attacks (T1598.004) use phone calls to impersonate IT support, executives, or government agencies. Always verify unexpected requests through a known, trusted channel.

  • If someone calls claiming to be from "IT Support" and asks for your password or asks you to install remote access software, hang up and call IT using the number from the company directory
  • Do not trust caller ID: phone numbers can be spoofed to display any name or number, including "Microsoft Support" or your own company's main line
  • Government agencies (IRS, Social Security, police) do not call demanding immediate payment or threatening arrest; treat such calls as scams
📞 Hang Up 📞 Call Back 🔒 Never Share Passwords

Related: T1598.004 (Spearphishing Voice)

Avoid the Pitfalls, Adopt the Defenses

⚠ Common Mistakes

  • Trusting display names blindly. Attackers set the display name to "CEO" or "HR Department" while the actual email address belongs to an attacker-controlled domain. Always check the full email address, not just the friendly name shown in your inbox.
  • Clicking links under time pressure. Phishing emails create false urgency ("Your account expires in 24 hours!"). Take a breath, close the email, and verify the claim through a separate channel before taking any action.
  • Reusing passwords across accounts. When one set of credentials is harvested through phishing, attackers try the same credentials against banking, email, cloud, and social media accounts in automated credential stuffing attacks.
  • Ignoring security awareness training. Many organizations require annual training, but employees treat it as a checkbox. Active engagement in simulated phishing exercises builds the habits needed to spot real attacks.
  • Assuming MFA alone is sufficient. MFA is critical, but adversary-in-the-middle (AiTM) phishing proxies relay the victim's one-time code or push approval to the real site and capture the resulting session cookie, so the attacker never needs the second factor again. Defense requires a layered approach: phishing-resistant MFA, conditional access, and session monitoring.

✅ Best Practices

  • Implement email authentication protocols. Publish SPF and DKIM for every domain you send from, then a DMARC policy that ties them to the From: domain; start at p=none to collect reports, then move to p=quarantine and p=reject so that receivers drop spoofed mail. On the inbound side, honor other domains' DMARC policies at your gateway.
  • Conduct regular phishing simulations. Run monthly simulated phishing campaigns with varying difficulty levels. Track click rates and reporting rates, and provide targeted training for employees who fall for the simulations.
  • Deploy phishing-resistant MFA. Prioritize FIDO2/WebAuthn hardware security keys; treat authenticator-app codes as a fallback, since an AiTM proxy can relay them, and avoid SMS one-time codes, which are also exposed to SIM swapping.
  • Establish a clear reporting culture. Create a blameless reporting environment where employees feel safe reporting suspicious emails. Fast reporting dramatically reduces the dwell time of successful attacks.
  • Maintain a security-first mindset. Treat every unsolicited request for credentials, financial information, or urgent action as potentially suspicious until verified through a separate trusted channel.
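The receiver-side logic behind the first best practice, as an added example that is not part of the original page: given the From: domain, the SPF/DKIM results a gateway records in Authentication-Results, and the sender domain's published DMARC record, it decides whether an aligned identifier passed and otherwise applies the owner's policy. It shows why p=none lets a spoof through that p=reject stops, and how strict versus relaxed alignment treats mail sent from a subdomain. The DNS records and headers are constructed; org_domain() approximates the organizational domain without the Public Suffix List.

```python
"""DMARC evaluation as a receiving mail server performs it (added example).
Assumptions: the DNS records and Authentication-Results headers are constructed;
org_domain() approximates the organisational domain without the Public Suffix List."""
import re

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().split(".")[-2:])

def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organisational domain (RFC 7489 section 3.1)."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def parse_dmarc(record: str) -> dict:
    """Parse the tag=value list of a DMARC TXT record, applying RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r")}

def parse_auth_results(header: str) -> dict:
    """Extract (result, domain) for SPF and DKIM from an Authentication-Results header."""
    out = {"spf": None, "dkim": None}
    spf = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=([\w.@-]+)", header)
    if spf:
        out["spf"] = (spf.group(1), spf.group(2).rpartition("@")[2])
    dkim = re.search(r"dkim=(\w+)[^;]*header\.d=([\w.-]+)", header)
    if dkim:
        out["dkim"] = (dkim.group(1), dkim.group(2))
    return out

def dmarc_disposition(from_domain: str, auth_results: str, dmarc_record: str) -> str:
    """'pass' if an aligned SPF or DKIM identifier passed, else the owner's requested action."""
    policy = parse_dmarc(dmarc_record)
    results = parse_auth_results(auth_results)
    for mechanism, mode in (("dkim", policy["adkim"]), ("spf", policy["aspf"])):
        result = results[mechanism]
        if result and result[0] == "pass" and aligned(result[1], from_domain, mode):
            return "pass"
    return policy["p"]

# Constructed records and headers for a hypothetical meridian-aero.example domain.
FROM_DOMAIN = "meridian-aero.example"
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@meridian-aero.example"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@meridian-aero.example"
# A spoof: SPF passes for the attacker's bulk-mail domain, but nothing aligns with From:
AR_SPOOFED = "mx.receiver.example; spf=pass smtp.mailfrom=bounce@attacker-bulk.example; dkim=none"
# Genuine mail: DKIM signed by the From: domain itself
AR_LEGIT = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.meridian-aero.example; "
            "dkim=pass header.d=meridian-aero.example header.s=sel2025")
# Genuine mail from a subdomain with a broken DKIM signature: only relaxed SPF alignment saves it
AR_SUBDOMAIN_SPF = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.meridian-aero.example; "
                    "dkim=fail header.d=meridian-aero.example")

if __name__ == "__main__":
    for label, ar in [("spoofed", AR_SPOOFED), ("legit", AR_LEGIT), ("subdomain-spf", AR_SUBDOMAIN_SPF)]:
        print(f"{label:14s} p=none -> {dmarc_disposition(FROM_DOMAIN, ar, WEAK_RECORD):7s} "
              f"p=reject/strict -> {dmarc_disposition(FROM_DOMAIN, ar, STRONG_RECORD)}")
```

The last sample is the usual reason organizations stall at p=none: moving to strict alignment or p=reject first requires every legitimate sending system (marketing platforms, ticketing tools, subdomains) to sign with an aligned DKIM key.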

Attack & Defense Perspectives

RED TEAM

🕵 The Attacker's Playbook

The red team approaches T1598 as a systematic intelligence-gathering operation. Every phishing campaign begins with meticulous preparation and ends with data extraction.


Reconnaissance Phase: Before crafting any phishing email, attackers conduct extensive OSINT. They use T1589 to collect employee names, titles, email formats, and LinkedIn profiles. They use T1591 to understand the organization's structure, vendor relationships, and current events that could serve as convincing pretexts.


Weaponization Phase: Using the gathered intelligence, attackers craft highly personalized emails that reference real projects, real deadlines, and real organizational dynamics. They register lookalike domains using typosquatting or homograph attacks. They build pixel-perfect replicas of legitimate login portals hosted on compromised infrastructure.


Delivery Phase: The phishing email is sent, often timed to align with real events (tax season, product launches, or internal policy changes) to maximize the probability of engagement. Attackers may use compromised accounts from previous phishing campaigns to send the emails, lending additional legitimacy.


Exploitation Phase: Once credentials are harvested, attackers immediately attempt to access the victim's email, cloud storage, VPN, and internal systems. They look for stored credentials, forwarding rules to set up, and additional targets within the organization to phish laterally.

BLUE TEAM

🛡 The Defender's Shield

The blue team builds layered defenses that address phishing at every stage , from email delivery to post-compromise detection.


Pre-Delivery Defenses: Deploy email authentication (DMARC, DKIM, SPF) to reject spoofed emails at the gateway. Implement advanced threat protection that uses AI and machine learning to detect phishing patterns, analyze URL reputations, and sandbox attachments. Block known malicious domains and IP ranges identified through threat intelligence feeds.


Human Defenses: Security awareness training is the most critical layer. Conduct regular simulated phishing exercises with increasing difficulty. Train employees to recognize social engineering tactics, verify senders, hover over links, and report suspicious emails. Track metrics like click-through rates and reporting rates to measure improvement.


Technical Defenses: Enforce MFA on all accounts, with a preference for phishing-resistant methods (FIDO2 keys). Implement conditional access policies that evaluate risk signals before granting access. Deploy endpoint detection and response (EDR) solutions that can detect phishing-related malware and credential theft.


Detection & Response: Monitor email logs, authentication logs, and cloud audit trails for indicators of compromise. Look for impossible travel (logins from two distant locations in a short timeframe), unusual inbox rules, mass forwarding, and access to sensitive data from new devices or locations.

How Attackers Exploit Human Weakness

👁 Understanding the Adversary's Advantage (Safe, Legal, Non-Technical Explanation)

Phishing succeeds not because of technological sophistication, but because of fundamental aspects of human psychology that attackers systematically exploit. Understanding these weaknesses is the first step toward building effective defenses , and this knowledge is entirely safe and legal to learn.


1. Authority Bias: Humans are wired to obey authority figures. When an email appears to come from a CEO, CFO, or government agency, our instinct is to comply without questioning. Attackers exploit this by impersonating figures of authority and crafting messages that demand immediate compliance. The MITRE technique T1591.004 (Identify Roles) shows how attackers identify the right authority figures to impersonate.


2. Urgency & Scarcity: Messages such as "act now or lose access" or "this offer expires in 1 hour" are designed to make the target act before deliberating. Time pressure narrows attention to the immediate demand and crowds out the slower checks (who really sent this, does the link match the sender) that would expose the fraud.


3. Social Proof & Familiarity: We trust what's familiar. If an email references a colleague's name, mentions a recent company event, or uses the same formatting as legitimate corporate communications, it feels safe. Attackers gather this information through reconnaissance techniques like T1589.003 (Employee Names) and T1591.002 (Business Relationships) to create convincing pretexts.


4. Cognitive Load & Distraction: People make worse decisions when multitasking, stressed, or distracted. Attackers time phishing campaigns to coincide with busy periods: Monday mornings, end of quarter, tax season, or organizational changes. T1591.003 (Identify Business Tempo) describes how attackers determine the optimal timing.


5. Trust in Technology: Many people assume that if an email arrived in their inbox, it must be legitimate; after all, shouldn't the spam filter catch anything dangerous? This misplaced trust in technical controls is exactly what attackers rely on. Email filters catch most phishing, but they can't catch everything, and attackers constantly evolve their techniques to evade detection.


Note: This analysis is intended for defensive and educational purposes. Understanding attacker psychology helps individuals and organizations build better defenses. Always apply this knowledge ethically and in accordance with applicable laws.


Threat Hunting Queries & Indicators

Security teams can use these indicators to detect potential phishing-related activity in their environments:

  • HIGH: Authentication from unfamiliar IP geolocations within minutes of a phishing report
  • HIGH: Inbox forwarding rules created to external addresses (data exfiltration indicator)
  • HIGH: Multiple failed MFA challenges followed by a successful login from a new device
  • MEDIUM: Login patterns showing "impossible travel" (two distant locations within a short time)
  • MEDIUM: Large volumes of email deletion or folder restructuring after initial compromise
  • MEDIUM: Access to SharePoint/OneDrive files not normally accessed by the user account
  • LOW: Increased email reply rates to external domains compared to baseline
  • LOW: User-Agent string changes suggesting a switch to a different device or browser
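Three of the indicators above (sign-in from a new IP shortly after a phishing report, external forwarding rules, and impossible travel) implemented over sample events, as an added example that is not part of the original page. The event schema is a simplified stand-in for a Microsoft 365 sign-in and mailbox audit log; users, IPs (RFC 5737 documentation ranges), coordinates and timestamps are constructed to replay the Marcus Chen story, and ORG_DOMAIN is hypothetical.

```python
"""Three hunts over constructed sign-in and mailbox-rule events (added example).
Assumptions: the event schema is a simplified stand-in for a Microsoft 365
audit log; users, IPs, coordinates and timestamps are constructed;
ORG_DOMAIN is hypothetical."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

ORG_DOMAIN = "meridian-aero.example"   # hypothetical
MAX_SPEED_KMH = 900.0                  # no traveller moves faster than an airliner
MIN_DISTANCE_KM = 50.0                 # ignore geolocation jitter inside one city

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_SPEED_KMH):
    """Consecutive sign-ins by one user that would require travelling faster than max_kmh.
    Returns (user, previous_ip, new_ip, implied_kmh)."""
    alerts, last = [], {}
    for e in sorted(signins, key=lambda e: (e["user"], e["ts"])):
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            kmh = km / max(hours, 1e-9)
            if km > MIN_DISTANCE_KM and kmh > max_kmh:
                alerts.append((e["user"], prev["ip"], e["ip"], round(kmh)))
        last[e["user"]] = e
    return alerts

def external_forwarding(rule_events, org_domain=ORG_DOMAIN):
    """Inbox rules that forward or redirect to an address outside the organisation."""
    return [(r["user"], r["rule"], target)
            for r in rule_events for target in r.get("forward_to", [])
            if not target.lower().endswith("@" + org_domain)]

def post_report_signins(signins, reports, window_minutes=60):
    """Sign-ins from an IP the user had never used, shortly after that user reported
    phishing: the harvested password is being tried while the report is still queued."""
    alerts = []
    for rep in reports:
        mine = [e for e in signins if e["user"] == rep["user"]]
        known_ips = {e["ip"] for e in mine if e["ts"] <= rep["ts"]}
        for e in mine:
            minutes = (e["ts"] - rep["ts"]).total_seconds() / 60
            if 0 < minutes <= window_minutes and e["ip"] not in known_ips:
                alerts.append((e["user"], e["ip"]))
    return alerts

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed events: Marcus signs in from the office, reports the phish at 09:52,
# and thirteen minutes later his account is used from the other side of the world.
SIGNINS = [
    {"user": "marcus.chen", "ts": _t("2025-03-11T09:40:00"), "ip": "203.0.113.10", "lat": 47.61, "lon": -122.33},
    {"user": "marcus.chen", "ts": _t("2025-03-11T10:05:00"), "ip": "198.51.100.77", "lat": 50.45, "lon": 30.52},
    {"user": "dana.ruiz", "ts": _t("2025-03-11T09:00:00"), "ip": "203.0.113.11", "lat": 47.61, "lon": -122.33},
    {"user": "dana.ruiz", "ts": _t("2025-03-11T17:30:00"), "ip": "203.0.113.11", "lat": 47.61, "lon": -122.33},
]
RULE_EVENTS = [
    {"user": "marcus.chen", "rule": "Archive", "forward_to": ["m.chen.backup@gmail.com"]},
    {"user": "dana.ruiz", "rule": "Delegate", "forward_to": ["assistant@meridian-aero.example"]},
]
PHISH_REPORTS = [{"user": "marcus.chen", "ts": _t("2025-03-11T09:52:00")}]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGNINS))
    print("external forwarding:", external_forwarding(RULE_EVENTS))
    print("sign-ins after report:", post_report_signins(SIGNINS, PHISH_REPORTS))
```

In production the same three functions would read the real sign-in and UnifiedAuditLog exports; the thresholds (900 km/h, 50 km, 60 minutes) are the tunable part, and VPN egress points need an allow-list or the impossible-travel rule will page on every remote worker.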

Join the Conversation

💬 Have Questions About Phishing Defense?

Phishing is the most common attack vector, and no organization is immune. Whether you're a security professional looking to improve your detection capabilities, a manager wanting to protect your team, or an individual who wants to stay safe online, your questions and experiences matter.

Share your thoughts:

  • ➤ Have you encountered a convincing phishing attempt? What tipped you off?
  • ➤ What phishing awareness training methods have worked best in your organization?
  • ➤ How do you balance security with user experience when implementing anti-phishing controls?
  • ➤ What questions do you have about T1598 and its sub-techniques?

Leave your comments and questions below. Let's build a community of informed defenders.
