> attack_class: social engineering —— vector: targeted email —— success_rate: highest of any initial access technique —— defence: technology + human judgement —— status: the threat that never goes away
A finance director receives an email from what appears to be the company's CEO. The email references a real acquisition the company is pursuing — one that has not been publicly announced. The tone matches the CEO's writing style: terse, direct, no pleasantries. The email asks the finance director to process an urgent wire transfer to a solicitor handling the deal, and includes a PDF attachment with the payment details. The email address is one character different from the CEO's real address — an 'rn' where an 'm' should be, invisible at a glance. The PDF contains a link to what appears to be a secure document portal. The portal is the real Microsoft 365 login page, relayed through an adversary-in-the-middle proxy that captures the finance director's credentials and authenticated session token the moment they sign in.
This is spear phishing. Not a bulk campaign sent to ten thousand inboxes hoping someone clicks. A targeted, researched, personally crafted attack directed at a specific individual, using information gathered about them, their organisation, their role, and their current activities to create a pretext that is almost indistinguishable from legitimate communication. The attacker knew the target's name, their position, their CEO's name and writing style, the existence of an undisclosed acquisition, and the email format the organisation uses. All of that intelligence was gathered before a single email was composed.
Spear phishing is the most common initial access vector used by advanced threat actors, state-sponsored and criminal alike. APT1 used it to compromise 141 organisations across 20 industries in a campaign running from at least 2006 until Mandiant exposed the group in 2013. APT35 used it to target journalists and academic researchers studying Iranian policy, building rapport over weeks before delivering payloads. APT42 created elaborate fake personas and maintained months-long email correspondence before sending a single malicious link. Scattered Spider used it alongside helpdesk social engineering and MFA fatigue to breach MGM Resorts and Caesars Entertainment. LAPSUS$ opened its 2022 Uber intrusion with the same social engineering toolkit: an MFA fatigue attack on a contractor, followed by a message posing as Uber IT support telling them to approve the prompt. The Picus Red Report 2026 documents that credential theft now features in nearly one in four attacks, and spear phishing is the primary method by which those credentials are harvested. The technique has persisted for over two decades not because defenders lack technology, but because it exploits the one vulnerability that cannot be patched: human trust.
The terms are often used interchangeably, but the operational difference between bulk phishing and spear phishing is enormous — and understanding it is essential for defence, because the controls that stop one are largely ineffective against the other.
| Characteristic | Bulk Phishing | Spear Phishing |
|---|---|---|
| Target Selection | Untargeted. Sent to thousands or millions of addresses harvested from breaches, scraping, or purchased lists. The attacker does not know or care who the recipients are. | Specifically selected individuals chosen for their role, access, or authority within a target organisation. The attacker has researched the target before composing the email. |
| Personalisation | Generic. 'Dear Customer', 'Your account has been suspended', 'Invoice attached'. No personalisation beyond perhaps the recipient's name pulled from a data set. | Highly personalised. References the target's name, role, colleagues, current projects, recent events, or organisational context. May mimic the writing style of a known contact. |
| Pretext | Broad pretexts designed to apply to as many people as possible — fake delivery notifications, bank alerts, password reset requests, tax refund scams. | Specific pretexts tailored to the target's role and responsibilities — a CFO receives a fake acquisition document, an IT administrator receives a fake vulnerability alert from a vendor they actually use, a developer receives a fake pull request notification for a repository they contribute to. |
| Sender Impersonation | Impersonates well-known brands (Microsoft, DHL, Amazon, banks). No attempt to impersonate anyone the target knows personally. | Impersonates a specific individual the target knows and trusts — their CEO, a colleague, a client, a supplier, a recruiter, a journalist. Uses lookalike domains, compromised accounts, or spoofed headers to make the impersonation convincing. |
| Success Rate | Low per-email (typically 1–3% click rate). Relies on volume — if you send a million emails, 10,000–30,000 clicks is a viable return for a criminal operation. | High per-email. A well-researched spear phish against a well-chosen target may have a success rate of 30–50% or higher. The attacker needs only one person to engage. |
| Technical Sophistication | Often low. Commodity phishing kits, mass mailing infrastructure, minimal evasion. Many campaigns reuse identical templates across thousands of targets. | Ranges from moderate to very high. May include adversary-in-the-middle proxies for real-time credential and session token theft, custom malware payloads, HTML smuggling, and multi-stage delivery chains designed to evade the specific email security products the target organisation uses. |
| Who Uses It | Cybercriminal groups operating at scale — credential harvesting operations, romance scams, advance fee fraud, commodity malware distribution. | Advanced Persistent Threat groups (state-sponsored espionage), targeted ransomware operators (Scattered Spider, LAPSUS$, Conti affiliates), Business Email Compromise syndicates, and red team operators conducting authorised engagements. |
The defensive implication is critical: the technical controls that are effective against bulk phishing — spam filters, URL reputation databases, known-bad signature lists — are far less effective against spear phishing. A spear phish uses a newly registered domain with no reputation history, references real people and real events that pass plausibility checks, and may use a legitimate email service or compromised account that passes all authentication checks. The attack is designed from the ground up to bypass the specific defences the target organisation has deployed. This is why organisations that achieve near-zero click rates on generic phishing simulations still get breached through targeted spear phishing — they are measuring resilience against the wrong threat.
The quality of a spear phishing attack is directly proportional to the quality of the reconnaissance that precedes it. Before composing a single email, the attacker gathers intelligence about the target individual and their organisation — and most of that intelligence is freely available from public sources. The reconnaissance phase is not optional. It is what distinguishes spear phishing from bulk phishing, and it is what makes the resulting emails so difficult for both humans and technology to identify as malicious.
The entire reconnaissance phase can be completed in hours using only publicly available information. No technical exploitation is required. No laws are broken during the intelligence gathering. The attacker simply reads what the target and their organisation have published — and uses it against them. This is why reducing your OSINT footprint is a defensive measure, and why social engineering assessments should always include a reconnaissance phase that demonstrates exactly what an attacker can learn about the organisation before sending a single email.
A well-crafted spear phishing email is not merely convincing to the human recipient — it is engineered to bypass the specific email security controls deployed by the target organisation. The attacker considers and addresses each layer of technical defence, ensuring the email reaches the inbox where the human target can engage with it.
| Defence Layer | How Bulk Phishing Fails Here | How Spear Phishing Evades It |
|---|---|---|
| Spam Filters | Known-bad sender addresses, domains, and IP ranges are blocked. Mass-mailing patterns trigger volume-based heuristics. Known phishing templates match signature databases. | Uses newly registered domains with no reputation history, or legitimate email services (Gmail, Outlook.com), or compromised accounts with established sending history. Single recipient — no volume pattern to detect. Unique content — no matching signature. |
| Email Authentication (SPF/DKIM/DMARC) | Spoofed sender addresses fail SPF and DKIM checks. DMARC enforcement (p=reject) blocks unauthenticated messages claiming to be from the spoofed domain. | Uses lookalike domains (hedgeh0g-security.com, hedgehog-secur1ty.com) that the attacker registers and configures with their own valid SPF and DKIM, so every check passes: DMARC only protects the exact domain it is published for. Or exploits the target's weak DMARC policy: with p=none (monitoring only, no enforcement) nothing instructs receivers to reject mail that spoofs the internal domain outright, so the attacker can spoof the exact internal domain. Or compromises a legitimate account and sends from it, passing every authentication check. |
| URL Reputation and Sandboxing | Known malicious URLs are blocked. Sandbox analysis follows links and detonates landing pages to detect credential harvesting or malware delivery. | Uses newly created URLs with no reputation. Links may redirect through legitimate services (Google AMP, Cloudflare Workers, Azure Blob Storage, SharePoint). AitM credential harvesting proxies present the genuine Microsoft login page — sandbox analysis sees a legitimate website because it is one, merely proxied. Time-delayed activation ensures the URL is benign when scanned at delivery and malicious when clicked hours later. |
| Attachment Scanning | Known malware signatures detected. Sandbox detonation observes malicious behaviour in attachments. | Attachments may be clean PDFs containing links rather than embedded malware, so there is nothing malicious to detect. Password-protected archives prevent sandbox analysis. HTML smuggling assembles the payload in the browser from encoded data inside an HTML attachment, so the file that crosses the gateway contains no executable for network scanning to find. Modern malware adds sandbox evasion: LummaC2, for example, applies trigonometry to the angles between successive mouse positions to tell a human operator from a scripted cursor (as documented in the Picus Red Report 2026) and suppresses malicious behaviour when it decides it is being analysed. |
| User Awareness Training | Users trained to spot generic phishing — poor grammar, unfamiliar senders, suspicious urgency, 'Dear Customer' salutations — successfully identify and report bulk phishing campaigns. | The email comes from or appears to come from someone the user knows. References real events. Uses correct grammar and appropriate tone. Creates plausible urgency tied to the target's actual responsibilities. The indicators that awareness training teaches users to identify are deliberately absent — because the attacker read the same awareness training materials. |
The pattern is consistent: each layer of defence was designed to stop untargeted attacks at scale. A spear phish is neither untargeted nor at scale — it is a single, precision-crafted message designed to pass every check. This does not mean these defences are worthless — they remain essential for stopping the vast majority of phishing attempts. But it does mean that no combination of email security controls alone can guarantee that a well-crafted spear phish will not reach an inbox. Defence must extend beyond the email gateway.
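The two email-authentication evasions in the table (a lookalike domain with its own SPF/DKIM, and a target domain left at p=none) are both things a defender can test for before an attacker does. The following is an added example, not code from the original page: a lookalike-domain screen that folds the confusable substitutions attackers use (the 'rn' for 'm' swap from the opening scenario, digits for letters, separator stuffing, TLD swaps, one-character typos) and a DMARC record checker that reports the weaknesses that let the exact domain be spoofed. The domains, the confusable table and the DMARC records are constructed; the registrable-domain split assumes a single-label TLD and does not consult the public suffix list.

```python
import re
from typing import Optional

# Character sequences attackers substitute to build lookalike domains, mapped
# to the character they imitate. Constructed starting list, not exhaustive;
# "rn" for "m" is the swap used against the finance director in the scenario.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l", "|": "l",
    "3": "e", "5": "s",
}


def fold(label: str) -> str:
    """Drop separators and collapse confusable sequences (longest first) so a
    lookalike and the domain it imitates fold to the same string."""
    out = label.lower().replace("-", "")
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one dropped, added or swapped character
    (hedgehogsecurty, hedgehogsecurjty)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple[str, str]:
    """Split into (second-level label, TLD). Assumption: two-label suffixes
    such as .co.uk are not handled; use a public-suffix library in production."""
    parts = domain.lower().strip().strip(".").split(".")
    return parts[-2], parts[-1]


def imitates(sender_domain: str, trusted_domains: list[str]) -> Optional[str]:
    """Return the trusted domain a sender domain imitates, or None.
    An exact match is genuine. A match after confusable folding, a single
    edit away, or the same label under another TLD, is a lookalike."""
    s_label, s_tld = registrable(sender_domain)
    for trusted in trusted_domains:
        t_label, t_tld = registrable(trusted)
        if (s_label, s_tld) == (t_label, t_tld):
            return None
        fs, ft = fold(s_label), fold(t_label)
        if fs == ft or edit_distance(fs, ft) == 1:
            return trusted
    return None


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=...') into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(record: Optional[str]) -> list[str]:
    """Findings that leave the exact domain spoofable or unmonitored."""
    if not record:
        return ["no DMARC record: receivers have no policy to apply"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("invalid record: missing v=DMARC1")
    policy = tags.get("p", "none").lower()          # p is mandatory; absent means unenforced
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk, not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applied to only {pct}% of messages")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains (e.g. mail.example.com) can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


TRUSTED = ["acme-holdings.com", "hedgehog-security.com"]   # constructed allow-list

if __name__ == "__main__":
    for d in ["acrne-holdings.com", "hedgeh0g-security.com", "hedgehog-secur1ty.com",
              "hedgehog-security.co", "acme-holdings.com", "gmail.com"]:
        print(f"{d:26} -> {imitates(d, TRUSTED)}")
    for rec in ["v=DMARC1; p=none; rua=mailto:dmarc@acme-holdings.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@acme-holdings.com", None]:
        print(rec, dmarc_weaknesses(rec))
```

Run the folding check against the envelope sender and the display-name domain of inbound mail, not just the From header, and feed the trusted list from your own domains plus key suppliers and clients. The two checks are complementary: DMARC at p=reject stops the exact-domain spoof, and only the lookalike screen catches the registered cousin domain that DMARC will never see.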
The spear phishing email is the delivery mechanism. What it delivers — the payload — determines the impact. Modern spear phishing campaigns use several payload types, often in combination, and the choice of payload reflects the attacker's objective, the target's environment, and the defences they need to evade.
Two specialised variants of spear phishing deserve particular attention because of their outsized financial and strategic impact.
Whaling targets senior executives — CEOs, CFOs, board members, managing directors, general counsel. These individuals have the authority to approve large financial transactions, access the most sensitive corporate information, and override standard procedures. They are also frequently the least likely to follow security policies — using personal devices, requesting exceptions to MFA requirements, and operating with a sense of urgency that discourages verification. A successful whaling attack against a CFO can result in direct financial losses measured in millions from a single fraudulent transaction. The term reflects the scale of the prize: the attacker is not fishing for any catch — they are targeting the biggest fish in the organisation.
Business Email Compromise (BEC) takes whaling further still. Rather than impersonating an executive via a lookalike domain, the attacker compromises the executive's actual email account, often through a prior spear phishing credential harvest using an AitM proxy. Once inside the real mailbox, the attacker monitors email conversations silently, identifies pending transactions (payments to suppliers, deal closings, invoice settlements), studies the communication patterns and writing style, and at precisely the right moment sends an email from the genuine account requesting that payment details be changed or an urgent transfer be processed. Because the email comes from the real account, passes every authentication check, matches the executive's writing style, and references a real transaction the finance team is already expecting, even cautious, well-trained finance teams comply. The FBI's Internet Crime Complaint Center (IC3) reports that BEC has caused greater cumulative financial losses than any other category of cybercrime, with global exposed losses exceeding $50 billion since tracking began. This is not a technology failure. Every technical control works exactly as designed. The email is authentic. The account is genuine. The authentication is valid. The failure is in process: one that permits high-value financial transactions on the strength of email authority alone.
Every major APT group documented in the threat intelligence literature uses spear phishing as a primary or significant initial access vector. The table below draws from groups we have profiled in our threat intelligence series, demonstrating the consistency of the technique across different nations, motivations, and operational objectives.
| Threat Actor | Spear Phishing Methodology | Notable Campaigns |
|---|---|---|
| APT1 / Comment Crew (PRC/PLA Unit 61398) | Sent emails containing malicious ZIP attachments with disguised executables using double extensions (report.pdf.exe). Subject lines and body text tailored to recipients' professional interests. Created webmail accounts using real people's names. When victims replied asking about unexpected attachments, APT1 operators replied in conversational English encouraging them to open the files: active, real-time social engineering. | 141 organisations across 20 industries between 2006 and Mandiant's 2013 report. In one case 6.5 TB of compressed data was stolen from a single organisation over ten months. Used the custom WEBC2 malware family, which received commands via HTML comments on legitimate-looking web pages, hiding C2 traffic in plain sight. |
| APT35 / Charming Kitten (Iran/IRGC) | Conducted extended social engineering campaigns, building rapport with targets over weeks or months before delivering any payload. Impersonated journalists conducting interviews, academic researchers seeking collaboration, and think-tank organisers extending conference invitations. Created convincing fake personas with detailed LinkedIn profiles, personal websites, and publication histories. The patience was the weapon: by the time the payload was delivered, the target trusted the persona. | Journalists covering Iranian affairs, human rights activists, academic researchers, policy experts, government officials in the US, UK, and Middle East. Focus on intelligence collection for the IRGC: monitoring dissidents and understanding Western policy positions. |
| APT42 (Iran/IRGC) | Similar to APT35 but with even more elaborate persona development. Created fully backstopped fake identities with social media presence, academic publications, and professional histories. Engaged targets in prolonged correspondence, some lasting months, building genuine professional relationships before introducing a malicious link or document. Demonstrated exceptional patience and social engineering skill, willing to invest significant time in a single target. | Political campaigns (including US election-related targeting), government officials, NGOs, media organisations, academic institutions. Focused on surveillance, intelligence collection, and credential harvesting to enable monitoring of persons of interest to the Iranian state. |
| APT29 / Cozy Bear (Russia/SVR) | Compromised legitimate email accounts and used them to send spear phishing emails to new targets, ensuring the emails passed every authentication check and reputation filter. Used HTML smuggling to deliver payloads that bypassed email security gateways. Deployed multi-stage infection chains with significant obfuscation. Known for operational patience and exceptional OPSEC. | Government agencies, diplomatic missions, think tanks, technology companies globally. TeamViewer attributed the June 2024 compromise of its corporate IT environment to APT29, entered through the credentials of a standard employee account. Responsible for the SolarWinds supply chain compromise, although how the group first entered SolarWinds' own network has never been publicly confirmed. |
| APT34 / OilRig (Iran/MOIS) | Combined spear phishing with DNS tunnelling for covert data exfiltration. Delivered weaponised documents that established backdoors communicating via DNS queries, a channel that most organisations monitor poorly if at all. Used legitimate web services for C2 communication, hiding malicious traffic within normal web browsing patterns. | Government, energy, telecoms, and financial services organisations across the Middle East. Focused on intelligence gathering in support of Iranian national security objectives. |
| Scattered Spider (Criminal) | Combined spear phishing with helpdesk social engineering, SIM swapping, MFA fatigue attacks, and voice phishing (vishing). Impersonated IT staff via email and SMS to direct employees to credential harvesting sites. Called helpdesks impersonating employees to request password resets and MFA token resets. Contacted targets via messaging apps while bombarding them with push notifications. Demonstrated that technical sophistication is secondary to social engineering skill. | MGM Resorts ($100M+ impact), Caesars Entertainment (paid ransom), multiple technology and telecoms companies. Financially motivated: ransomware deployment and data theft for extortion. |
The common thread across all these actors — spanning three different nations and motivations ranging from state espionage to financial extortion — is that spear phishing remains the preferred initial access vector. Not because more technically sophisticated methods are unavailable, but because spear phishing works more reliably, more repeatedly, and at lower cost than exploiting software vulnerabilities. A zero-day exploit costs hundreds of thousands of pounds to develop and is burned once used. A spear phishing email costs hours of research and can be adapted and reused indefinitely.
MITRE ATT&CK classifies spear phishing under Phishing (T1566) within the Initial Access tactic (TA0001), with four sub-techniques reflecting the different delivery channels attackers use. Understanding these classifications helps organisations map their defences to specific attack vectors and identify gaps in coverage.
| Technique ID | Name | Description | Primary Defences |
|---|---|---|---|
| T1566.001 | Spearphishing Attachment | Email contains a malicious file: Office documents with macros, executables in archives, ISO disk images, HTML files with embedded payloads, LNK shortcut files. Requires user interaction to execute. Most commonly used when the attacker wants to establish a persistent foothold on the target's endpoint rather than just harvesting credentials. | Attachment sandboxing with anti-evasion capabilities. Block dangerous file types at the email gateway (.iso, .img, .hta, .lnk, password-protected archives). Disable Office macros by default via Group Policy for users who do not require them. Application control (AppLocker, WDAC) to prevent execution of untrusted files. Endpoint Detection and Response for post-execution detection. |
| T1566.002 | Spearphishing Link | Email contains a link to an attacker-controlled resource: a credential harvesting page (often via AitM proxy), a drive-by download site, or a legitimate cloud service hosting the next stage of the payload. The most common spear phishing sub-technique in 2025/2026 because AitM credential harvesting defeats every MFA method that is not phishing-resistant (SMS, TOTP, push, including number matching): the user genuinely completes MFA, and the proxy keeps the resulting session cookie. | URL rewriting with time-of-click analysis (re-evaluates URLs when clicked, not only at delivery). Phishing-resistant MFA (FIDO2/WebAuthn), whose origin binding means the proxy's domain can never complete the sign-in. Because the proxy steals the post-MFA session token rather than the password alone, constrain the token too: short sign-in session lifetimes, risk-based policies that revoke sessions, and device binding of tokens where the identity platform supports it. Browser isolation for high-risk users. Conditional access policies that restrict authentication to compliant devices and managed networks. |
| T1566.003 | Spearphishing via Service | Spear phishing delivered via a platform other than corporate email: LinkedIn messages, Slack DMs, Microsoft Teams messages, SMS (smishing), WhatsApp, social media direct messages. Bypasses email security controls entirely because the delivery channel is different. | Security awareness that extends beyond email to cover all communication channels. Endpoint detection for malicious downloads regardless of source. Network monitoring for connections to known phishing infrastructure. MFA and conditional access that protect accounts regardless of how credentials are harvested. |
| T1566.004 | Spearphishing Voice | The attacker telephones the target, typically posing as IT support, a vendor or a colleague, and talks them into running software, reading out a password or MFA code, approving a push prompt, or asking the helpdesk to reset their credentials. Often paired with an email or SMS lure that supplies the number to call back. Scattered Spider's helpdesk calls fall here. | Helpdesk identity verification that cannot be satisfied from OSINT (callback to a number of record, manager confirmation for MFA resets). Awareness training that covers phone pretexts, not only email. Phishing-resistant MFA, so that a spoken code or an approved prompt is worth little. Alerting on password resets and MFA method changes performed by the helpdesk. |
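The T1566.001 row lists HTML files with embedded payloads and recommends attachment sandboxing; the evasion table earlier explained why HTML smuggling slips past network scanning. As an added example (not code from the original page), this is a small triage scanner for HTML attachments: it looks for the browser APIs a smuggling page needs to rebuild and drop a file client-side (atob, Blob, createObjectURL, the download attribute), decodes any long base64 run and sniffs the file signature inside it, and scores the result. The two attachments it scans are constructed here; the "executable" is an MZ header with filler, nothing that runs.

```python
import base64
import binascii
import re

# Browser APIs an HTML-smuggling page needs to rebuild and save a file
# client-side. Patterns are deliberately loose; real samples add obfuscation
# (split strings, XOR, reversed base64) that this does not unpick.
SMUGGLING_MARKERS = [
    (r"\batob\s*\(", "atob(): base64 decoded in the browser"),
    (r"\bnew\s+Blob\s*\(", "Blob(): payload assembled in memory"),
    (r"URL\.createObjectURL\s*\(", "createObjectURL(): blob exposed as a download link"),
    (r"\.download\s*=", "download attribute: file save forced without navigation"),
    (r"msSaveOrOpenBlob", "msSaveOrOpenBlob(): legacy IE/Edge save path"),
]
# Any run of 200+ base64 characters is worth decoding and sniffing.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# File signatures to look for inside decoded blobs.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"\xd0\xcf\x11\xe0", "ole-document"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk-shortcut"),
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png-image"),
]
DROPPABLE = {"pe-executable", "elf-executable", "zip-archive", "ole-document", "lnk-shortcut"}


def sniff(raw: bytes) -> str:
    """Identify a decoded blob by its leading bytes."""
    for magic, name in MAGIC:
        if raw.startswith(magic):
            return name
    return "unknown"


def scan_html(html: str) -> dict:
    """Score an HTML attachment for smuggling indicators: matched API markers,
    file types found inside embedded base64 runs, and a verdict."""
    markers = [desc for pat, desc in SMUGGLING_MARKERS if re.search(pat, html)]
    payloads = []
    for run in B64_RUN.findall(html):
        try:
            payloads.append(sniff(base64.b64decode(run, validate=True)))
        except (binascii.Error, ValueError):
            continue   # not clean base64 (or a chopped run): skip, do not crash
    score = len(markers) + 2 * sum(1 for p in payloads if p in DROPPABLE)
    verdict = "smuggling" if score >= 3 else "suspicious" if score else "clean"
    return {"markers": markers, "payloads": payloads, "score": score, "verdict": verdict}


# Constructed samples: an MZ header plus filler standing in for a dropped
# executable, and a newsletter with an inline PNG that should score clean.
_PE_STUB = base64.b64encode(b"MZ" + b"\x90" * 300).decode()
_PNG_STUB = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300).decode()

SMUGGLED_HTML = """<html><body><p>Loading secure document portal...</p><script>
var b64 = "%s";
var bin = atob(b64), bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Acquisition_Deal_Terms.pdf.exe";
a.click();
</script></body></html>""" % _PE_STUB

BENIGN_HTML = ('<html><body><img src="data:image/png;base64,%s">'
               '<p>Monthly newsletter</p></body></html>' % _PNG_STUB)

if __name__ == "__main__":
    for name, doc in [("smuggled", SMUGGLED_HTML), ("benign", BENIGN_HTML)]:
        print(name, scan_html(doc))
```

Treat a "smuggling" verdict as a reason to detonate the file in a sandbox with a real browser rather than as proof, and remember the inverse does not hold: a page that XORs its payload or splits the base64 across many string literals will score low here. That asymmetry is why the table's first recommendation is to block the risky attachment types at the gateway for users who have no business receiving them.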
Understanding spear phishing in isolation is insufficient. The email is step one in an attack chain that, left undetected, leads to full organisational compromise. This walkthrough demonstrates the complete lifecycle — from reconnaissance through objective completion — using techniques documented from real APT operations and our own engagement experience.
Every step in that chain used documented, repeatable techniques. No zero-day exploits. No custom malware. No exceptional technical skill beyond competent OSINT and infrastructure setup. The DMARC misconfiguration enabled the domain spoof. The AitM proxy defeated MFA. The LinkedIn post provided the pretext. The Friday afternoon timing reduced scrutiny. Six distinct detection opportunities existed and were missed — not because the technology was absent, but because it was not configured, not monitored, or not designed to detect this specific attack pattern.
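One of the missed detection opportunities described above sits in the identity platform's sign-in telemetry, at the moment the AitM proxy defeats MFA. Because the proxy, not the user, talks to the identity provider, the MFA-satisfied sign-in arrives from the proxy's hosting address; and because the stolen cookie is then imported into the attacker's own browser, one session id appears from a second network minutes later. The following is an added example, not code from the original page: a detector for those two indicators run over a handful of constructed sign-in records in a simplified Entra-style shape (field names, ASN list and addresses, drawn from RFC 5737 documentation ranges, are all assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# ASN organisation substrings where an interactive, MFA-satisfied user sign-in
# is unexpected: AitM proxies run on rented VPS capacity. Constructed list.
HOSTING_ASNS = ("digitalocean", "hetzner", "amazon", "linode", "ovh", "vultr", "m247")
REPLAY_WINDOW = timedelta(hours=1)

# Constructed sign-in records. Addresses are from RFC 5737 documentation ranges.
SIGNINS = [
    {"ts": "2026-03-06T16:02:11Z", "user": "f.director@acme-holdings.com", "ip": "192.0.2.10",
     "asn_org": "BT Public Internet Service", "ua": "Chrome/122 Windows", "session": "s-1a",
     "result": "success", "mfa": "satisfied"},       # the director's genuine morning sign-in
    {"ts": "2026-03-06T16:31:47Z", "user": "f.director@acme-holdings.com", "ip": "198.51.100.20",
     "asn_org": "DigitalOcean LLC", "ua": "Chrome/122 Windows", "session": "s-7f",
     "result": "success", "mfa": "satisfied"},       # credentials and MFA relayed through the proxy
    {"ts": "2026-03-06T16:44:05Z", "user": "f.director@acme-holdings.com", "ip": "203.0.113.5",
     "asn_org": "M247 Europe SRL", "ua": "Firefox/123 Linux", "session": "s-7f",
     "result": "success", "mfa": "n/a"},             # stolen cookie imported into the attacker's browser
    {"ts": "2026-03-06T17:10:30Z", "user": "f.director@acme-holdings.com", "ip": "192.0.2.11",
     "asn_org": "BT Public Internet Service", "ua": "Chrome/122 Windows", "session": "s-1a",
     "result": "success", "mfa": "n/a"},             # legitimate: new IP, same ISP, same session
    {"ts": "2026-03-06T17:15:00Z", "user": "j.smith@acme-holdings.com", "ip": "192.0.2.200",
     "asn_org": "EE Limited", "ua": "Safari iOS", "session": "s-3c",
     "result": "success", "mfa": "satisfied"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_aitm(events: list[dict]) -> list[dict]:
    """Two post-delivery indicators of AitM credential and session theft.
    hosting_asn_signin: MFA satisfied on a sign-in sourced from a hosting
      provider (the proxy, not the user, completed the sign-in).
    session_replay: one session id used from two different networks within
      REPLAY_WINDOW, the signature of a cookie copied to another machine.
    Comparing ASN rather than IP avoids flagging a user whose ISP address
    changed."""
    findings = []
    for e in events:
        if (e["result"] == "success" and e["mfa"] == "satisfied"
                and any(k in e["asn_org"].lower() for k in HOSTING_ASNS)):
            findings.append({"type": "hosting_asn_signin", "user": e["user"],
                             "session": e["session"], "ip": e["ip"]})
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    for sid, evs in by_session.items():
        evs.sort(key=lambda x: _ts(x["ts"]))
        first = evs[0]
        for later in evs[1:]:
            if (later["asn_org"] != first["asn_org"]
                    and _ts(later["ts"]) - _ts(first["ts"]) <= REPLAY_WINDOW):
                findings.append({"type": "session_replay", "user": later["user"], "session": sid,
                                 "ip": f"{first['ip']} -> {later['ip']}",
                                 "ua_changed": later["ua"] != first["ua"]})
                break
    return findings


if __name__ == "__main__":
    for f in detect_aitm(SIGNINS):
        print(f)
```

Both indicators are cheap to compute from the session id, source ASN and user-agent columns that cloud identity platforms already log, and either one on a finance user with approval rights justifies revoking the session and forcing re-authentication before the mailbox is read. The response the logic enables (session revocation, not just a password reset) matters: resetting the password does nothing to a cookie the attacker already holds.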
When authorised to conduct social engineering assessments, our approach replicates the methodology of real threat actors — because testing against unrealistic simulations produces unrealistic results. An assessment using a generic 'Your password will expire' template tells you nothing about your organisation's resilience against the attacks that actually breach organisations.
No single control can prevent spear phishing. The attack is specifically designed to bypass individual defences. Effective protection requires layered defence where each control reduces the probability of success at its stage — and failure at one layer does not mean failure overall. The objective is not to make spear phishing impossible (it is not), but to ensure that the attack chain is disrupted before the attacker achieves their objective.
Spear phishing is fundamentally a human problem. The technology is the delivery mechanism, but the vulnerability being exploited is trust — the willingness of a human being to act on a request that appears to come from a trusted source. No email security product, however sophisticated, can make the determination that a particular request from a particular sender about a particular transaction is fraudulent when the email is technically legitimate, properly authenticated, and contextually plausible.
This does not mean technology is irrelevant — every layer of technical defence reduces the probability that a spear phish reaches a human inbox. But it does mean that any defensive strategy that relies exclusively on technology will fail. The organisations with the strongest resilience against spear phishing are those that combine technical controls with a culture of verification: where questioning unexpected requests is encouraged rather than seen as obstructive, where reporting suspicious communications is rewarded rather than punished, where financial processes include human verification steps that cannot be bypassed by email authority alone, and where senior executives are subject to the same security policies as everyone else — because they are the most valuable targets, not the least likely to be attacked.
The helpdesk deserves particular attention. Across our engagements, the helpdesk is consistently the weakest human link in the defensive chain — trained to be helpful, authorised to reset passwords and MFA tokens, and rarely trained to resist the level of social engineering that a targeted attacker will employ. Scattered Spider's breach of MGM Resorts began with a phone call to the helpdesk. Strengthening helpdesk verification procedures — requiring callback verification to a known number, implementing challenge questions that cannot be answered from OSINT, and restricting the scope of changes that can be made via phone — is one of the highest-impact defensive investments an organisation can make against both spear phishing and its voice-based equivalent.
Spear phishing is the most successful initial access technique in the threat landscape — and it has held that position for over two decades. It is used by every major APT group, every sophisticated criminal operation, and every competent red team. It succeeds because it exploits human trust rather than software vulnerabilities, because it is crafted to bypass the specific technical controls the target organisation has deployed, and because the reconnaissance required to make it convincing is freely available from public sources that the target organisation and its employees publish themselves.
The defence is not a single product, a single training programme, or a single policy. It is a layered strategy that combines email authentication at enforcement to prevent domain spoofing, advanced email security to detect suspicious content and links, phishing-resistant MFA to mitigate credential theft when users click, targeted awareness training to strengthen human judgement against realistic attacks, a reporting culture that rewards vigilance and enables rapid response, procedural controls for high-risk transactions that cannot be bypassed by email authority alone, post-delivery detection and response for when — not if — preventive controls fail, and ongoing reduction of the public information that enables attackers to craft convincing pretexts in the first place.
The most important defensive insight is this: a spear phishing email that reaches an inbox is not a failure of security. It is an expected event in any realistic threat model. The failure is when the email reaches the inbox, the user engages with it, the credentials or session tokens are harvested, the attacker establishes persistence, moves laterally, and achieves their objective — and nobody along that entire chain, from the user to the email platform to the SOC, identifies or responds to the compromise before it is too late. Every layer of defence that delays, detects, or disrupts that chain reduces the probability of catastrophic outcome. No single layer eliminates the risk. Together, they make the attacker's job materially harder — and in offensive security, harder means slower, and slower means more likely to be detected.
Our social engineering assessments replicate real threat actor methodology — researched, targeted, and designed to test your defences under realistic conditions. We measure not just who clicks, but who reports — because reporting is the behaviour that matters most.