{
	"id": "53d99aad-54d9-44f7-9161-f4346320da12",
	"created_at": "2026-04-06T00:20:17.696361Z",
	"updated_at": "2026-04-10T03:20:27.331909Z",
	"deleted_at": null,
	"sha1_hash": "abdcf87089ed3544667b2d13fbe6bf0e4cc5ff8d",
	"title": "CAPEC-163: Spear Phishing (Version 3.9)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57984,
	"plain_text": "CAPEC-163: Spear Phishing (Version 3.9)\r\nArchived: 2026-04-05 20:46:59 UTC\r\nAttack Pattern ID: 163\r\nAbstraction: Detailed\r\nDescription\r\nAn adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to\r\nhave maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to\r\na specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted\r\nentity. If the email account of some trusted entity has been compromised, the message may be digitally signed. The message\r\nwill contain information specific to the targeted users that will enhance the probability that they will follow the URL to the\r\ncompromised site. For example, the message may indicate knowledge of the target's employment, residence, interests, or\r\nother information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds\r\nas a standard Phishing attack.\r\nLikelihood Of Attack\r\nHigh\r\nTypical Severity\r\nHigh\r\nRelationships\r\nThis table shows the other attack patterns and high level categories that are related to this attack pattern. These\r\nrelationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels\r\nof abstraction. 
In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack\r\npatterns that the user may want to explore.\r\nNature | Type\r\nChildOf | Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack\r\nCanFollow | Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or techni\r\nCanFollow | Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techniq\r\nCanFollow | Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack\r\nThis table shows the views that this attack pattern belongs to and top level categories within that view.\r\nView Name | Top Level Categories\r\nDomains of Attack | Social Engineering\r\nMechanisms of Attack | Engage in Deceptive Interactions\r\nExecution Flow\r\nExplore\r\n1. Obtain useful contextual detailed information about the targeted user or organization: An adversary collects\r\nuseful contextual detailed information about the targeted user or organization in order to craft a more deceptive and\r\nenticing message to lure the target into responding.\r\nTechniques\r\nConduct web search research on the target. See also: CAPEC-118.\r\nIdentify trusted associates, colleagues and friends of the target. See also: CAPEC-118.\r\nUtilize social engineering attack patterns such as Pretexting. See also: CAPEC-407.\r\nhttps://capec.mitre.org/data/definitions/163.html\r\nPage 1 of 5\n\nCollect social information via dumpster diving. See also: CAPEC-406.\r\nCollect social information via traditional sources. See also: CAPEC-118.\r\nCollect social information via non-traditional sources. See also: CAPEC-118.\r\nExperiment\r\n1. 
Optional: Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the\r\nadversary impersonate the legitimate site more convincingly. The adversary can use homograph attacks to convince\r\nusers that they are using the legitimate website. Note that this step is not required for phishing attacks, and many\r\nphishing attacks simply supply URLs containing an IP address and no SSL certificate.\r\nTechniques\r\nOptionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is\r\nwww.paypaI.com vs. www.paypal.com (the first one contains a capital I instead of a lower case l).\r\nOptionally obtain a legitimate SSL certificate for the new domain name.\r\n2. Optional: Explore legitimate website and create duplicate: An adversary creates a website (optionally at a URL\r\nthat looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That\r\nwebsite will typically have a login form for the victim to put in their authentication credentials. There can be different\r\nvariations on a theme here.\r\nTechniques\r\nUse spidering software to get a copy of web pages on the legitimate site.\r\nManually save copies of required web pages from the legitimate site.\r\nCreate new web pages that have the legitimate site's look and feel, but contain completely new content.\r\n3. Optional: Build variants of the website with very specific user information e.g., living area, etc.: Once the\r\nadversary has their website which duplicates a legitimate website, they need to build very custom user-related\r\ninformation in it. For example, they could create multiple variants of the website which would target different living\r\narea users by providing information such as local news, local weather, etc. 
so that the user believes this is a new\r\nfeature from the website.\r\nTechniques\r\nIntegrate localized information in the web pages created to duplicate the original website. That localized\r\ninformation could be dynamically generated based on a unique key or IP address of the future victim.\r\nExploit\r\n1. Convince user to enter sensitive information on adversary's site: An adversary sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail\r\n(which takes the victim to the adversary's website) and log in. The key is to get the victim to believe that the message is\r\ncoming from a legitimate entity trusted by the victim or with which the victim does business, and that the website\r\npointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate\r\nand urgent enough to prompt action from the user.\r\nTechniques\r\nSend the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the\r\nincluded link.\r\nPlace phishing link in post to online forum.\r\n2. Use stolen credentials to log into legitimate site: Once the adversary captures some sensitive information through\r\nphishing (login credentials, credit card information, etc.), the adversary can leverage this information. For instance,\r\nthe adversary can use the victim's login credentials to log into their bank account and transfer money to an account of\r\ntheir choice.\r\nTechniques\r\nLog in to the legitimate site using another user's supplied credentials.\r\nPrerequisites\r\nNone. 
Any user can be targeted by a Spear Phishing attack.\r\nSkills Required\r\n[Level: Medium]\r\nSpear phishing attacks require specific knowledge of the victims being targeted, such as which bank is being used by the\r\nvictims, or websites they commonly log into (Google, Facebook, etc.).\r\nResources Required\r\nAn adversary must have the ability to communicate their phishing scheme to the victims (via email, instant message, etc.), as\r\nwell as a website or other platform for victims to enter personal information into.\r\nConsequences\r\nThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security\r\nproperty that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in\r\ntheir attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative\r\nto the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a\r\ncertain impact, but a low likelihood that it will be exploited to achieve a different impact.\r\nScope | Impact | Likelihood\r\nConfidentiality | Read Data |\r\nAccountability, Authentication, Authorization, Non-Repudiation | Gain Privileges |\r\nIntegrity | Modify Data |\r\nMitigations\r\nDo not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that\r\nthey take you to. Instead, call your bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be\r\nto type the URL of your bank in the browser directly and only then log in. 
Also, never reply to any e-mails that ask you to\r\nprovide sensitive information of any kind.\r\nExample Instances\r\nThe target gets an official-looking e-mail from their bank stating that their account has been temporarily locked due to\r\nsuspected unauthorized activity that happened in a different area from where they live (details might be provided by the\r\nspear phishers) and that they need to click on the link included in the e-mail to log in to their bank account in order to\r\nunlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the login page is an\r\nexact replica. The target supplies their login credentials, after which they are notified that their account has now been\r\nunlocked and that everything is fine. An adversary has just collected the target's online banking information, which can\r\nnow be used by them to log into the target's bank account and transfer money to a bank account of the adversary's\r\nchoice.\r\nAn adversary can leverage a weakness in the SMB protocol by sending the target an official-looking e-mail from their\r\nemployer's IT Department stating that their system has vulnerable software, which they need to manually patch by\r\naccessing an updated version of the software by clicking on a provided link to a network share. Once the link is clicked,\r\nthe target is directed to an external server controlled by the adversary or to a malicious file on a public access share. The\r\nSMB protocol will then attempt to authenticate the target to the adversary-controlled server, which allows the adversary\r\nto capture the hashed credentials over SMB. These credentials can then be used to execute offline brute-force attacks or a\r\n\"Pass The Hash\" attack.\r\nTaxonomy Mappings\r\nCAPEC mappings to ATT\u0026CK techniques leverage an inheritance model to streamline and minimize direct\r\nCAPEC/ATT\u0026CK mappings. 
Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant\r\nATT\u0026CK mappings. Note that the ATT\u0026CK Enterprise Framework does not use an inheritance model as part of the\r\nmapping to CAPEC.\r\nRelevant to the ATT\u0026CK taxonomy mapping (also see parent)\r\nEntry ID | Entry Name\r\n1534 | Internal Spearfishing\r\n1566.001 | Phishing: Spearfishing Attachment\r\n1566.002 | Phishing: Spearfishing Link\r\n1566.003 | Phishing: Spearfishing via Service\r\n1598.001 | Phishing for Information: Spearfishing Service\r\n1598.002 | Phishing for Information: Spearfishing Attachment\r\n1598.003 | Phishing for Information: Spearfishing Link\r\nContent History\r\nSubmissions\r\nSubmission Date | Submitter | Organization\r\n2014-06-23 (Version 2.6) | CAPEC Content Team | The MITRE Corporation\r\nModifications\r\nModification Date | Modifier | Organization\r\n2017-01-09 (Version 2.9) | CAPEC Content Team | The MITRE Corporation\r\nUpdated Related_Attack_Patterns\r\n2017-08-04 (Version 2.11) | CAPEC Content Team | The MITRE Corporation\r\nUpdated Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description Summary,\r\nExamples-Instances, Resources_Required\r\n2018-07-31 (Version 2.12) | CAPEC Content Team | The MITRE Corporation\r\nUpdated Attack_Phases, Related_Attack_Patterns\r\n2019-04-04 (Version 3.1) | CAPEC Content Team | The MITRE Corporation\r\nUpdated Example_Instances, Related_Attack_Patterns, Taxonomy_Mappings\r\n2020-07-30 (Version 3.3) | CAPEC Content Team | The MITRE Corporation\r\nUpdated Example_Instances, Execution_Flow, Taxonomy_Mappings\r\n2020-12-17 (Version 3.4) | CAPEC Content Team | The MITRE Corporation\r\nUpdated Related_Attack_Patterns\r\n2022-09-29 (Version 3.8) | CAPEC Content Team | The MITRE Corporation\r\nUpdated Taxonomy_Mappings\r\n2023-01-24 (Version 3.9) | CAPEC Content Team | The MITRE Corporation\r\nUpdated 
Related_Weaknesses\r\nSource: https://capec.mitre.org/data/definitions/163.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://capec.mitre.org/data/definitions/163.html"
	],
	"report_names": [
		"163.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434817,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abdcf87089ed3544667b2d13fbe6bf0e4cc5ff8d.pdf",
		"text": "https://archive.orkl.eu/abdcf87089ed3544667b2d13fbe6bf0e4cc5ff8d.txt",
		"img": "https://archive.orkl.eu/abdcf87089ed3544667b2d13fbe6bf0e4cc5ff8d.jpg"
	}
}