Phishing

high

phishing

Adversary uses deceptive emails, messages, voice calls, or look-alike sites to trick users into revealing credentials, executing malicious payloads, or approving fraudulent transactions. Targeted variants (spearphishing, business email compromise) impersonate specific colleagues or vendors and are a primary initial-access vector for cloud account takeover.

Spoofing, Information Disclosure

MITRE ATT&CK techniques

ID         Name                      Tactic
T1566      Phishing                  Initial Access
T1566.001  Spearphishing Attachment  Initial Access
T1566.002  Spearphishing Link        Initial Access
T1534      Internal Spearphishing    Lateral Movement

Common Weakness Enumeration

Mitigating controls

ctrl-phish-1
Enforce phishing-resistant MFA (FIDO2/WebAuthn) for all user accounts
ctrl-phish-2
Deploy a secure email gateway with link rewriting, attachment sandboxing, and impersonation detection
ctrl-phish-3
Run periodic phishing simulations and provide an in-client report-phish button
ctrl-phish-4
Apply conditional access policies that block legacy authentication and require compliant devices
ctrl-phish-5
Tag external-sender emails with a visible warning banner
ctrl-phish-6
Require out-of-band verification for sensitive financial or credential-change requests
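As an added example (not part of this catalogue entry or of any vendor product), the Python below shows the checks behind ctrl-phish-2 (impersonation detection) and ctrl-phish-5 (external-sender banner) applied to three constructed messages: a normal internal mail, a look-alike domain with a protected executive's display name, and a direct spoof of the internal domain that fails SPF and DMARC. The organisation domain example.com, the protected-sender list and the sample messages are assumptions. The third case is the instructive one: the banner never fires because the From domain is internal, so only the Authentication-Results evidence catches it.

```python
"""Inbound-mail phishing checks: external banner, look-alike domain,
display-name impersonation and SPF/DKIM/DMARC failures (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation domain and protected display names (assumptions).
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_SENDERS = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
BANNER = "[EXTERNAL] "


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 flags one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, max_distance: int = 1):
    """Return the internal domain this sender domain imitates, or None."""
    for internal in INTERNAL_DOMAINS:
        if 0 < levenshtein(domain, internal) <= max_distance:
            return internal
    return None


def failed_auth_methods(msg) -> list:
    """Methods reported as 'fail' in Authentication-Results (RFC 8601 syntax)."""
    failed = []
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:  # first clause is the authserv-id
            clause = clause.strip().lower()
            for method in ("spf", "dkim", "dmarc"):
                if clause.startswith(method + "=") and clause.split()[0].endswith("=fail"):
                    failed.append(method)
    return failed


def analyze(raw_message: str) -> dict:
    """Classify one RFC 5322 message; return the tagged subject and findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    findings = []
    if external:
        findings.append("external-sender")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike-domain:{domain}~{imitated}")
    real_mailbox = PROTECTED_SENDERS.get(display_name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        findings.append(f"display-name-impersonation:{display_name}")
    for method in failed_auth_methods(msg):
        findings.append(f"{method}-fail")
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith(BANNER):  # ctrl-phish-5 banner
        subject = BANNER + subject
    return {"external": external, "subject": subject, "findings": findings}


# Constructed sample messages (not real traffic).
INTERNAL_MAIL = """\
From: Bob Smith <bob.smith@example.com>
To: alice@example.com
Subject: Lunch?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass

See you at noon.
"""

LOOKALIKE_MAIL = """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass; dmarc=pass

Please pay the attached invoice today.
"""

SPOOFED_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please pay the attached invoice today.
"""

if __name__ == "__main__":
    for sample in (INTERNAL_MAIL, LOOKALIKE_MAIL, SPOOFED_MAIL):
        print(analyze(sample))
```

The look-alike sender passes SPF, DKIM and DMARC because the attacker controls examp1e.com, so authentication results alone would not flag it; the edit-distance and display-name checks are what catch that case. Conversely, a one-character distance misses longer imitations such as "example-security.com", which is why a gateway combines these heuristics with registered look-alike domain lists and the out-of-band verification of ctrl-phish-6.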

References