Threat actors may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, Threat actors can conduct non-targeted phishing, such as in mass malware spam campaigns.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.