After they already have access to accounts or systems within the environment, threat actors may use internal spearphishing to gain access to additional information or to compromise other users within the same organization. Internal spearphishing is a multi-staged campaign in which a legitimate account is first compromised, either by controlling the user's device or by compromising the user's account credentials. Threat actors may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phishing attempts, often incorporating Impersonation.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
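
Since preventive controls do little against this technique, one detective check is to watch for an internal account that suddenly sends link- or attachment-bearing mail to many internal recipients. The following is an added example, not part of the original page; the log format, the domain `corp.example`, the window and the threshold are all assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"  # assumption: placeholder for the organization's mail domain
# Constructed sample records, not real logs.
# Fields: timestamp, sender, recipient, 1 if the message carries a link or attachment.
SAMPLE_LOG = """\
2024-05-06T09:01:00 alice@corp.example bob@corp.example 1
2024-05-06T11:30:00 alice@corp.example carol@corp.example 1
2024-05-06T13:00:00 news@partner.example bob@corp.example 1
2024-05-06T13:00:05 news@partner.example carol@corp.example 1
2024-05-06T14:02:00 dave@corp.example alice@corp.example 1
2024-05-06T14:02:30 dave@corp.example bob@corp.example 1
2024-05-06T14:03:10 dave@corp.example carol@corp.example 1
2024-05-06T14:04:00 dave@corp.example erin@corp.example 1
2024-05-06T14:04:20 dave@corp.example frank@corp.example 0
"""

def is_internal(address):
    return address.lower().endswith("@" + INTERNAL_DOMAIN)

def parse(log_text):
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, payload = line.split()
        yield datetime.fromisoformat(ts), sender, recipient, payload == "1"

def flag_internal_fanout(log_text, window=timedelta(minutes=10), threshold=4):
    """Return {sender: max distinct internal recipients of link/attachment mail in any window}."""
    per_sender = defaultdict(list)
    for ts, sender, recipient, payload in parse(log_text):
        # Only internal-to-internal mail that carries a link or attachment is of interest.
        if payload and is_internal(sender) and is_internal(recipient):
            per_sender[sender].append((ts, recipient))
    flagged = {}
    for sender, events in per_sender.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct recipients reached within `window` of this message.
            in_window = {rcpt for ts, rcpt in events[i:] if ts - start < window}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[sender] = best
    return flagged

if __name__ == "__main__":
    for sender, count in flag_internal_fanout(SAMPLE_LOG).items():
        print(f"review {sender}: {count} internal recipients within the window")
```

A flagged sender is a lead for review rather than a verdict, since legitimate internal announcements produce the same fan-out.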