...
Relevant documentation
Mitre T1566 - Phishing may be used to trick a user into performing an action they would not have done otherwise such as running a script or sharing a password.
Mitre T1091 - Malware may replicate itself onto removable media so that the next machine to connect it may execute via autorun or driver vulnerabilities.
Mitre T1204 - User execution, often gained via phishing, is the simplest way malware may begin running.