ID | Name |
---|---|
T1204.001 | Malicious Link |
T1204.002 | Malicious File |
T1204.003 | Malicious Image |
An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
ID | Name | Description |
---|---|---|
S0584 | AppleJeus |
AppleJeus's spearphishing links required user interaction to navigate to the malicious website.[1] |
G0007 | APT28 |
APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[2] |
G0016 | APT29 |
APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link.[3][4][5] |
G0022 | APT3 |
APT3 has lured victims into clicking malicious links delivered through spearphishing.[6] |
G0050 | APT32 |
APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.[7][8][9] |
G0064 | APT33 |
APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[10][11] |
G0087 | APT39 |
APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.[12][13] |
S0475 | BackConfig |
BackConfig has compromised victims via links to URLs hosting malicious content.[14] |
S0534 | Bazar |
Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.[15][16][17] |
G0098 | BlackTech |
BlackTech has used e-mails with malicious links to lure victims into installing malware.[18] |
G0080 | Cobalt Group |
Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.[19][20][21] |
G0074 | Dragonfly 2.0 |
Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links.[22][23] |
G0066 | Elderwood |
Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.[24][25] |
S0367 | Emotet |
Emotet has relied upon users clicking on a malicious link delivered through spearphishing.[26][27] |
G0120 | Evilnum |
Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.[28] |
G0085 | FIN4 |
FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).[29][30] |
G0046 | FIN7 |
FIN7 has used malicious links to lure victims into downloading malware.[31] |
G0061 | FIN8 |
FIN8 has used emails with malicious links to lure victims into installing malware.[32][33][34] |
S0531 | Grandoreiro |
Grandoreiro has used malicious links to gain execution on victim machines.[35][36] |
S0561 | GuLoader |
GuLoader has relied upon users clicking on links to malicious documents.[37] |
S0499 | Hancitor |
Hancitor has relied upon users clicking on a malicious link delivered through phishing.[38] |
S0528 | Javali |
Javali has achieved execution through victims clicking links to malicious websites.[39] |
S0585 | Kerrdown |
Kerrdown has gained execution through victims opening malicious links.[9] |
G0065 | Leviathan |
Leviathan has sent spearphishing email links attempting to get a user to click.[40][41] |
G0095 | Machete |
Machete has has relied on users opening malicious links delivered through spearphishing to execute malware.[42][43][44] |
G0059 | Magic Hound |
Magic Hound has attempted to lure victims into opening malicious links embedded in emails.[45] |
S0530 | Melcoz |
Melcoz has gained execution through victims opening malicious links.[39] |
G0103 | Mofang |
Mofang's spearphishing emails required a user to click the link to connect to a compromised website.[46] |
G0021 | Molerats |
Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.[47][48] |
G0069 | MuddyWater |
MuddyWater has distributed URLs in phishing e-mails that link to lure documents.[49][50] |
G0129 | Mustang Panda |
Mustang Panda has sent malicious links directing victims to a Google Drive folder.[51][52] |
S0198 | NETWIRE |
NETWIRE has been executed through convincing victims into clicking malicious links.[53][37] |
G0014 | Night Dragon |
Night Dragon enticed users to click on links in spearphishing emails to download malware.[54] |
S0644 | ObliqueRAT |
ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.[55][56] |
G0049 | OilRig |
OilRig has delivered malicious links to achieve execution on the target system.[57][58][59] |
G0040 | Patchwork |
Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.[60][61][62][14] |
S0435 | PLEAD | |
S0453 | Pony |
Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks.[63] |
S0650 | QakBot |
QakBot has gained execution through users opening malicious links.[64][65][66][67][68][69] |
G0034 | Sandworm Team |
Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[70] |
G0121 | Sidewinder |
Sidewinder has lured targets to click on malicious links to gain execution in the target environment.[71][72][73][74] |
S0649 | SMOKEDHAM |
SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.[75] |
S0646 | SpicyOmelette |
SpicyOmelette has been executed through malicious links within spearphishing emails.[21] |
G0092 | TA505 |
TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [76][77][78][79][80][81][82][83] |
G0134 | Transparent Tribe |
Transparent Tribe has directed users to open URLs hosting malicious content.[55][56] |
S0436 | TSCookie |
TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan.[84] |
G0010 | Turla |
Turla has used spearphishing via a link to get users to download and run their malware.[85] |
G0112 | Windshift |
Windshift has used links embedded in e-mails to lure victims into executing malicious code.[86] |
G0102 | Wizard Spider |
Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.[87] |
G0128 | ZIRCONIUM |
ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.[88][89] |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention |
If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. |
M1021 | Restrict Web-Based Content |
If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files. |
M1017 | User Training |
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0029 | Network Traffic | Network Connection Creation |
Network Traffic Content |
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.