Description
An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
Platforms
Mitigations (3)
Network Intrusion Prevention (M1031)
If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
User Training (M1017)
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Restrict Web-Based Content (M1021)
If a link is being visited by a user, block by default unknown or unused file types that should not be downloaded (or, by policy, files from suspicious sites) as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious files.
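As an added illustration of the M1021 policy described above (example code, not part of the ATT&CK page), the filter below blocks the extensions the mitigation names, looks inside zip archives for the same extensions, and treats encrypted archive members as unscannable. The extension list, the decision to block on parse failure, and all sample data are assumptions constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the mitigation text names as examples of types to block in
# transit by default; extend per local policy (assumption: policy values).
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".cpl"}
ARCHIVE_EXTENSIONS = {".zip"}  # rar needs a third-party parser; omitted here


def blocked_name(filename):
    """True if the final suffix is blocked, so 'Invoice.pdf.scr' is caught."""
    return PurePosixPath(filename).suffix.lower() in BLOCKED_EXTENSIONS


def inspect_download(filename, content):
    """Return ('block' | 'allow', reasons) for a downloaded object."""
    reasons = []
    if blocked_name(filename):
        reasons.append(f"blocked extension: {filename}")
    if PurePosixPath(filename).suffix.lower() in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if blocked_name(info.filename):
                        reasons.append(f"blocked member in archive: {info.filename}")
                    if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
                        # Policy choice (assumption): unscannable content is blocked.
                        reasons.append(f"encrypted archive member: {info.filename}")
        except zipfile.BadZipFile:
            reasons.append("archive claimed .zip but failed to parse")
    return ("block" if reasons else "allow", reasons)


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed demo data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"Invoice_2024.pdf.scr": b"MZ", "readme.txt": b"hi"})
    print(inspect_download("invoice.zip", sample))
    print(inspect_download("brochure.pdf", b"%PDF-1.4"))
```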
Threat Groups (49)
| ID | Group | Context |
|---|---|---|
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used malicious links to lure victims into downloading malware.(Citation: CrowdStrike Carbon Spider A... |
| G0098 | BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has sent malicious links including links directing victims to a Google Drive folder.(Citation: ... |
| G0021 | Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has sent malicious links via email to trick users into opening a RAR archive and running an executable.... |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used links embedded in e-mails to lure victims into executing malicious code.(Citation: SANS Wi... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi) |
| G0140 | LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has relied upon users clicking on links to malicious files.(Citation: MalwareBytes LazyScripter ... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has lured victims into clicking on a malicious link sent through spearphishing.(Citation: TrendMicr... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) has, in addition to email-based phishing attachments, used malicious websites masquerading as legi... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used links embedded in emails to lure users into downloading malicious files.(Citation: Check Point... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used links to execute a malicious Visual Basic script.(Citation: 1 - appv) |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used emails with malicious links to lure victims into installing malware.(Citation: FireEye Obfuscat... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used malicious links to cloud and web services to gain execution on victim machines.(Citation: Pro... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to click on a malicious link.(Citation... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has used spearphishing with links to try to get users to click, download and open malicious files.(... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has lured victims into clicking malicious links delivered through spearphishing.(Citation: FireEye Cland... |
| G0120 | Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links w... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used lures to get users to click links in emails and attachments. For example, [TA505](https://atta... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has lured victims into clicking malicious Dropbox download links delivered through spearphishing... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has attempted to lure victims into opening malicious links embedded in emails.(Citation: ClearSky... |
Associated Software (29)
| ID | Name | Type | Context |
|---|---|---|---|
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) has used malicious links to gain execution on victim machines.(Citation: IBM Grandoreiro April ... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Do... |
| S1017 | OutSteel | Malware | [OutSteel](https://attack.mitre.org/software/S1017) has relied on a user to click a malicious link within a spearphishing email.(Citation: Palo Alto U... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) has been executed through convincing victims into clicking malicious links.(Citation: FireEye NETWI... |
| S1030 | Squirrelwaffle | Malware | [Squirrelwaffle](https://attack.mitre.org/software/S1030) has relied on victims to click on a malicious link sent via phishing campaigns.(Citation: ZS... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) has gained execution through users opening malicious links.(Citation: Trend Micro Qakbot May 2020)(C... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has been executed through malicious links distributed in email campaigns.(Citation: Latrodectus... |
| S0499 | Hancitor | Malware | [Hancitor](https://attack.mitre.org/software/S0499) has relied upon users clicking on a malicious link delivered through phishing.(Citation: Threatpos... |
| S0528 | Javali | Malware | [Javali](https://attack.mitre.org/software/S0528) has achieved execution through victims clicking links to malicious websites.(Citation: Securelist Br... |
| S0649 | SMOKEDHAM | Malware | [SMOKEDHAM](https://attack.mitre.org/software/S0649) has relied upon users clicking on a malicious link delivered through phishing.(Citation: FireEye ... |
| S1086 | Snip3 | Malware | [Snip3](https://attack.mitre.org/software/S1086) has been executed through luring victims into clicking malicious links.(Citation: Telefonica Snip3 De... |
| S9026 | ROAMINGHOUSE | Malware | [ROAMINGHOUSE](https://attack.mitre.org/software/S9026) has been executed through luring victims into clicking links to download malicious ZIP files.(... |
| S0644 | ObliqueRAT | Malware | [ObliqueRAT](https://attack.mitre.org/software/S0644) has gained execution on targeted systems through luring users to click on links to malicious URL... |
| S1138 | Gootloader | Malware | [Gootloader](https://attack.mitre.org/software/S1138) has been executed through malicious links presented to users as internet search results.(Citatio... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) has been executed by luring victims into clicking links in spearphishing emails.(Citation: SentinelOn... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has relied upon users clicking on a malicious link delivered through spearphishing.(Citation: Trend ... |
| S0453 | Pony | Malware | [Pony](https://attack.mitre.org/software/S0453) has attempted to lure targets into clicking links in spoofed emails from legitimate banks.(Citation: M... |
| S1124 | SocGholish | Malware | [SocGholish](https://attack.mitre.org/software/S1124) has lured victims into interacting with malicious links on compromised websites for execution.(C... |
| S0435 | PLEAD | Malware | [PLEAD](https://attack.mitre.org/software/S0435) has been executed via malicious links in e-mails.(Citation: TrendMicro BlackTech June 2017) |
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) has relied on victims clicking on a malicious link delivered via email.(Citation: MalwareBytes Laz... |
Frequently Asked Questions
What is T1204.001 (Malicious Link)?
T1204.001 is a MITRE ATT&CK technique named 'Malicious Link'. It belongs to the Execution tactic(s). An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. Th...
How can T1204.001 be detected?
Detection of T1204.001 (Malicious Link) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1204.001?
There are 3 documented mitigations for T1204.001. Key mitigations include: Network Intrusion Prevention, User Training, Restrict Web-Based Content.
Which threat groups use T1204.001?
Known threat groups using T1204.001 include: FIN7, BlackTech, Mustang Panda, Molerats, Windshift, Kimsuky, LazyScripter, Confucius.