Skip to content

DET0107 Detection Strategy for Spearphishing Links

Item Value
ID DET0107
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1566.002 (Spearphishing Link)

Analytics

Windows

AN0298

Correlation of inbound emails with embedded links followed by user-driven browser navigation to suspicious or obfuscated domains. Detection chain includes malicious URL in email → user click recorded in Office logs → browser process spawning unusual child processes (e.g., PowerShell, cmd) or download activity.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) m365:unified Send/Receive: Inbound emails containing embedded or shortened URLs
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
SuspiciousTLDs List of monitored top-level domains commonly abused in phishing (e.g., .xyz, .top, .tk).
URLShortenerDomains Domains like bit.ly, tinyurl.com flagged for deeper expansion/inspection.
ClickToExecutionWindow Time threshold between URL click and suspicious process execution.

Linux

AN0299

Detection of spearphishing links through mail logs and browser activity. Behavior includes email with suspicious URLs → user click recorded in mail/web proxy logs → shell or interpreter launched from browser process.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) Application:Mail Inbound emails containing hyperlinks from suspicious sources
Process Creation (DC0032) auditd:SYSCALL execve: Execution of scripts or binaries spawned from browser processes
Network Traffic Flow (DC0078) NSM:Flow Outbound requests to domains not previously resolved or associated with phishing campaigns
Mutable Elements
Field Description
MonitoredBrowsers List of browser processes to monitor (e.g., firefox, chrome, chromium).
PhishingIndicators Custom regex patterns for detecting obfuscated or IDN homograph URLs.

macOS

AN0300

Correlation of Mail.app logs with Safari/Chrome activity. Suspicious behavior includes email links → Safari/Chrome accessing newly registered or lookalike domains → osascript or Terminal spawned unexpectedly.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog Received messages with embedded or shortened URLs
Process Creation (DC0032) macos:unifiedlog Browser processes launching unexpected interpreters (osascript, bash)
Network Traffic Content (DC0085) macos:unifiedlog Connections to suspicious domains with mismatched certificate or unusual patterns
Mutable Elements
Field Description
CertificateAnomalies Flag self-signed or mismatched TLS certificates from spearphishing domains.
ExecutionDelayThreshold Suspicious delay between URL click and malicious process spawn.

Identity Provider

AN0301

Detection of OAuth consent phishing or malicious login attempts initiated through spearphishing links. Behavior chain includes inbound email with OAuth URL → consent page visited → unusual token grants logged in IdP logs.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) azure:signinlogs ConsentGrant: Suspicious consent grants to non-approved or unknown applications
Mutable Elements
Field Description
AllowedApps Whitelisted apps permitted for OAuth consent grants.
AnomalousConsentPatterns Patterns of consent from unusual geographies, devices, or unapproved applications.