T1566.002

Spearphishing Link

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Unlike spearphishing attachments, this variant embeds URLs in email body text, requiring the recipient to actively click or paste the link into a browser. Clicked links may deliver browser exploits, prompt downloads of malware or scripts, or harvest credentials via convincing login pages. Advanced variants include OAuth consent phishing (abusing OAuth 2.0 authorization flows to steal application access tokens), device code phishing (abusing OAuth 2.0 device authorization grant to obtain persistent tokens), and IDN homograph attacks where lookalike Unicode domains impersonate trusted brands. URLs may also be obfuscated via URL shorteners, integer-format IP addresses (e.g., hxxp://1157586937), or the @ symbol trick. Threat actors including Kimsuky, MuddyWater, BlackTech, LuminousMoth, DarkGate, and Squirrelwaffle have extensively leveraged this technique.

Microsoft Sentinel / Defender

kusto

let EmailClients = dynamic(["outlook.exe", "thunderbird.exe", "teams.exe", "msoutlook.exe"]);
let BrowserApps = dynamic(["msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe"]);
let SuspiciousChildren = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe"]);
// Vector 1: Email client directly spawning a suspicious process (link opens registered protocol handler or triggers file download)
let EmailClientSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (EmailClients)
| where FileName has_any (SuspiciousChildren)
| extend DetectionVector = "EmailClientDirectSpawn"
| extend RiskReason = strcat("Email client '", InitiatingProcessFileName, "' spawned '", FileName, "'");
// Vector 2: Browser spawning a suspicious process (drive-by exploit or redirect to malicious file association)
let BrowserSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (BrowserApps)
| where FileName has_any (SuspiciousChildren)
// Exclude legitimate browser internal sub-processes
| where not(ProcessCommandLine has_any ("--type=renderer", "--type=utility", "--type=gpu-process", "--type=crashpad-handler", "--extension-process", "NativeMessagingHost"))
| where not(FileName =~ "msiexec.exe" and ProcessCommandLine has_any ("MicrosoftEdgeUpdate", "GoogleUpdate", "ChromeSetup", "EdgeUpdate"))
| extend DetectionVector = "BrowserSpawnedSuspiciousProcess"
| extend RiskReason = strcat("Browser '", InitiatingProcessFileName, "' spawned '", FileName, "'");
// Vector 3: MSHTA spawning additional processes (common in phishing link -> HTA -> payload chains)
let MshtaChain = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "mshta.exe"
| where FileName has_any (SuspiciousChildren)
| extend DetectionVector = "MshtaSpawnedSuspiciousProcess"
| extend RiskReason = strcat("mshta.exe spawned '", FileName, "' — possible HTA payload chain");
union EmailClientSpawn, BrowserSpawn, MshtaChain
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionVector, RiskReason
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint Email: Email Opening

Required Tables

DeviceProcessEvents

False Positives

Legitimate enterprise software installers triggered by browser downloads — Chrome or Edge spawning msiexec.exe for software self-updates (Google Update, Microsoft Edge Update) will fire unless update-specific strings are excluded
Microsoft Teams or Outlook opening SharePoint/OneDrive links that trigger PowerShell-based document handlers or Office configuration scripts
Browser-based remote management or virtual desktop tools (Citrix Workspace, VMware Horizon, AWS AppStream) that spawn helper processes via registered browser protocol handlers
Security awareness training platforms (KnowBe4, Proofpoint Security Education) that simulate phishing link clicks and trigger benign download or redirect activity
Developer tools and IDEs that open browser links which then chain to build scripts or test runners (VS Code Live Share, JetBrains IDE browser preview)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImage_lower=lower(ParentImage)
| eval Image_lower=lower(Image)
| eval CommandLine_lower=lower(CommandLine)
| eval IsEmailClient=if(match(ParentImage_lower, "(outlook\.exe|thunderbird\.exe|teams\.exe)"), 1, 0)
| eval IsBrowser=if(match(ParentImage_lower, "(msedge\.exe|chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe)"), 1, 0)
| eval IsMshtaParent=if(match(ParentImage_lower, "mshta\.exe"), 1, 0)
| eval IsSuspiciousChild=if(match(Image_lower, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"), 1, 0)
| eval IsLegitBrowserSubProc=if(match(CommandLine_lower, "(--type=renderer|--type=utility|--type=gpu-process|--extension-process|nativemessaginghost|microsoftedgeupdate|googleupdate|chromesetup)"), 1, 0)
| where (IsEmailClient=1 OR IsBrowser=1 OR IsMshtaParent=1) AND IsSuspiciousChild=1 AND IsLegitBrowserSubProc=0
| eval DetectionVector=case(
    IsEmailClient=1, "EmailClientDirectSpawn",
    IsMshtaParent=1, "MshtaChainSpawn",
    IsBrowser=1, "BrowserSpawnedSuspiciousProcess",
    true(), "Unknown")
| eval RiskScore=case(
    IsMshtaParent=1, 90,
    IsEmailClient=1, 85,
    IsBrowser=1 AND match(Image_lower, "(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe)"), 75,
    IsBrowser=1, 60,
    true(), 50)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionVector, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate enterprise software installers triggered by browser downloads (Chrome/Edge spawning msiexec.exe for vendor updates)
Microsoft Teams or Outlook opening SharePoint links that trigger PowerShell-based document or configuration handlers
Browser-based virtual desktop clients (Citrix, VMware Horizon) spawning helper binaries through registered protocol handlers
Security awareness training platforms simulating phishing link behavior with benign payloads
Developer tooling that opens browser URLs which chain to local build or test scripts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "ParentImage",
  "Image",
  "CommandLine",
  CASE
    WHEN LOWER("ParentImage") MATCHES '.*?(outlook\.exe|thunderbird\.exe|teams\.exe|msoutlook\.exe).*' THEN 'EmailClientDirectSpawn'
    WHEN LOWER("ParentImage") MATCHES '.*?mshta\.exe.*' THEN 'MshtaChainSpawn'
    WHEN LOWER("ParentImage") MATCHES '.*?(msedge\.exe|chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe).*' THEN 'BrowserSpawnedSuspiciousProcess'
    ELSE 'Unknown'
  END AS detection_vector,
  CASE
    WHEN LOWER("ParentImage") MATCHES '.*?mshta\.exe.*' THEN 90
    WHEN LOWER("ParentImage") MATCHES '.*?(outlook\.exe|thunderbird\.exe|teams\.exe).*' THEN 85
    WHEN LOWER("ParentImage") MATCHES '.*?(msedge\.exe|chrome\.exe|firefox\.exe).*' AND LOWER("Image") MATCHES '.*?(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe).*' THEN 75
    ELSE 60
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID = 12 /* Microsoft Windows Security Event Log */ OR LOGSOURCETYPEID = 13 /* Sysmon */
  AND (
    LOWER("ParentImage") MATCHES '.*?(outlook\.exe|thunderbird\.exe|teams\.exe|msoutlook\.exe|msedge\.exe|chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|mshta\.exe).*'
  )
  AND (
    LOWER("Image") MATCHES '.*?(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe).*'
  )
  AND NOT (
    LOWER("CommandLine") MATCHES '.*?(--type=renderer|--type=utility|--type=gpu-process|--extension-process|nativemessaginghost|microsoftedgeupdate|googleupdate|chromesetup).*'
  )
  AND DEVICETIME > NOW() - 86400000
ORDER BY risk_score DESC, devicetime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon (Event ID 1) Windows Security Event Log (Event ID 4688) QRadar DSM for Microsoft Windows

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune) that use msiexec.exe or certutil.exe when triggered indirectly via browser-initiated installer links
Legitimate browser extension NativeMessagingHost processes that may share command-line patterns with the excluded strings but are slightly different
Automated email-to-script workflows in helpdesk environments where Outlook plugins legitimately spawn PowerShell for ticketing system integrations

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID = "1" OR EventCode = "1"
| parse field=ParentImage "*" as parent_image nodrop
| parse field=Image "*" as child_image nodrop
| parse field=CommandLine "*" as cmdline nodrop
| eval parent_lower = toLowerCase(parent_image)
| eval child_lower = toLowerCase(child_image)
| eval cmdline_lower = toLowerCase(cmdline)
| eval is_email_client = if(parent_lower matches "*outlook.exe*" OR parent_lower matches "*thunderbird.exe*" OR parent_lower matches "*teams.exe*" OR parent_lower matches "*msoutlook.exe*", 1, 0)
| eval is_browser = if(parent_lower matches "*msedge.exe*" OR parent_lower matches "*chrome.exe*" OR parent_lower matches "*firefox.exe*" OR parent_lower matches "*iexplore.exe*" OR parent_lower matches "*opera.exe*" OR parent_lower matches "*brave.exe*", 1, 0)
| eval is_mshta_parent = if(parent_lower matches "*mshta.exe*", 1, 0)
| eval is_suspicious_child = if(child_lower matches "*powershell.exe*" OR child_lower matches "*pwsh.exe*" OR child_lower matches "*cmd.exe*" OR child_lower matches "*wscript.exe*" OR child_lower matches "*cscript.exe*" OR child_lower matches "*mshta.exe*" OR child_lower matches "*rundll32.exe*" OR child_lower matches "*regsvr32.exe*" OR child_lower matches "*msiexec.exe*" OR child_lower matches "*certutil.exe*" OR child_lower matches "*bitsadmin.exe*" OR child_lower matches "*curl.exe*" OR child_lower matches "*wget.exe*", 1, 0)
| eval is_legit_browser_proc = if(cmdline_lower matches "*--type=renderer*" OR cmdline_lower matches "*--type=utility*" OR cmdline_lower matches "*--type=gpu-process*" OR cmdline_lower matches "*--extension-process*" OR cmdline_lower matches "*nativemessaginghost*" OR cmdline_lower matches "*microsoftedgeupdate*" OR cmdline_lower matches "*googleupdate*" OR cmdline_lower matches "*chromesetup*", 1, 0)
| where (is_email_client = 1 OR is_browser = 1 OR is_mshta_parent = 1) AND is_suspicious_child = 1 AND is_legit_browser_proc = 0
| eval detection_vector = if(is_email_client = 1, "EmailClientDirectSpawn", if(is_mshta_parent = 1, "MshtaChainSpawn", "BrowserSpawnedSuspiciousProcess"))
| eval risk_score = if(is_mshta_parent = 1, 90, if(is_email_client = 1, 85, if(is_browser = 1 AND (child_lower matches "*powershell.exe*" OR child_lower matches "*wscript.exe*" OR child_lower matches "*cscript.exe*" OR child_lower matches "*mshta.exe*"), 75, 60)))
| fields _messageTime, Computer, User, child_image, cmdline, parent_image, ParentCommandLine, detection_vector, risk_score
| sort by risk_score, _messageTime

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Collector Windows Security Event Log

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Legitimate business software that registers custom URL protocol handlers (e.g., zoom://, vscode://) which are invoked from browser clicks and subsequently launch helper executables
Enterprise MDM or endpoint management tools that deliver scripts via email or intranet links that users open in a browser, triggering msiexec or PowerShell
Browser-based web applications using Native Messaging to communicate with local agents that may be incorrectly flagged if the exclusion pattern matching misses slight variations

Google Chronicle / SecOps

yaral

rule t1566_002_spearphishing_link_spawn {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects T1566.002 Spearphishing Link follow-on execution: email clients, browsers, or mshta.exe spawning suspicious scripting or execution utilities"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566.002"
    reference = "https://attack.mitre.org/techniques/T1566/002/"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""

    // Parent is email client, browser, or mshta
    (
      re.regex($e.principal.process.file.full_path, `(?i)(outlook\.exe|thunderbird\.exe|teams\.exe|msoutlook\.exe|msedge\.exe|chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|mshta\.exe)$`)
    )

    // Child is a suspicious process
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)$`)
    )

    // Exclude legitimate browser sub-processes
    not re.regex($e.target.process.command_line, `(?i)(--type=renderer|--type=utility|--type=gpu-process|--type=crashpad-handler|--extension-process|NativeMessagingHost|MicrosoftEdgeUpdate|GoogleUpdate|ChromeSetup|EdgeUpdate)`)

    // Exclude msiexec update launches from browsers (already captured above but belt-and-suspenders)
    not (
      re.regex($e.target.process.file.full_path, `(?i)msiexec\.exe$`) and
      re.regex($e.target.process.command_line, `(?i)(MicrosoftEdgeUpdate|GoogleUpdate|ChromeSetup|EdgeUpdate)`)
    )

    $host = $e.principal.hostname
    $parent = $e.principal.process.file.full_path
    $child = $e.target.process.file.full_path
    $cmdline = $e.target.process.command_line
    $user = $e.principal.user.userid

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Sysmon UDM ingestion Chronicle Endpoint Telemetry Microsoft Defender for Endpoint via Chronicle connector

Required Tables

UDM process events (PROCESS_LAUNCH)

False Positives

Legitimate software installers invoked through browser clicks (e.g., clicking a download link that opens an msiexec installer) where the update process exclusions do not match the specific installer string
Corporate IT tools deployed via Teams or Outlook plugins that legitimately invoke PowerShell or cmd.exe as part of approved automation workflows
Security tools or EDR agents that hook into browser processes and launch sub-components that match the suspicious child process list

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(outlook|thunderbird|teams|msoutlook|msedge|chrome|firefox|iexplore|opera|brave|mshta)\.exe$/
| FileName = /(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msiexec|certutil|bitsadmin|curl|wget)\.exe$/
| CommandLine != /(?i)(--type=renderer|--type=utility|--type=gpu-process|--type=crashpad-handler|--extension-process|NativeMessagingHost|MicrosoftEdgeUpdate|GoogleUpdate|ChromeSetup|EdgeUpdate)/
| not (FileName = /(?i)msiexec\.exe$/ AND CommandLine = /(?i)(MicrosoftEdgeUpdate|GoogleUpdate|ChromeSetup|EdgeUpdate)/)
| eval DetectionVector = case(
    ParentBaseFileName = /(?i)(outlook|thunderbird|teams|msoutlook)\.exe$/, "EmailClientDirectSpawn",
    ParentBaseFileName = /(?i)mshta\.exe$/, "MshtaChainSpawn",
    ParentBaseFileName = /(?i)(msedge|chrome|firefox|iexplore|opera|brave)\.exe$/, "BrowserSpawnedSuspiciousProcess",
    true(), "Unknown"
  )
| eval RiskScore = case(
    ParentBaseFileName = /(?i)mshta\.exe$/, 90,
    ParentBaseFileName = /(?i)(outlook|thunderbird|teams)\.exe$/, 85,
    ParentBaseFileName = /(?i)(msedge|chrome|firefox|iexplore|opera|brave)\.exe$/ AND FileName = /(?i)(powershell|wscript|cscript|mshta)\.exe$/, 75,
    true(), 60
  )
| groupBy([ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, DetectionVector, RiskScore], function=count(as=EventCount))
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 events CrowdStrike Humio / LogScale

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Legitimate URL protocol handler invocations from browsers (e.g., clicking a ms-appinstaller:// or ms-excel:// link) that cause the browser to spawn msiexec or a scripting engine as part of an approved application launch
Enterprise productivity suites with Teams or Outlook add-ins that automate business workflows by launching PowerShell or cmd.exe (e.g., CRM integration scripts, HR system connectors)
Security awareness training platforms or phishing simulation tools (e.g., KnowBe4, Proofpoint Security Awareness) that may trigger these parent-child process chains as part of simulated phishing campaigns

Last updated: 2026-04-21 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1566.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1566Phishing

Related Sub-techniques

T1566.001Spearphishing Attachment T1566.003Spearphishing via Service T1566.004Spearphishing Voice

Spearphishing Link

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Initial Access

Popular Detections