title: Spearphishing Link (T1566.002)
id: df00tech-t1566-002
status: experimental
description: "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Unlike spearphishing attachments, this variant embeds URLs in the email body text, requiring the recipient to actively click or paste the link into a browser. Clicked links may deliver browser exploits, prompt downloads of malware or scripts, or harvest credentials via convincing login pages. Advanced variants include OAuth consent phishing (abusing OAuth 2.0 authorization flows to steal application access tokens), device code phishing (abusing the OAuth 2.0 device authorization grant to obtain persistent tokens), and IDN homograph attacks, where lookalike Unicode domains impersonate trusted brands. URLs may also be obfuscated via URL shorteners, integer-format IP addresses (e.g., hxxp://1157586937), or the @ symbol trick (everything before the @ is parsed as userinfo and the real host follows it). Threat actors including Kimsuky, MuddyWater, BlackTech, LuminousMoth, DarkGate, and Squirrelwaffle have extensively leveraged this technique."
references:
  - https://attack.mitre.org/techniques/T1566/002/
  - https://df00tech.com/detections/T1566.002
author: df00tech
date: 2026/04/21
tags:
  - attack.t1566.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the original detection logic could not be auto-translated (see the KQL/SPL query on df00tech).
  # The selection below matches every process_creation event and must be replaced before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate enterprise software installers triggered by browser downloads — Chrome or Edge spawning msiexec.exe for software self-updates (Google Update, Microsoft Edge Update) will fire unless update-specific strings are excluded"
  - "Microsoft Teams or Outlook opening SharePoint/OneDrive links that trigger PowerShell-based document handlers or Office configuration scripts"
  - "Browser-based remote management or virtual desktop tools (Citrix Workspace, VMware Horizon, AWS AppStream) that spawn helper processes via registered browser protocol handlers"
  - "Security awareness training platforms (KnowBe4, Proofpoint Security Education) that simulate phishing link clicks and trigger benign download or redirect activity"
  - "Developer tools and IDEs that open browser links which then chain to build scripts or test runners (VS Code Live Share, JetBrains IDE browser preview)"
level: high
