title: Spearphishing Link (T1598.003)
id: df00tech-t1598-003
status: experimental
description: "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. The malicious emails contain links to clone login portals, credential harvesting sites, or adversary-in-the-middle (AiTM) proxy infrastructure such as EvilProxy and Evilginx2. Attackers may also use QR codes (quishing) to bypass email URL scanners, embed tracking pixels and web beacons to verify email delivery and profile victims (IP address, email client, OS), or conduct browser-in-the-browser (BitB) attacks that display fake browser popups mimicking legitimate login pages. URL obfuscation techniques include using the @ symbol (http://legit.com@malicious.com routes to malicious.com), integer- or hex-encoded hostnames, and URL shorteners to bypass static block lists. Groups including APT28, Kimsuky, Sidewinder, Scattered Spider, Silent Librarian, and Sandworm Team are known to use this technique extensively for credential harvesting before initial access."
references:
  - https://attack.mitre.org/techniques/T1598/003/
  - https://df00tech.com/detections/T1598.003
author: df00tech
date: 2026/03/13
tags:
  - attack.t1598.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics"
  - "Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense"
  - "Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs"
  - Corporate newsletter or HR communication services using URL redirection for open and click tracking
  - "Automated IT system notifications (Azure AD access reviews, Okta account alerts) containing authentication-related URL keywords"
level: high