ATT&CK coverage › Technique

Phishing: Spearphishing Link `T1566.002`

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Events covered

15 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	11	FileCreate
Security-Auditing	4688	A new process has been created.
Defender-DeviceEvents	9007000	Defender event (any)
Defender-DeviceProcessEvents	9001000	Process activity (any)
Windows-Defender	1121	Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
Windows-Defender	1122	Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
Windows-Defender	1125	Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
Windows-Defender	1126	Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
Windows-Defender	1129	A user has allowed a blocked Microsoft Defender Exploit Guard operation.
Windows-Defender	1131	ProductName has blocked an operation that your administrator doesn't allow.
Windows-Defender	1132	ProductName has audited an operation.
Windows-Defender	1133	ProductName has blocked an operation that your administrator doesn't allow.
Windows-Defender	1134	ProductName has audited an operation.
Windows-Defender	5007	Product Name Configuration has changed.

Authoring guide

Patterns shared across the 6 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (7 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`EventID`	3	`in` 3	`1125`, `1126`, `1133`, `1134`, `1131`
`ParentImage`	2	`eq` 2	`browsers`
`InitiatingProcessFileName`	2	`eq` 2	`browsers`, `officeApps`
`ActionType`	1	`contains` 1	`Office`
`file_name`	1	`eq` 1	`"*.lnk"`
`event_action`	1	`eq` 1	`"created"`
`TargetFilename`	1	`in` 1	`":\\AppData\\Local\\Temp\\"`, `":\\Windows\\Temp\\"`, `":\\Temp\\"`

Top indicator values (20 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`EventID`	`in`	`1126`	3	3
`ParentImage`	`eq`	`browsers`	2
`EventID`	`in`	`1132`	2	2
`EventID`	`in`	`1125`	2	2
`EventID`	`in`	`1134`	2	2
`EventID`	`in`	`1122`	2	2
`EventID`	`in`	`1121`	2	2
`EventID`	`in`	`1133`	2	2
`EventID`	`in`	`1131`	2	2
`EventID`	`in`	`1129`	2	2
`InitiatingProcessFileName`	`eq`	`browsers`	1
`ActionType`	`contains`	`Office`	1
`InitiatingProcessFileName`	`eq`	`officeApps`	1
`file_name`	`eq`	`"*.lnk"`	1
`TargetFilename`	`in`	`":\\Temp\\"`	1	2
`TargetFilename`	`in`	`":\\AppData\\Local\\Temp\\"`	1
`TargetFilename`	`in`	`":\\Windows\\Temp\\"`	1	2
`event_action`	`eq`	`"created"`	1	3
`TargetFilename`	`in`	`":\\Users\\"`	1
`EventID`	`in`	`5007`	1	3

Common exclusions (15 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field	Kind	Value	Rules excluding
`FileName`	`ends_with`	`.xlsx`	1
`FileName`	`ends_with`	`.pptx`	1
`FileName`	`ends_with`	`.docx`	1
`FileName`	`eq`	`officeApps`	1
`FileName`	`eq`	`browsers`	1
`FileName`	`eq`	`allowList`	1
`TargetFilename`	`in`	`"\\AppData\\Roaming\\Microsoft\\Excel\\"`	1
`TargetFilename`	`in`	`"\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\"`	1
`TargetFilename`	`in`	`"\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"`	1
`TargetFilename`	`in`	`"\\AppData\\Local\\Microsoft\\Windows\\WinX\\"`	1
`TargetFilename`	`in`	`"\\Links\\"`	1
`TargetFilename`	`in`	`"\\OneDrive "`	1
`TargetFilename`	`in`	`"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\"`	1
`TargetFilename`	`in`	`"\\AppData\\Roaming\\Microsoft\\Word\\"`	1
`TargetFilename`	`in`	`"\\AppData\\Roaming\\Microsoft\\Office\\Recent\\"`	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Splunk 4 rules

Process Creating LNK file in Suspicious Location 1 event, 6 indicators, 1 exclusion
Windows Defender ASR Audit Events 5 events, 5 indicators, 0 exclusions
Windows Defender ASR Block Events 5 events, 5 indicators, 0 exclusions
Windows Defender ASR Rules Stacking 10 events, 10 indicators, 0 exclusions

Kusto Query Language 2 rules

Office ASR rule triggered from browser spawned office process. 1 event, 3 indicators, 3 exclusions
Suspicious parentprocess relationship - Office child processes. 3 events, 2 indicators, 3 exclusions

Phishing: Spearphishing Link T1566.002