T1204.001 Malicious Link Mappings

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.


Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: To exploit this vulnerability, adversaries sent spearphishing e-mails containing URLs to web pages hosting maliciously crafted JavaScript that exploited the flaw in Flash Player; once the exploit ran, a payload was downloaded to the victim's system.
CVE-2012-0767 | Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click a link to a malicious website. The attacker could then act as the user on the affected site, for example changing the user's settings or accessing the user's webmail.
CVE-2020-3580 | Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: CVE-2020-3580 affects the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit it by persuading a user of the interface to click a crafted link, allowing the attacker to execute arbitrary script code in the context of the interface or to access sensitive browser-based information.
CVE-2024-38112 | Microsoft Windows MSHTML Platform Spoofing Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This vulnerability is exploited by luring a victim to a malicious web page or to click an unsafe link. Once the victim visits the page or follows the link, the adversary gains the ability to execute arbitrary code on the victim's system.
CVE-2023-5631 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This vulnerability is exploited by sending the victim a malicious e-mail containing a crafted SVG document. When the user views the e-mail, the remote attacker can load arbitrary JavaScript in the victim's browser. The Winter Vivern group exploited this vulnerability in a recent campaign. The attack chain typically starts with a phishing e-mail whose HTML source carries a Base64-encoded payload. The payload is decoded and injects a remote JavaScript file, checkupdate.js, into the current user session. checkupdate.js acts as a loader for a final JavaScript payload designed to exfiltrate e-mail messages from the victim's account to a C2 server. The chain requires minimal user interaction: the attack executes as soon as the malicious e-mail is viewed in a web browser, so this particular chain does not depend on the user clicking a link.
CVE-2022-24682 | Zimbra Webmail Cross-Site Scripting Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This vulnerability is exploited via spear-phishing e-mails containing malicious links. Zimbra failed to escape markup placed in certain element attributes, so an attacker could put executable JavaScript inside those attributes and inject arbitrary HTML and JavaScript into the document, executing JavaScript in the context of the user's Zimbra session and enabling data theft and other malicious activity. Volexity identified the vulnerability in December 2021 during a series of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic, who exploited it as a zero-day. The attack involved two phases: an initial reconnaissance phase using e-mails with embedded remote images to track whether targets opened the messages, and a second phase with spear-phishing e-mails containing malicious links. If a target clicked one of these links while logged into the Zimbra webmail client, the attacker could exploit the vulnerability to steal e-mail data and attachments.
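The Roundcube and Zimbra entries above describe the same underlying mechanism: script smuggled into element attributes (event handlers, javascript: URLs) of HTML or SVG content that the webmail client renders without escaping or filtering. The following JavaScript is an added example, not code from Roundcube, Zimbra, or the mappings project. It shows an attribute-context escaping bug beside its hardened form, and an attribute and tag filter of the kind a webmail sanitizer applies to parsed message bodies. The template functions, the attribute and tag sets, the host names and the sample SVG element are all constructed for illustration.

```javascript
// Added example, not code from Roundcube, Zimbra or the mapping page:
// attribute-context XSS in webmail rendering, and a hardened counterpart.
// Plain Node.js, no dependencies. All sample input is constructed here.

// --- 1. Output encoding -------------------------------------------------
// A text-only escaper handles <, > and & but leaves quotes alone, so a value
// written into a quoted attribute can close the quote and add new attributes
// (the "executable JavaScript inside element attributes" pattern).
function naiveEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened: encode every character that has meaning inside an attribute value.
const ATTR_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ATTR_ENTITIES[c]);
}

// Hypothetical template that renders a message subject into a title attribute.
function renderSubjectVulnerable(subject) {
  return `<a href="#" title="${naiveEscape(subject)}">open</a>`;
}
function renderSubjectSafe(subject) {
  return `<a href="#" title="${escapeAttr(subject)}">open</a>`;
}

// --- 2. Attribute filtering for HTML/SVG message bodies -----------------
// Input is the attribute map of an already-parsed element; a real sanitizer
// walks a DOM tree and applies this to every node (and allowlists the tags).
const URL_ATTRS = new Set(["href", "src", "xlink:href", "action", "formaction", "poster"]);
const SAFE_URL_SCHEME = /^(?:https?:|mailto:|cid:|#)/i;
// Tags that execute script or pull in external content without any click.
const BLOCKED_TAGS = new Set(["script", "iframe", "object", "embed", "foreignobject", "use", "animate", "set"]);

function filterAttributes(attrs) {
  const kept = {};
  const dropped = [];
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (name.startsWith("on")) {            // onload, onerror, onmouseover, ...
      dropped.push(rawName);
      continue;
    }
    if (name === "style") {                 // url() loads, legacy expression()
      dropped.push(rawName);
      continue;
    }
    if (URL_ATTRS.has(name)) {
      // Browsers ignore leading and embedded control characters and
      // whitespace when parsing the scheme, so strip them before checking.
      const normalized = value.replace(/[\u0000-\u0020]/g, "");
      if (!SAFE_URL_SCHEME.test(normalized)) {   // javascript:, data:, relative
        dropped.push(rawName);
        continue;
      }
    }
    kept[rawName] = value;
  }
  return { kept, dropped };
}

// Returns null when the element must be removed entirely, otherwise the
// element with its filtered attribute map.
function sanitizeElement(tag, attrs) {
  if (BLOCKED_TAGS.has(tag.toLowerCase())) return null;
  return { tag, attrs: filterAttributes(attrs).kept };
}

// Constructed sample: an SVG <image> carrying an event handler and an
// obfuscated javascript: URL, as a crafted SVG in a mail body might.
const CONSTRUCTED_SVG_IMAGE = {
  tag: "image",
  attrs: {
    width: "1",
    height: "1",
    "xlink:href": "https://example.invalid/tracker.svg",
    href: " \tJavaScript:fetch('https://example.invalid/c2')",
    onload: "alert(document.cookie)",
  },
};

function demoConstructedSvg() {
  const injected = 'Re: invoice" onmouseover="alert(document.cookie)';
  return {
    vulnerableMarkup: renderSubjectVulnerable(injected),
    safeMarkup: renderSubjectSafe(injected),
    image: sanitizeElement(CONSTRUCTED_SVG_IMAGE.tag, CONSTRUCTED_SVG_IMAGE.attrs),
    script: sanitizeElement("script", { src: "https://example.invalid/checkupdate.js" }),
  };
}

console.log(JSON.stringify(demoConstructedSvg(), null, 2));
```

Run it with `node`. The filter is deliberately strict: relative URLs and inline styles are dropped because a mail client has no trustworthy base URL for message content. In production the filter belongs in a walk over a parsed DOM tree, not over hand-built attribute maps, and tags should be allowlisted rather than blocklisted as they are here for brevity.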
CVE-2023-5217 | Google Chromium libvpx Heap Buffer Overflow Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This vulnerability was exploited by a remote attacker using a crafted HTML page to trigger a heap buffer overflow in the VP8 encoder of libvpx, corrupting the heap. Successful exploitation could crash the program or achieve arbitrary code execution; in the observed spyware campaign it led to the installation of spyware.
CVE-2022-3038 | Google Chromium Network Service Use-After-Free Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This vulnerability was exploited by a remote attacker using a crafted HTML page to exploit heap corruption and escape the sandbox. It was chained with other CVEs in a spyware campaign run by a customer or partner of the Spanish spyware company Variston IT.
CVE-2022-21971 | Microsoft Windows Runtime Remote Code Execution Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This vulnerability is exploited when an attacker convinces an authenticated user to download and open a specially crafted file from a website, granting the attacker access to the victim's computer. No public reporting describes observed in-the-wild exploitation or how the exploitation is carried out.
CVE-2022-3075 | Google Chromium Mojo Insufficient Data Validation Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This data validation vulnerability is exploited by a remote attacker who has already compromised the renderer process, using a crafted HTML page to potentially escape the sandbox. Google has not published details of the in-the-wild exploitation technique.
CVE-2023-2136 | Google Chrome Skia Integer Overflow Vulnerability | exploitation_technique | T1204.001 | Malicious Link
Comments: This integer overflow vulnerability is exploited by a remote attacker who has already compromised the renderer process of Google Chrome. Exploitation may lead to incorrect rendering, memory corruption, and arbitrary code execution, granting the adversary unauthorized access to the system. Details of the in-the-wild exploitation technique have not been publicly released, to limit further abuse.