An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204.001 | Malicious Link |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.CM-01.05 | Website and service blocking | Mitigates | T1204.001 | Malicious Link |
Comments
This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit.
|
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1204.001 | Malicious Link |
Comments
In order to protect users from being victims of social engineering attacks, network intrusion prevention techniques can be used to scan and block malicious downloads and malicious activity.
|
PR.PS-05.03 | Email and message service protection | Mitigates | T1204.001 | Malicious Link |
Comments
Tools that detect, block, and remove malware provide protection from users deceived into opening malicious documents, clicking on phishing links, or executing downloaded malware.
|
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1204.001 | Malicious Link |
Comments
This diagnostic statement protects against Malicious Link through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1204.001 | Malicious Link | |
CM-06 | Configuration Settings | mitigates | T1204.001 | Malicious Link | |
SC-44 | Detonation Chambers | mitigates | T1204.001 | Malicious Link | |
SI-08 | Spam Protection | mitigates | T1204.001 | Malicious Link | |
SI-02 | Flaw Remediation | mitigates | T1204.001 | Malicious Link | |
SI-03 | Malicious Code Protection | mitigates | T1204.001 | Malicious Link | |
CM-02 | Baseline Configuration | mitigates | T1204.001 | Malicious Link | |
CM-07 | Least Functionality | mitigates | T1204.001 | Malicious Link | |
SI-04 | System Monitoring | mitigates | T1204.001 | Malicious Link | |
AC-04 | Information Flow Enforcement | mitigates | T1204.001 | Malicious Link | |
SC-07 | Boundary Protection | mitigates | T1204.001 | Malicious Link |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2022-3038 | Google Chromium Network Service Use-After-Free Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This vulnerability has been exploited by a remote attacker to perform a sandbox escape via a crafted HTML page that allowed the attacker to exploit a heap corruption. This vulnerability was chained together with other CVEs during a spyware campaign performed by a customer or partner of a Spanish spyware company known as Variston IT.
|
CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted JavaScript. The adversaries then download a payload.
|
CVE-2024-38112 | Microsoft Windows MSHTML Platform Spoofing Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This vulnerability is exploited through a victim visiting a malicious Web page or clicking on an unsafe link. After visiting the website or clicking on the link, an adversary would gain the ability to execute arbitrary code on the victim system.
|
CVE-2023-2136 | Google Chrome Skia Integer Overflow Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This integer overflow vulnerability is exploited by a remote attacker who has already compromised the renderer process of Google Chrome. Exploiting this vulnerability might lead to incorrect rendering, memory corruption, and arbitrary code execution that could grant the adversary unauthorized access to the system.
In-the-wild exploitation techniques have not been publicly released to reduce further abuse.
|
CVE-2023-5217 | Google Chromium libvpx Heap Buffer Overflow Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This vulnerability was exploited by a remote attacker using a crafted HTML page to trigger a heap buffer overflow in the vp8 encoding of libvpx, leading to heap corruption. This flaw was part of a spyware campaign. The exploitation allowed for program crashes or arbitrary code execution, ultimately resulting in the installation of spyware.
|
CVE-2022-21971 | Microsoft Windows Runtime Remote Code Execution Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This vulnerability is exploited when an authenticated user is convinced by an attacker to download and open a specially crafted file from a website, which grants the attacker access to the victim's computer. No articles have been released to the public showing that this vulnerability has been exploited in the wild or providing any information on how an exploitation is carried out.
|
CVE-2022-3075 | Google Chromium Mojo Insufficient Data Validation Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This data validation vulnerability is exploited by a remote attacker who compromised the renderer process via a crafted HTML page to potentially perform a sandbox escape.
In-the-wild exploitation techniques have not been published by Google.
|
CVE-2023-5631 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine.
In a recent campaign, the Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing email containing a Base64-encoded payload embedded in the HTML source code. The payload is decoded and injects a remote JavaScript file, checkupdate.js, into the current user session.
The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction: the attack executes when the victim merely views the malicious email in a web browser.
|
CVE-2022-24682 | Zimbra Webmail Cross-Site Scripting Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This vulnerability is exploited by an attacker via spear-phishing emails containing malicious links to inject arbitrary HTML and JavaScript into the document by placing executable JavaScript inside element attributes. This results in unescaped markup, enabling the attacker to execute JavaScript in the context of a user's Zimbra session, leading to potential data theft and other malicious activities.
This vulnerability was identified by Volexity in December 2021 during a series of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic. The campaigns aimed to exploit this zero-day vulnerability, allowing attackers to execute arbitrary JavaScript in the context of a user's Zimbra session.
The attack involved two phases: an initial reconnaissance phase using emails with embedded remote images to track if targets opened the messages, and a second phase with spear-phishing emails containing malicious links. If a target clicked on these links while logged into the Zimbra webmail client, the attacker could exploit the vulnerability to steal email data and attachments.
|
CVE-2020-3580 | Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
CVE-2020-3580 is a vulnerability affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link to execute arbitrary script code within the interface or access sensitive browser-based information.
|
CVE-2012-0767 | Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Other | Other | related-to | T1204.001 | Malicious Link |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1204.001 | Malicious Link |
Comments
This control monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin, all of which are relevant for detecting users' interactions with malicious download links. However, malicious links that exploit browser vulnerabilities for execution are unlikely to be detected, and the temporal factor is unknown, resulting in a score of Minimal.
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
web_risk | Web Risk | technique_scores | T1204.001 | Malicious Link |
Comments
Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It also can provide warnings when attempting to access potentially unsafe sites. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. This has resulted in an overall score of Partial.
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-SSCO-E3 | Secure Score | Technique Scores | T1204.001 | Malicious Link |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
|
DEF-QUAR-E3 | Quarantine Policies | Technique Scores | T1204.001 | Malicious Link |
Comments
In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.
Traditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
The following M365 features are supported by quarantine policies: “Response” to anti-malware and anti-phishing tagged items, and files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
License requirements: M365 E3 (or Defender for Office plan 1)
|
DEF-ZHAP-E3 | Zero Hour Auto Purge | Technique Scores | T1204.001 | Malicious Link |
Comments
Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.
License Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.
|
DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1204.001 | Malicious Link |
Comments
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.
Required licenses
E5 or Microsoft Defender for Office 365 Plan 2 licenses.
|
DEF-SIMT-E5 | ATT&CK Simulation Training | Technique Scores | T1204.001 | Malicious Link |
Comments
M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves organizations' security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities.
The following social engineering techniques are available:
Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
License Requirements:
Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
|
DEF-PSP-E3 | Preset Security Policies | Technique Scores | T1204.001 | Malicious Link |
Comments
M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions.
Preset security policies detect Malicious Link attacks because all recipients in the organization receive Safe Links and Safe Attachments protection through the Built-in protection profile by default. Safe Links immediately checks URLs before opening the websites. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens.
License Requirements:
Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
|
DEF-SLNK-E3 | Safe Links | Technique Scores | T1204.001 | Malicious Link |
Comments
Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps.
Safe Links detects Malicious Link attacks because it immediately checks URLs before opening the websites. If the URL points to a website that has been determined to be malicious, a malicious website warning page opens.
License Requirements:
Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
|