Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0298: Analytic 0298

Correlation of inbound emails with embedded links followed by user-driven browser navigation to suspicious or obfuscated domains. Detection chain includes malicious URL in email → user click recorded in Office logs → browser process spawning unusual child processes (e.g., PowerShell, cmd) or download activity.

EnterpriseAN0298AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0298 is a detection analytic for connecting a suspicious email link to what the user does next: a click recorded in Office logs, browser navigation to suspicious or obfuscated domains, and possible Windows follow-on activity such as downloads or a browser spawning command-line tools. Its business value is in reducing the time between a phishing email, a user click, and an incident response decision.

Executive priority

Prioritize this as an evidence-chain validation item for phishing resilience and SOC readiness. Leaders should ask whether email, Office click activity, web/browser activity, and Windows process telemetry can be correlated quickly enough to support containment decisions, user notification, and audit evidence. The analytic is especially useful for assessing whether phishing controls are only blocking messages, or whether the organization can also detect risky post-click behavior.

Technical view

For Windows environments, validate the end-to-end chain described by the analytic: inbound email containing embedded links; user click evidence in Office logs; browser navigation to suspicious or obfuscated domains; and follow-on browser behavior such as downloads or child processes like PowerShell or cmd. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat this as a correlation pattern rather than a complete rule. Testing should focus on whether timestamps, user identity, email message metadata, URL/domain values, browser process data, and child-process telemetry can be joined reliably.

Likely telemetry

  • Inbound email security or mail platform logs containing message, sender, recipient, and embedded URL details
  • Office logs recording user clicks on links
  • Browser navigation or web access telemetry showing destination domains and URLs
  • Windows endpoint process telemetry for browser processes and child processes
  • File download telemetry or endpoint events associated with browser activity

Detection direction

  • Validate correlation across email, Office click logs, browser activity, and Windows process events rather than evaluating each source in isolation.
  • Tune for suspicious or obfuscated domains, while accounting for legitimate marketing redirects, URL shorteners, security scanning, and automated link detonation that can create false positives.
  • Prioritize cases where a clicked link is followed by browser-spawned PowerShell, cmd, or unusual download activity.
  • Check for blind spots where email security tools rewrite URLs, Office click logs are unavailable, browser telemetry is not centrally collected, or endpoint process logging is incomplete.
  • Confirm that user, device, and timestamp normalization is good enough for incident responders to reconstruct the post-click sequence.

Mitigation priorities

  • Ensure mail, Office, browser/web, and Windows endpoint telemetry are retained and accessible for correlation.
  • Strengthen phishing and URL controls, but pair prevention with post-click monitoring so user-driven navigation is not missed.
  • Harden Windows endpoint controls around unusual browser child-process behavior where operationally feasible.
  • Maintain incident response playbooks for triaging a clicked malicious or suspicious link, including user validation, endpoint review, and download/process investigation.
  • Use this analytic as evidence for control testing and compliance readiness where phishing detection and response capability must be demonstrated.
Analyst notes and limits

This object describes a detection analytic, not a technique or adversary behavior profile. The most useful defensive interpretation is an end-to-end phishing click correlation model for Windows users, centered on Office click evidence and browser/endpoint follow-on activity. Relationship context was not supplied, so no ATT&CK technique, tactic, campaign, or threat group mapping is inferred.

Official detection logic is not provided, tactics are not specified, and no relationships are supplied. The object supports Windows as the platform and references Office logs, browser navigation, suspicious or obfuscated domains, downloads, and browser child processes. Local log availability, retention, identity correlation, and domain reputation methods are required to determine actual coverage.

Official MITRE ATT&CK definition

Analytic 0298

Correlation of inbound emails with embedded links followed by user-driven browser navigation to suspicious or obfuscated domains. Detection chain includes malicious URL in email → user click recorded in Office logs → browser process spawning unusual child processes (e.g., PowerShell, cmd) or download activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
7ede8333c6ac454e...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 7ede8333c6ac…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0298
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use