AN0299: Analytic 0299
Detection of spearphishing links through mail logs and browser activity. Behavior includes email with suspicious URLs → user click recorded in mail/web proxy logs → shell or interpreter launched from browser process.
Analyst context for executives and security teams
Analytic 0299 matters because it connects a common business entry point—phishing links—to evidence that a user clicked a suspicious URL and that the browser then spawned a shell or interpreter on Linux. For leaders, the value is not just “phishing detection”; it is validating whether mail, web, endpoint, and process telemetry can be joined quickly enough to support incident triage and containment decisions.
Executive priority
Prioritize this as a readiness check for phishing-driven intrusion response on Linux endpoints. Security leaders should ask whether the organization can prove, with logs, which users received suspicious links, who clicked, what web activity followed, and whether browser activity led to command execution. This supports SOC effectiveness, incident response scoping, audit evidence for monitoring controls, and investment decisions around mail logging, web proxy visibility, and endpoint process telemetry.
Technical view
The supplied analytic describes a correlation chain: suspicious URL observed in email, user click recorded in mail or web proxy logs, then a shell or interpreter launched from a browser process on Linux. SOC and detection engineering teams should validate whether these data sources share usable user, host, URL, timestamp, and process lineage fields. Because no official detection logic is provided, teams should treat this as a detection design pattern rather than a ready rule.
Likely telemetry
- Mail security or mail server logs showing messages containing URLs
- User click or URL rewrite/click-tracking logs where available
- Web proxy, secure web gateway, or browser activity logs showing outbound URL access
- Linux endpoint process creation telemetry
- Parent-child process lineage showing browser process spawning a shell or interpreter
Detection direction
- Validate correlation across email receipt, URL click, web access, and Linux process creation rather than relying on any single event.
- Tune for browser processes launching shells or interpreters, while accounting for legitimate administrative workflows, developer activity, and automation that may create similar process chains.
- Confirm time-window logic is practical: the email, click, web request, and process launch may not occur at the exact same time.
- Review blind spots where mail logs record delivery but not clicks, web proxies do not inspect all traffic, browser telemetry is absent, or Linux process creation logging lacks parent process details.
- Because tactics and relationships are not specified, avoid mapping this analytic too broadly without local validation against ATT&CK techniques or internal use cases.
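The telemetry list and detection direction above describe a join across three data sources with a time window at each hop. The following Python script is an added example, not part of the analytic or of MITRE's data: it joins constructed mail, web-proxy and Linux process-creation records on normalized user, host and URL host, enforces a mail-to-click window and a click-to-execution window, and flags only the full chain. All field names, process names, timestamps and sample records are assumptions made for the example; the hosts, users and URLs are fabricated.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Browser parents and shell/interpreter children to watch for. These names are
# assumptions for the example; extend them to match the browsers and runtimes
# deployed on your Linux fleet.
BROWSERS = {"firefox", "firefox-bin", "chrome", "chromium", "chromium-browser", "google-chrome"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby", "node"}


def parse_ts(value):
    """Timestamps are assumed to be ISO 8601 strings in one common timezone."""
    return datetime.fromisoformat(value)


def norm_user(user):
    """Identity normalization: 'Alice@corp.example.test' and 'alice' must join."""
    return user.lower().split("@")[0]


def url_host(url):
    """Join on the URL host only, so tracking-rewritten paths still match."""
    netloc = urlsplit(url).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":")[0]


# Constructed sample telemetry (not taken from the page). One delivered link is
# clicked and followed by a browser-spawned shell; a second link is clicked but
# the browser-spawned interpreter comes far too late to sit in the same chain.
MAIL_LOG = [
    {"ts": "2026-03-02T08:12:00", "recipient": "Alice@corp.example.test",
     "msg_id": "<m1@example.test>", "url": "https://invoice-portal.example.test/view?id=77"},
    {"ts": "2026-03-02T08:40:00", "recipient": "bob@corp.example.test",
     "msg_id": "<m2@example.test>", "url": "https://intranet.corp.example.test/news"},
]
PROXY_LOG = [
    {"ts": "2026-03-02T09:01:10", "user": "alice", "host": "lnx-ws-07",
     "url": "https://invoice-portal.example.test/view?id=77", "action": "allowed"},
    {"ts": "2026-03-02T09:30:00", "user": "bob", "host": "lnx-ws-03",
     "url": "https://intranet.corp.example.test/news", "action": "allowed"},
]
PROCESS_LOG = [
    # browser -> shell on alice's host 32 s after her click: the chain we want
    {"ts": "2026-03-02T09:01:42", "host": "lnx-ws-07", "user": "alice",
     "parent": "firefox", "name": "bash", "cmdline": "bash /tmp/update.sh"},
    # shell from a terminal: not browser lineage, never considered
    {"ts": "2026-03-02T09:05:00", "host": "lnx-ws-03", "user": "bob",
     "parent": "gnome-terminal", "name": "bash", "cmdline": "bash"},
    # browser -> python on bob's host 90 min after his click: outside exec_window
    {"ts": "2026-03-02T11:00:00", "host": "lnx-ws-03", "user": "bob",
     "parent": "chrome", "name": "python3", "cmdline": "python3 /opt/tool/handler.py"},
]


def browser_spawned_interpreters(process_log):
    """Stage 3 candidates: process events whose parent is a browser and whose image is a shell/interpreter."""
    return [p for p in process_log if p["parent"] in BROWSERS and p["name"] in INTERPRETERS]


def correlate(mail_log, proxy_log, process_log,
              click_window=timedelta(hours=72), exec_window=timedelta(minutes=15)):
    """Return one alert per full mail -> click -> browser-spawned-interpreter chain.

    click_window bounds how long after delivery a click still counts; exec_window
    bounds how long after the click the process launch still counts. Both are
    tuning knobs, not facts about adversary timing.
    """
    alerts = []
    for proc in browser_spawned_interpreters(process_log):
        proc_ts = parse_ts(proc["ts"])
        for click in proxy_log:
            if click["host"] != proc["host"] or norm_user(click["user"]) != norm_user(proc["user"]):
                continue
            click_ts = parse_ts(click["ts"])
            if not timedelta(0) <= proc_ts - click_ts <= exec_window:
                continue
            for mail in mail_log:
                if norm_user(mail["recipient"]) != norm_user(click["user"]):
                    continue
                if url_host(mail["url"]) != url_host(click["url"]):
                    continue
                mail_ts = parse_ts(mail["ts"])
                if not timedelta(0) <= click_ts - mail_ts <= click_window:
                    continue
                alerts.append({
                    "user": norm_user(proc["user"]), "host": proc["host"],
                    "msg_id": mail["msg_id"], "url": click["url"],
                    "parent": proc["parent"], "child": proc["name"],
                    "cmdline": proc["cmdline"],
                    "mail_to_click": click_ts - mail_ts, "click_to_exec": proc_ts - click_ts,
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(MAIL_LOG, PROXY_LOG, PROCESS_LOG):
        print(f"{a['user']}@{a['host']}: {a['msg_id']} -> {a['url']} -> "
              f"{a['parent']} spawned {a['child']} ({a['cmdline']}) "
              f"[click +{a['mail_to_click']}, exec +{a['click_to_exec']}]")
```

Running the script prints a single chain for alice; bob's browser-spawned `python3` is surfaced by `browser_spawned_interpreters` but never becomes an alert because it falls outside `exec_window`, which is where the false-positive tuning the page calls for happens. In a SIEM the same logic is a three-way join on normalized user, host and URL host with the two time bounds as join predicates; widening `exec_window` trades missed slow chains for more developer and automation noise.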
Mitigation priorities
- Ensure mail and web logging are retained and searchable with user, URL, and timestamp context.
- Deploy or validate Linux endpoint process creation logging with parent-child process visibility.
- Standardize identity and host identifiers across mail, web, and endpoint data to support incident scoping.
- Use phishing response playbooks that include URL click validation and endpoint follow-up when browser-to-shell behavior is observed.
- Document detection assumptions and coverage gaps as compliance and control-evidence artifacts.
Analyst notes and limits
This object is a detection analytic for Linux and describes a phishing-link-to-process-execution correlation pattern. It has no supplied relationships, aliases, tactics, or official detection logic, so the strongest use is as a validation checklist for telemetry coverage and SOC correlation design.
The source fields do not provide a concrete detection query, severity, technique relationships, adversary attribution, impact claims, or evidence of active exploitation. Local environment baselines are required to determine false positives, logging completeness, and operational priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8ad39e94687c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0299 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.