Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN2025: Analytic 2025

If infrastructure or patterns in malicious web content have been previously identified, internet scanning may uncover when an adversary has staged web content to make it accessible for targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as during Spearphishing Link , Spearphishing Link , or Malicious Link .

EnterpriseAN2025AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about finding malicious web content that has been staged on the internet before it reaches the target organization. The business value is early warning: if defenders already know suspicious infrastructure, templates, or content patterns, external scanning may reveal preparation for phishing or malicious-link delivery before users click. The limitation is important: much of this activity occurs outside the organization’s normal visibility, so it should be treated as an intelligence-led detection opportunity rather than a standard internal SOC alert.

Executive priority

Prioritize this as a resilience and readiness question: does the organization have a way to turn known malicious infrastructure or content patterns into early warning, and does the SOC know how to act on that warning before user exposure? This is most relevant to incident response preparation, managed detection scoping, threat intelligence operations, and phishing-risk reduction. Leaders should not assume internal logging alone will cover this behavior because the ATT&CK description explicitly notes that much of it occurs outside target visibility.

Technical view

For SOC, detection engineering, and IR teams, validate whether external intelligence and internet-scanning outputs can be correlated with later user-facing events such as spearphishing links or malicious-link execution. Because the object has platform PRE and no specified tactic or formal detection field, coverage depends on external collection, enrichment, and operational workflow rather than endpoint-only telemetry. Teams should define how previously identified infrastructure or malicious web-content patterns are stored, searched, triaged, and linked to downstream email, proxy, DNS, browser, or incident data.

Likely telemetry

  • Internet scanning results for known malicious infrastructure or web-content patterns
  • Threat intelligence records for suspicious domains, URLs, hosting infrastructure, page templates, or content indicators
  • Email security telemetry involving embedded links, especially where related to spearphishing links
  • Web proxy, secure web gateway, or browser access logs for user visits to identified URLs or domains
  • DNS query logs for suspicious domains discovered through scanning

Detection direction

  • Confirm whether the organization has any approved source of external scanning or threat-intelligence collection; internal telemetry alone may miss staged content before delivery.
  • Use known malicious infrastructure or content patterns as the starting point, then correlate findings with later Spearphishing Link or Malicious Link activity referenced by ATT&CK.
  • Tune triage to reduce false positives from reused hosting providers, benign parked domains, copied web templates, and infrastructure that changes ownership.
  • Validate handoff procedures: when staged content is found, determine who enriches it, blocks it where appropriate, notifies response teams, and searches internal logs for exposure.
  • Document blind spots, especially lack of internet-scale visibility, limited URL/content retention, encrypted web traffic inspection constraints, and gaps between threat intelligence and SOC alerting.

Mitigation priorities

  • Establish a threat-intelligence workflow for tracking known malicious infrastructure and web-content patterns relevant to the organization.
  • Integrate external findings with email, DNS, web, and incident response processes so staged content can be assessed before or during user targeting.
  • Maintain response playbooks for suspicious links, including enrichment, internal exposure search, user notification, and containment decisions.
  • Use security awareness and phishing reporting processes as downstream controls because this analytic may not detect staging directly inside the organization.
  • Preserve audit-ready evidence of what external intelligence is collected, how it is reviewed, and how findings are actioned.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique. It provides a concise description but no official detection logic and no relationship records beyond references in the description to Spearphishing Link and Malicious Link behaviors. Treat it as guidance for intelligence-led early warning rather than a complete detection rule.

No relationships, tactics, aliases, labels, or official detection details were supplied. The only supported platform value is PRE. Any assessment of coverage, exposure, or exploitation requires local evidence from threat intelligence sources, external scanning capability, and internal email/web/DNS telemetry.

Official MITRE ATT&CK definition

Analytic 2025

If infrastructure or patterns in malicious web content have been previously identified, internet scanning may uncover when an adversary has staged web content to make it accessible for targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as during Spearphishing Link , Spearphishing Link , or Malicious Link .

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
764b1799b8111e35...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 764b1799b811…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN2025
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use