DET0893: Detection of Link Target
Analyst context for executives and security teams
This detection strategy is tied to identifying adversary-prepared link targets: resources referenced by URLs that may later be used in targeting, credential theft, or user-driven execution. The business value is early warning. If teams can recognize suspicious link infrastructure before or during delivery, they may reduce phishing-driven account compromise and incident escalation. However, the ATT&CK object itself provides no official detection logic, platforms, or telemetry requirements, so coverage must be validated locally rather than assumed.
Executive priority
Treat this as a readiness gap check for phishing and pre-compromise detection. Leaders should ask whether the organization can collect, preserve, and analyze evidence around suspicious URLs, user click activity, email-delivered links, and related infrastructure. Priority is highest where credential theft, business email compromise, or user-initiated malware execution would create operational, financial, or compliance impact.
Technical view
The relationship context maps this detection strategy to ATT&CK T1608.005 Link Target under Resource Development on PRE. SOC and detection teams should validate whether they can identify links and linked resources used in targeting workflows, especially where users are encouraged to click or paste URLs. Because MITRE provides no official detection text for DET0893, teams should base implementation on local telemetry, known phishing investigation workflows, and correlation with the related Link Target behavior rather than treating this as a complete analytic.
Likely telemetry
- Email security logs containing URLs, sender context, message metadata, and disposition decisions
- Web proxy, secure web gateway, DNS, or browser telemetry showing URL access and domain resolution
- Identity and access logs that can show suspicious authentication following link interaction
- Endpoint or browser activity records where available for user-initiated navigation or downloads
- Threat intelligence or enrichment records for domains, URLs, certificates, hosting, or redirect chains
Detection direction
- Validate whether URL extraction, normalization, and enrichment are consistent across email, web, DNS, and incident response tooling.
- Correlate suspicious link observations with user targeting context, click activity, and follow-on authentication or execution indicators where telemetry permits.
- Tune for common false positives such as legitimate marketing links, URL shorteners, redirect services, and newly registered but benign business infrastructure.
- Look for blind spots where links are only visible in user reports, personal messaging channels, encrypted web traffic, or logs with insufficient retention.
- Use the relationship to T1608.005 as context: this is about detecting prepared or referenced link resources, not proving successful compromise by itself.
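The first two points above, sketched as an added example (not MITRE's or Glexia's analytic): one normalization routine shared by every source, then a join from delivered link to click to follow-on sign-in. The record field names, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
AUTH_WINDOW = timedelta(minutes=30)  # assumed follow-on window; tune locally

def normalize_url(raw):
    """Reduce a URL to one comparable form for email, proxy and IR tooling."""
    # Undo analyst defanging (hxxp, [.]) so ticket text matches raw log values.
    raw = raw.strip().replace("hxxp", "http", 1).replace("[.]", ".")
    p = urlsplit(raw)
    host = (p.hostname or "").rstrip(".")  # hostname is already lowercased
    keep_port = p.port not in (None, DEFAULT_PORTS.get(p.scheme))
    netloc = f"{host}:{p.port}" if keep_port else host
    # Fragments never leave the browser, so they are dropped from the join key.
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def ts(s):
    return datetime.fromisoformat(s)

def correlate(emails, proxy, auths):
    """Join delivered links to clicks, then to sign-ins that follow the click."""
    findings = []
    for mail in emails:
        key = normalize_url(mail["url"])
        clicks = [c for c in proxy
                  if c["user"] == mail["rcpt"] and normalize_url(c["url"]) == key
                  and ts(c["time"]) >= ts(mail["time"])]
        if not clicks:
            findings.append((mail["rcpt"], key, "delivered"))
            continue
        click = ts(min(c["time"] for c in clicks))
        followed = any(a["user"] == mail["rcpt"]
                       and click <= ts(a["time"]) <= click + AUTH_WINDOW
                       for a in auths)
        findings.append((mail["rcpt"], key, "clicked+auth" if followed else "clicked"))
    return findings

# Constructed sample records (not real telemetry); field names are assumptions.
EMAILS = [
    {"time": "2026-01-05T09:00:00", "rcpt": "alice", "url": "hxxps://Login.Example[.]test:443/reset?id=7#top"},
    {"time": "2026-01-05T09:00:00", "rcpt": "bob", "url": "https://login.example.test/reset?id=7"},
]
PROXY = [{"time": "2026-01-05T09:12:00", "user": "alice", "url": "https://login.example.test./reset?id=7"}]
AUTHS = [{"time": "2026-01-05T09:20:00", "user": "alice", "src": "203.0.113.9"}]

if __name__ == "__main__":
    for row in correlate(EMAILS, PROXY, AUTHS):
        print(row)
```

A "clicked+auth" row is a triage priority, not proof of compromise: the sign-in still has to be checked against the user's normal source and device.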
Mitigation priorities
- Prioritize control validation for phishing-resistant access paths, including strong authentication and conditional access where applicable.
- Ensure email and web controls inspect, log, and retain URL-related evidence needed for investigation and audit support.
- Maintain incident response procedures for triaging reported links, preserving messages, scoping recipients, and checking follow-on account activity.
- Use threat intelligence enrichment cautiously to prioritize investigation, not as the sole basis for blocking or closing alerts.
- Review security awareness and reporting channels so users can quickly report suspicious links for SOC validation.
Analyst notes and limits
DET0893 has an official MITRE external reference but no supplied official description, detection text, tactics, platforms, aliases, or labels. The practical interpretation is derived from its relationship to T1608.005 Link Target and that technique’s supplied description. Local environment telemetry determines whether this can be detected before, during, or only after user interaction.
This take does not assert active exploitation, attribution, specific platforms, or guaranteed detection coverage. ATT&CK marks the related technique platform as PRE, and the detection strategy object itself has no specified platform or official analytic detail. Organizations must validate available logs, retention, enrichment quality, and response processes in their own environment.
Detection of Link Target
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1608.005 | Link Target (sub-technique) | This object detects Link Target. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a2dd210bf839… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0893
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.