MITRE ATT&CK® Mitigation

M1021: Restrict Web-Based Content

Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:

Deploy Web Proxy Filtering:

- Use solutions to filter web traffic based on categories, reputation, and content types.
- Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

- Implement tools to restrict access to domains associated with malware or phishing campaigns.
- Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

- Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

- Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
- Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

- Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
- Configure alerts for access attempts to blocked domains or repeated file download failures.

Domain: Enterprise · ID: M1021 · Type: Mitigation · Object version: 1.1

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Restrict Web-Based Content is a preventive control family for reducing the business risk created when users, browsers, and systems interact with unsafe websites, downloads, scripts, extensions, and web services. Its value is not just blocking “bad sites”; it helps limit common paths into execution, phishing-led compromise, drive-by compromise, credential/token theft, and web-service-based command and control described in the related ATT&CK techniques.

Executive priority

Treat this as a resilience and control-evidence priority for organizations where web access, SaaS, identity provider use, office suites, remote work, and browser-based workflows are material to operations. Leaders should ask whether web proxy filtering, DNS filtering, browser policy enforcement, content security policy governance, and SIEM alerting are consistently applied, monitored, and evidenced. The business decision is how much user convenience and application compatibility risk the organization is willing to trade for reduced exposure to phishing links, unsafe downloads, browser credential theft, and adversary use of legitimate web services for command and control.

Technical view

SOC, detection engineering, and IR teams should validate that web controls are mapped to the related ATT&CK behaviors: phishing (spearphishing links, attachments, and services), drive-by compromise, user execution including malicious copy-and-paste into command interpreters, JavaScript and Visual Basic execution paths, trusted-developer-utility and system-binary proxy execution involving web-delivered content, web-service command and control, and theft or use of web session cookies and application access tokens. ATT&CK publishes no separate detection text for this mitigation, so teams should turn the mitigation description itself into validation criteria: proxy category, reputation, and content-type filtering; DNS blocking; download and file-type restrictions; browser feature and extension controls; CSP on owned web applications; and alerting on blocked-domain attempts or repeated download failures.

Likely telemetry

  • Web proxy logs including URL, category, reputation, content type, action taken, user, host, and download outcomes
  • DNS filtering logs including queried domain, response policy, block/allow action, user or device context where available
  • Browser policy and extension control evidence from endpoint or configuration management systems
  • SIEM alerts for blocked domains, unsafe file download attempts, anomalous web access, and repeated download failures
  • Email or collaboration security events involving links, attachments, and third-party service-delivered messages where integrated with web controls

Detection direction

  • Confirm logs from proxy, DNS filtering, browser policy enforcement, and web application CSP validation are actually collected and searchable before assuming this mitigation is measurable.
  • Tune alerting around blocked malicious or suspicious destinations, repeated failed downloads, and web access followed by script, command interpreter, or trusted binary execution behavior.
  • Account for noisy legitimate web services: related ATT&CK context includes adversary use of common external web services for command and control, so allowlists should be governed and reviewed rather than treated as permanent trust.
  • Validate coverage for phishing links and third-party-service messages, not only traditional email attachments, because related techniques include spearphishing link and spearphishing via service.
  • Review false positives from developer workflows, SaaS usage, browser extensions, remote services, and legitimate file downloads before enforcing broad blocks.
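The monitoring measure in the mitigation text calls for alerts on access attempts to blocked domains and on repeated file download failures, and the detection direction above asks for that alerting to be tuned rather than left raw. The following Python is an added example written for this page, not Glexia's or MITRE's code: it runs both rules over a few constructed proxy log lines using a per-user sliding time window. The log format, field order, category names, and thresholds are assumptions and would be replaced by the real proxy schema.

```python
"""Alerting over web proxy logs for blocked malicious destinations and
repeated download failures.

Added example for this page; it is not Glexia or MITRE code. The log format,
the field names, the category names and the thresholds are assumptions made
for illustration and would be replaced by the proxy's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real traffic). Assumed space-separated format:
# timestamp user host action category url content_type http_status
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice ws-01 ALLOW business https://intranet.example/home text/html 200
2024-05-01T09:00:14Z bob ws-02 BLOCK malware http://bad.example/pay.exe application/octet-stream 403
2024-05-01T09:00:20Z bob ws-02 BLOCK malware http://bad.example/pay.exe application/octet-stream 403
2024-05-01T09:00:31Z bob ws-02 BLOCK phishing http://login-update.example/ text/html 403
2024-05-01T09:02:02Z carol ws-03 ALLOW filesharing https://drop.example/f/1.zip application/zip 403
2024-05-01T09:02:10Z carol ws-03 ALLOW filesharing https://drop.example/f/2.zip application/zip 403
2024-05-01T09:02:15Z carol ws-03 ALLOW filesharing https://drop.example/f/3.zip application/zip 403
2024-05-01T09:40:00Z dave ws-04 BLOCK adult http://x.example/ text/html 403
"""

# Categories treated as malicious destinations; a block in a policy-only
# category such as "adult" is not an alert on its own (noise control).
MALICIOUS_CATEGORIES = {"malware", "phishing", "command-and-control"}
# Content types treated as file downloads for the failure rule (assumed list).
DOWNLOAD_TYPES = {"application/octet-stream", "application/zip",
                  "application/x-msdownload", "application/x-rar-compressed"}


def parse_line(line):
    """Parse one log line into a dict; raise on a malformed line rather than
    silently dropping it, so collection gaps surface instead of hiding."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"unexpected field count in line: {line!r}")
    ts, user, host, action, category, url, ctype, status = fields
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "host": host, "action": action, "category": category,
        "url": url, "content_type": ctype, "status": int(status),
    }


def windowed_hits(events, window, threshold):
    """Return the first run of at least `threshold` events whose timestamps
    fall within `window` (sliding window over time-sorted events), else []."""
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        if end - start + 1 >= threshold:
            return events[start:end + 1]
    return []


def detect(log_text, window_seconds=300, blocked_threshold=3, download_fail_threshold=3):
    """Run both rules over raw log text and return a list of alert dicts."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    window = timedelta(seconds=window_seconds)
    blocked = defaultdict(list)
    failed_downloads = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK" and e["category"] in MALICIOUS_CATEGORIES:
            blocked[e["user"]].append(e)
        # A download "fails" if the proxy did not allow it or the server refused it.
        if e["content_type"] in DOWNLOAD_TYPES and (e["action"] != "ALLOW" or e["status"] >= 400):
            failed_downloads[e["user"]].append(e)

    alerts = []
    for rule, buckets, threshold in (
        ("blocked_malicious_destinations", blocked, blocked_threshold),
        ("repeated_download_failures", failed_downloads, download_fail_threshold),
    ):
        for user, evs in buckets.items():
            hits = windowed_hits(evs, window, threshold)
            if hits:
                alerts.append({
                    "rule": rule, "user": user, "host": hits[0]["host"],
                    "count": len(hits),
                    "first_seen": hits[0]["ts"].isoformat(),
                    "destinations": sorted({h["url"] for h in hits}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, bob trips the blocked-destination rule (three malware/phishing blocks within the window) while his two blocked executable downloads stay below the download-failure threshold, carol trips the download-failure rule on three refused archive downloads that the proxy itself allowed, and dave's block in a policy-only category raises nothing. The window and the two thresholds are the tuning knobs the false-positive review point above refers to.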

Mitigation priorities

  • Start with policy scope: define which categories, reputations, domains, file types, browser features, scripts, and extensions are allowed, blocked, or require exception approval.
  • Deploy or validate web proxy filtering and DNS-based filtering for unsafe websites, malware or phishing domains, risky content types, and unauthorized downloads.
  • Enforce browser configuration controls, including extension governance and restrictions on unsafe browser behaviors, using centrally managed policy mechanisms where available.
  • Apply Content Security Policy controls to owned internal and external web applications to reduce unauthorized script execution, iframe embedding, and cross-origin abuse.
  • Feed proxy, DNS, browser, and CSP-related events into SIEM workflows with alerting for blocked access attempts and repeated download failures.
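The CSP measure in the mitigation text and the mitigation priority above both ask for headers that restrict script execution, iframe embedding, and cross-origin requests. The following Python is an added example written for this page, not Glexia's or MITRE's code: it parses a policy header value with browser-like first-directive-wins semantics and default-src fallback, and reports a weak constructed policy beside a hardened one for the same hypothetical application. Both policies and the finding codes are this example's own.

```python
"""Review a Content-Security-Policy header value for the weaknesses the page
calls out: unrestricted script execution, iframe embedding and cross-origin
requests.

Added example for this page; it is not Glexia or MITRE code. The two policies
below are constructed for a hypothetical application, and the finding codes
are this example's own labels.
"""

# Constructed policy that a review should reject: default-src is effectively
# unrestricted and inline/eval script is permitted everywhere.
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *"

# Constructed hardened policy for the same hypothetical application.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0m'; "
    "object-src 'none'; "
    "frame-ancestors 'none'; "
    "connect-src 'self' https://api.example; "
    "base-uri 'self'; "
    "form-action 'self'"
)

# Source expressions that permit loading from arbitrary origins.
WILDCARD_SOURCES = {"*", "http:", "https:", "data:"}
# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "report-uri", "sandbox"}


def parse_csp(header):
    """Parse a header value into {directive: [source expressions]}.
    Directive names are case-insensitive; when a directive is repeated,
    browsers keep the first occurrence, so this parser does too. Sources are
    lowercased for keyword matching (nonce values are not verified here)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective_sources(policy, directive):
    """Sources that apply to `directive`, honouring default-src fallback.
    Returns None when nothing restricts the directive at all."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def review_csp(header):
    """Return a list of (code, message) findings; an empty list means no
    finding from this example's checks, not a proof that the policy is safe."""
    policy = parse_csp(header)
    findings = []

    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append(("SCRIPT_UNRESTRICTED", "no script-src or default-src; any script may run"))
    else:
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
        # With a nonce or hash present, CSP Level 3 browsers ignore 'unsafe-inline'.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append(("SCRIPT_UNSAFE_INLINE",
                             "'unsafe-inline' without nonce/hash allows injected inline scripts"))
        if "'unsafe-eval'" in script:
            findings.append(("SCRIPT_UNSAFE_EVAL",
                             "'unsafe-eval' allows eval()/Function() on attacker-controlled strings"))
        if any(s in WILDCARD_SOURCES for s in script):
            findings.append(("SCRIPT_WILDCARD", "script-src allows scripts from arbitrary origins"))

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append(("OBJECT_NOT_NONE",
                         "object-src should be 'none' to block plugin-based script execution"))

    frame_ancestors = policy.get("frame-ancestors")
    if frame_ancestors is None or any(s in WILDCARD_SOURCES for s in frame_ancestors):
        findings.append(("FRAME_ANCESTORS_OPEN",
                         "frame-ancestors missing or wildcard; page can be embedded in any iframe"))

    connect = effective_sources(policy, "connect-src")
    if connect is None or any(s in WILDCARD_SOURCES for s in connect):
        findings.append(("CONNECT_WILDCARD", "connect-src unrestricted; scripts may call any origin"))

    if "base-uri" not in policy:
        findings.append(("BASE_URI_MISSING",
                         "base-uri missing; an injected <base> tag can redirect relative script URLs"))

    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, [code for code, _ in review_csp(header)])
```

Two behaviours matter in practice and are modelled here: a nonce or hash source neutralises 'unsafe-inline' in CSP Level 3 browsers, so a policy that keeps the keyword for legacy browsers is not flagged, and frame-ancestors, base-uri and form-action have no default-src fallback, which is where policies that look restrictive on the script side still leave embedding open.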

Analyst notes and limits

The relationship set makes this mitigation broader than basic URL blocking. It is relevant to initial access, execution, persistence, defense evasion, credential access, lateral movement, command and control, and exfiltration techniques when those behaviors depend on web content, browser behavior, user clicks, scripts, downloads, tokens, cookies, or legitimate web services. Glexia would use this object to drive a control validation conversation across SOC monitoring, identity/SaaS risk, browser hardening, web application governance, and incident response evidence readiness.

The ATT&CK object has no specified platforms or tactics for the mitigation itself and provides no official detection section. Platform references come only from related techniques, not from the mitigation object as a direct platform declaration. Local architecture, logging depth, policy configuration, and exception handling are required to determine real coverage.

Official MITRE ATT&CK definition

The mitigation text reproduced at the top of this page is the official MITRE ATT&CK definition. View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

31 rows
Domain ID Name Relationship / procedure
Enterprise T1659 Content Injection

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns.

Enterprise T1102.002 Bidirectional Communication Sub-technique

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Enterprise T1566.002 Spearphishing Link Sub-technique

Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

Enterprise T1528 Steal Application Access Token

Administrators can block end-user consent to OAuth applications, disabling users from authorizing third-party apps through OAuth 2.0 and forcing administrative consent for all requests. They can also block end-user registration of applications by their users, to reduce risk. A Cloud Access Security Broker can also be used to ban applications.

Azure offers a couple of enterprise policy settings in the Azure Management Portal that may help:

- "Users -> User settings -> App registrations: Users can register applications" can be set to "no" to prevent users from registering new applications.
- "Enterprise applications -> User settings -> Enterprise applications: Users can consent to apps accessing company data on their behalf" can be set to "no" to prevent users from consenting to allow third-party multi-tenant applications.

Enterprise T1539 Steal Web Session Cookie

Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface.

Enterprise T1218.001 Compiled HTML File Sub-technique

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files

Enterprise T1568 Dynamic Resolution

In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution.

Enterprise T1102.001 Dead Drop Resolver Sub-technique

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Enterprise T1204 User Execution

If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.

Enterprise T1133 External Remote Services

Restrict all traffic to and from public Tor nodes. [Citation: Defending Against Malicious Cyber Activity Originating from Tor]

Enterprise T1189 Drive-by Compromise

Adblockers can help prevent malicious code served through ads from executing in the first place. Script blocking extensions can also help to prevent the execution of JavaScript.

Consider disabling browser push notifications from certain applications and browsers. [Citations: mac security virus popup; push notifications - infosecinstitute; site notifications - krebsonsecurity]

Enterprise T1566.003 Spearphishing via Service Sub-technique

Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

Enterprise T1567 Exfiltration Over Web Service

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Enterprise T1568.002 Domain Generation Algorithms Sub-technique

In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.

Enterprise T1550.001 Application Access Token Sub-technique

Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (e.g., Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific: include a list of pre-approved applications and deny all others not on the list. Administrators may also block end-user consent through administrative portals, such as the Azure Portal, disabling users from authorizing third-party apps through OAuth and forcing administrative consent. [Citation: Microsoft Azure AD Admin Consent]

Enterprise T1102 Web Service

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Enterprise T1566 Phishing

Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

Enterprise T1204.004 Malicious Copy and Paste Sub-technique

If a link is being requested by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as `.scr`, `.exe`, `.pif`, `.cpl`, etc.

Enterprise T1059.005 Visual Basic Sub-technique

Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

Enterprise T1102.003 One-Way Communication Sub-technique

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Enterprise T1127 Trusted Developer Utilities Proxy Execution

Consider disabling software installation or execution from the internet via developer utilities.

Enterprise T1059.007 JavaScript Sub-technique

Script blocking extensions can help prevent the execution of JavaScript and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

Enterprise T1555.003 Credentials from Web Browsers Sub-technique

Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface.

Enterprise T1567.002 Exfiltration to Cloud Storage Sub-technique

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Enterprise T1059 Command and Scripting Interpreter

Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

Enterprise T1218 System Binary Proxy Execution

Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.

Enterprise T1567.001 Exfiltration to Code Repository Sub-technique

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Enterprise T1127.002 ClickOnce Sub-technique

Disable ClickOnce installations from the internet using the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel`, with the `Internet` value set to `Disabled`. [Citation: NetSPI ClickOnce]

Enterprise T1567.003 Exfiltration to Text Storage Sites Sub-technique

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Enterprise T1204.001 Malicious Link Sub-technique

If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.

Enterprise T1566.001 Spearphishing Attachment Sub-technique

Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments.
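Several rows above (User Execution, Malicious Link, Malicious Copy and Paste, Phishing, Spearphishing Attachment, Compiled HTML File) describe the same control: block unused file types such as .scr, .exe, .pif and .cpl in transit, and open compressed formats that may conceal them. The following Python is an added example written for this page, not Glexia's or MITRE's code: it applies that policy to a download by extension, by content sniffing for a PE header, and by walking ZIP archives including nested and renamed ones, failing closed on members it cannot inspect. The extension list beyond the page's own examples, the size and depth limits, and the constructed archives are assumptions.

```python
"""Gateway-style download check: block the file types the rows above name
(.scr, .exe, .pif, .cpl, CHM, HTA) and look inside ZIP archives, including
nested and renamed ones, for concealed members.

Added example for this page; it is not Glexia or MITRE code. The extension
list beyond the page's own examples, the size and depth limits and the sample
archives are assumptions made for illustration.
"""
import io
import zipfile

# Extensions from the ATT&CK rows above plus script/shortcut types added here
# as an assumption; a real policy would be tuned per environment.
BLOCKED_EXTENSIONS = (".scr", ".exe", ".pif", ".cpl", ".chm", ".hta",
                      ".js", ".vbs", ".lnk")
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate huge members (zip-bomb guard)
MAX_DEPTH = 3                          # nested-archive recursion limit


def risky_name(filename):
    """Return the blocked extension a name ends with (this also catches double
    extensions such as invoice.pdf.scr), or None."""
    lowered = filename.lower().rstrip()
    for ext in BLOCKED_EXTENSIONS:
        if lowered.endswith(ext):
            return ext
    return None


def risky_content(data):
    """Content sniffing: a PE header marks a Windows executable regardless of
    the name it was given."""
    return "pe-executable-content" if data[:2] == b"MZ" else None


def inspect_zip(data, depth=0):
    """Walk an archive and return (member_path, reason) pairs for members that
    should be blocked. Encrypted or oversize members cannot be examined, so
    they are reported rather than silently allowed (fail closed)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "malformed-archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = risky_name(info.filename)
            if ext:
                findings.append((info.filename, f"blocked extension {ext}"))
            if info.flag_bits & 0x1:            # general-purpose bit 0: encrypted
                findings.append((info.filename, "encrypted-member-not-scannable"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "oversize-member-not-scanned"))
                continue
            content = archive.read(info.filename)
            reason = risky_content(content)
            if reason:
                findings.append((info.filename, reason))
            # Recurse on content, not on the member's name, so a renamed archive is still opened.
            if content.startswith(ZIP_MAGIC):
                if depth + 1 > MAX_DEPTH:
                    findings.append((info.filename, "nesting-too-deep"))
                else:
                    findings.extend((f"{info.filename}/{path}", why)
                                    for path, why in inspect_zip(content, depth + 1))
    return findings


def download_decision(filename, data):
    """Decide ALLOW or BLOCK for a download and give the reasons."""
    reasons = []
    ext = risky_name(filename)
    if ext:
        reasons.append(f"{filename}: blocked extension {ext}")
    content_reason = risky_content(data)
    if content_reason:
        reasons.append(f"{filename}: {content_reason}")
    if data.startswith(ZIP_MAGIC):
        reasons.extend(f"archive member {path}: {why}" for path, why in inspect_zip(data))
    return ("BLOCK" if reasons else "ALLOW", reasons)


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a renamed ZIP inside a ZIP hides a .scr with a PE header.
    inner = build_zip({"invoice.pdf.scr": b"MZ\x90\x00fake"})
    outer = build_zip({"docs/readme.txt": b"hello", "attachment.dat": inner})
    print(download_decision("attachment.zip", outer))
    print(download_decision("docs.zip", build_zip({"report.pdf": b"%PDF-1.4"})))
```

The decision is made on content where possible (the ZIP signature and the PE header) and on name only as a supplement, because the rows above are about files that are renamed or wrapped to get past a name-only filter. Members that cannot be opened, such as encrypted or oversize ones, are reported as reasons to block rather than ignored, which mirrors the ATT&CK note that only some scanning devices can open encrypted formats.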

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: ac754c1e0f582b5f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | ac754c1e0f58…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M1021 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.