General
Attic uses two detection rules to identify when a user clicks a link to a website known to be malicious, and when the user actually visits that link. These detections are important because they indicate potential exposure to phishing attacks and help identify users who may have been targeted.
- RULE-1157 – Detects Clicks
- RULE-1158 – Detects Visits
Both alerts may be triggered by a single user action. However, there are scenarios where only one triggers, for example when certain detection features are not enabled.
Rationale
Clicking on phishing links is a strong indicator of cybercriminal activity and potential exposure to adversary-in-the-middle (AiTM) attacks. When users click malicious links, they may be redirected to fake login pages designed to steal credentials and session tokens. This behavioral pattern is often associated with credential harvesting campaigns and represents a critical security incident that requires immediate investigation to prevent further compromise.
Follow-up
Follow these steps to respond appropriately to this detection:
- Review the click details in the ticket
- Immediately contact the user to understand the context
- Check whether the user entered credentials on the malicious site
- If credentials were entered, immediately reset the user’s password and revoke all sessions
- Check for other suspicious activity by the same user
- Review the user’s recent email activity for signs of phishing attempts
- Consider implementing additional security measures for the affected account
- Provide the user with security awareness training
Comments
0 comments
Please sign in to leave a comment.