unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the url accessed.

t1204
t1204.002
windows
sigma

Techniques

t1204
t1204.002

Sample rules

Potential Suspicious Browser Launch From Document Reader Process

source: sigma
technicques:
- t1204
- t1204.002

Description

Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_microsoft_help:
  CommandLine|contains: https://go.microsoft.com/fwlink/
filter_optional_foxit:
  CommandLine|contains:
  - http://ad.foxitsoftware.com/adlog.php?
  - https://globe-map.foxitservice.com/go.php?do=redirect
selection:
  CommandLine|contains: http
  Image|endswith:
  - \brave.exe
  - \chrome.exe
  - \firefox.exe
  - \msedge.exe
  - \opera.exe
  - \maxthon.exe
  - \seamonkey.exe
  - \vivaldi.exe
  ParentImage|contains:
  - Acrobat Reader
  - Microsoft Office
  - PDF Reader