Capturing the Click: Process-Based Detection of Malicious Link Interactions

Capturing the Click: Process-Based Detection of Malicious Link Interactions (PDF, 1.39MB)
Published: 22 Jun, 2026
Created by: Daniel Gott

Web links remain one of the most reliably abused vectors in phishing attacks. However, defenders continue to depend on network-based monitoring and post-execution detection that activate only after an account has been compromised.

This research validates the browser command-line flags used by Chrome, Edge, and Firefox as parameters in process-creation events, capturing both the clicked URL and the parent application, document, or script that delivered it. A set of 84 link-interaction test cases across a variety of enterprise applications, file formats, scripting file types, and terminal environments on Windows 11 demonstrates that process-creation monitoring captures browser-invocation behavior with high fidelity across the majority of tested launcher categories, while providing delivery-vector context unavailable in network telemetry.

A detection framework built on the ELK stack enriches each captured URL against four external threat intelligence services and applies process-chain contextual scoring to produce a risk verdict. Validated against Evilginx adversary-in-the-middle simulations, live malicious domains, and a 200-domain benign baseline, the results confirm that process-layer telemetry can identify not only that a malicious link was invoked, but precisely how it was delivered.
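
The capture step described above, sketched as an added example that is not code from the paper. It assumes `--single-argument` (Chrome, Edge) and `-url` (Firefox) are the default Windows URL-handler arguments; the events are constructed with Sysmon-style field names, and the launcher categories are illustrative rather than the paper's taxonomy.

```python
import re
from urllib.parse import urlsplit

# Illustrative launcher categories (assumption, not the paper's taxonomy).
LAUNCHERS = {"outlook.exe": "mail", "winword.exe": "document",
             "wscript.exe": "script", "powershell.exe": "terminal",
             "cmd.exe": "terminal", "explorer.exe": "shell"}
# Assumed default URL-handler flags: Chrome/Edge pass the URL as the remainder
# of the command line after --single-argument; Firefox passes it after -url.
PATTERNS = {"chrome.exe": r'\s--single-argument\s+(.+)$',
            "msedge.exe": r'\s--single-argument\s+(.+)$',
            "firefox.exe": r'\s-url\s+("[^"]+"|\S+)'}

def exe_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def extract_click(event):
    """Return click context for a URL-handler browser launch, else None."""
    browser = exe_name(event["Image"])
    pattern = PATTERNS.get(browser)
    match = re.search(pattern, event["CommandLine"]) if pattern else None
    if not match:
        return None  # not a browser, or a child process launched without a URL
    url = match.group(1).strip().strip('"')
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    parent = exe_name(event["ParentImage"])
    return {"browser": browser, "url": url, "host": parts.hostname,
            "parent": parent, "launcher": LAUNCHERS.get(parent, "other"),
            "parent_cmdline": event["ParentCommandLine"]}

def triage(events):
    return [click for click in map(extract_click, events) if click]

# Constructed sample events; hosts use the reserved .example TLD.
CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
SAMPLE_EVENTS = [
    {"Image": CHROME.strip('"'), "ParentCommandLine": '"OUTLOOK.EXE"',
     "CommandLine": CHROME + " --single-argument https://login.phish.example/auth?id=1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://files.example/invoice"',
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\user\Downloads\invoice.js"'},
    {"Image": CHROME.strip('"'), "CommandLine": CHROME + " --type=renderer",
     "ParentImage": CHROME.strip('"'), "ParentCommandLine": CHROME},
]
```

`triage(SAMPLE_EVENTS)` keeps the two handler launches with their parent context and drops the renderer child process, which carries no URL argument.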