User Execution
Rely on a user opening a malicious file or link.
§ Where this technique fits
T1204 is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 15 approved dossiers in the registry, at step 3.3 on average.
Authoritative reference: attack.mitre.org/techniques/T1204/.
§ Dossiers chaining this technique
- step 2 / 6
OneNote .one attachment → embedded payload → C2
OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. Effective initial access vector after Microsoft blocked internet macros in 2022.
- step 2 / 5
Prompt injection → tool-call shell RCE
Coding-assistant agent has a 'run command' tool. Hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help.
- step 3 / 6
Malicious MCP server → silent supply chain for agent tools
User installs an MCP server marketed as a useful integration. Every subsequent agent session has the rogue server in scope — its tools log prompts, exfil files, or inject responses to bias the agent.
- step 3 / 6
Wallet drainer dApp → setApprovalForAll → instant theft
Victim connects their wallet to a phishing dApp (fake mint / fake airdrop). One click on 'Confirm' calls setApprovalForAll on every valuable NFT collection — drained moments later.
- step 3 / 6
Malicious browser extension → cookie harvest → ATO
Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- step 3 / 5
Output injection → admin XSS in support panel
Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires.
- step 3 / 6
USB drop in parking lot → HID payload → C2
Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2.
- step 3 / 6
MFA fatigue / prompt-bombing → M365 admin compromise
Attacker has the password (from breach / spray) but not MFA. Spam push approvals at 2 AM until the user taps yes out of habit — used in the Uber and 0ktapus breaches.
- step 3 / 6
Browser-in-the-Browser → credential theft on a trusted page
Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- step 3 / 6
OAuth device-code phishing → M365 access without a fake page
Initiate a device-code flow against login.microsoftonline.com; send the code + url to the victim via email or chat. Once they enter it, attacker gets access + refresh tokens.
- step 4 / 6
Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)
Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives.
- step 4 / 6
iOS URL scheme hijack → OAuth code theft
Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.
- step 4 / 5
Gatekeeper bypass → unsigned binary execution
Deliver a payload that strips the com.apple.quarantine xattr (via .dmg with no quarantine attribute or an archive format that doesn't preserve xattrs) — Gatekeeper never prompts.
- step 5 / 6
Header smuggling → gateway sees vendor, mailbox sees attacker
Crafted RFC-edge headers cause SPF/DMARC to validate against one From while Outlook renders the other — slips past Microsoft Defender / Proofpoint and lands as a 'verified' message.
- step 5 / 6
Compromised vendor mailbox → reply-chain phishing → client compromise
Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
§ What commonly comes next
- 01 Command and Scripting Interpreter (T1059 · Execution), seen 2×
- 02 Valid Accounts (T1078 · Initial Access), seen 2×
- 03 AAD Token Cache Exfil (M365-TOKEN-EXFIL · Credential Access), seen 1×
- 04 AITM Phishing — Evilginx / Modlishka (PH-AITM-EVILGINX · Initial Access), seen 1×
- 05 EternalBlue (MS17-010 / CVE-2017-0144) (CVE-ETERNALBLUE · Initial Access), seen 1×
- 06 Indirect Prompt Injection (RAG / Web) (AI-INDIRECT-INJECT · Initial Access), seen 1×
- 07 LaunchAgent / LaunchDaemon Persistence (MAC-LAUNCHAGENT · Persistence), seen 1×
- 08 Malicious MCP Server (AI-MCP-SERVER · Initial Access), seen 1×