Threat Awareness – Phishing Campaign Leveraging LinkedIn Smart Links Returns to Siphon Microsoft Credentials

Author: ian_41208

Created: Thursday, October 12, 2023 - 18:32

Categories: Cybersecurity

Cofense detected a surge in the abuse of LinkedIn Smart Links in phishing attacks, which allows actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn’s Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn’s domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections” (Bleeping Computer, 2023). In the latest campaign, Cofense observed over 800 emails with subjects pertaining to payments, human resources, documents, security notifications, and more. The emails reached users in multiple industries and together contained over 80 unique LinkedIn Smart Links directing recipients to a fake Microsoft Office login page. The finance sector was the most targeted, followed by manufacturing, energy, construction, and healthcare. Although some sectors were targeted more than others, Cofense notes that the campaign did not directly target one business or sector and was strictly intended to gather as many Microsoft account credentials as possible.

To add credibility and convince victims that the fake Microsoft login pages set up by the actors are authentic, researchers say the Smart Link sent to targets is modified to include the victim’s email address. When the victim clicks on the link, the phishing page automatically retrieves the email address and populates it in the corresponding form field. This makes it appear like a legitimate login portal, where users are only required to enter their password. Rather than a customized design specific to the victim’s company, the phishing page mimics a standard Microsoft login portal. Although this approach increases the list of potential targets, individuals who are familiar with their employer’s unique login interfaces may not be inclined to enter their credentials.
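The two traits described above (a LinkedIn-hosted link with an eight-character code, carrying the recipient's own address) can be checked at the mail gateway. The following is an added example, not code from Cofense, Bleeping Computer or WaterISAC. It assumes the Smart Link path is `/slink` with a `code` query parameter, and it goes beyond the page by also checking percent-encoded and base64 forms of the address; `classify_link` is a hypothetical helper name.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LINKEDIN_HOSTS = {"linkedin.com", "www.linkedin.com"}
SMART_LINK_PATH = "/slink"  # assumption: the page does not give the path
CODE_RE = re.compile(r"[A-Za-z0-9_-]{8}")  # eight-character code parameter


def _decoded_forms(text):
    """Yield text percent-decoded, then base64-decoded when that succeeds."""
    plain = unquote(text)
    yield plain
    try:
        padded = plain + "=" * (-len(plain) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass


def classify_link(url, recipient):
    """Return 'not_smart_link', 'smart_link' or 'smart_link_with_recipient'."""
    parts = urlsplit(url)
    # Exact host match so look-alike hosts are not treated as LinkedIn.
    if (parts.hostname or "").lower() not in LINKEDIN_HOSTS:
        return "not_smart_link"
    if parts.path.rstrip("/") != SMART_LINK_PATH:
        return "not_smart_link"
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not CODE_RE.fullmatch(dict(params).get("code", "")):
        return "not_smart_link"
    # Anything besides the code is data the sender attached to the link.
    extras = [v for k, v in params if k != "code"] + [parts.fragment]
    needle = recipient.strip().lower()
    for extra in extras:
        if needle and any(needle in f.lower() for f in _decoded_forms(extra)):
            return "smart_link_with_recipient"
    return "smart_link"


if __name__ == "__main__":
    # Constructed sample URLs; the code values and address are not real.
    for sample in (
        "https://www.linkedin.com/slink?code=AbCd1234",
        "https://www.linkedin.com/slink?code=AbCd1234#alice%40example.com",
        "https://www.linkedin.com.login.example/slink?code=AbCd1234",
    ):
        print(classify_link(sample, "alice@example.com"), sample)
```

A `smart_link_with_recipient` result is a reason to hold the message for review or click-time analysis rather than to block it outright, since Smart Links also have legitimate marketing use.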

Given that threat actors are using emails as an initial attack vector, members are encouraged to share this current campaign through security awareness reminders emphasizing the importance of verifying emails that appear to come from trusted sources. For more, please visit Bleeping Computer.

1250 I Street NW, Suite 350
Washington, DC 20005
1-866-H2O-ISAC (1-866-426-4722)
© 2026 WaterISAC. All Rights Reserved.
