LinkedIn Smart Links Attacks Return to Target Microsoft Accounts

Cyber Security Threat Summary:
Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks, allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn's domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections” (Bleeping Computer, 2023). In the latest campaign, Cofense observed over 800 emails with various subjects pertaining to payments, human resources, documents, security notifications, and more. These emails, which reached users across multiple industries, contained over 80 unique LinkedIn Smart Links designed to direct recipients to a fake Microsoft Office login page. The finance sector was the most targeted, followed by manufacturing, energy, construction, and healthcare. Although some sectors were targeted more than others, Cofense notes that the campaign did not directly target one business or sector and was strictly intended to gather as many Microsoft account credentials as possible.

Security Officer Comments:
To add a sense of credibility and deceive victims into believing that the fake Microsoft login pages set up by the actors are authentic, researchers say the Smart Link sent to targets is modified to include the victim's email address. When the victim clicks on the link, the phishing page automatically retrieves the email address and populates it in the corresponding form field. This makes it appear similar to a legitimate login portal, where users are only required to enter their password. Rather than a customized design specific to the victim's company, the phishing page mimics a standard Microsoft login portal. Although this approach increases the list of potential targets, individuals who are familiar with their employer's unique login interfaces may not be inclined to enter their credentials.

Suggested Correction(s):
Given that threat actors are using emails as an initial attack vector, it is important for organizations to train employees on how to detect and avoid phishing emails containing malicious links. When signing into applications online, users should manually type the domain name into the web browser. This ensures that credentials are not unwittingly provided to fraudulent sites hosted by malicious threat actors.
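
Alongside user training, a mail filter can flag the pattern described above: a LinkedIn Smart Link that also carries the recipient's own email address. The sketch below is an added example, not code from Cofense or from this summary; the `/slink` path, the Base64 variant, the function names and the sample URLs are assumptions or constructed values.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

LINKEDIN_HOSTS = {"linkedin.com", "www.linkedin.com"}
SMART_LINK_PATH = "/slink"  # assumption: URL path of a Smart Link
CODE_LENGTH = 8             # the summary describes an eight-character code


def recipient_tokens(recipient):
    """Base64 forms of the address (assumed encoding), padding removed."""
    tokens = set()
    for variant in (recipient, recipient.lower()):
        for encode in (base64.b64encode, base64.urlsafe_b64encode):
            tokens.add(encode(variant.encode()).decode().rstrip("="))
    return tokens


def classify(url, recipient):
    """Return a verdict for one URL found in a message sent to `recipient`."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Exact host match, so look-alikes such as linkedin.com.evil.example fail.
    if (parts.scheme not in ("http", "https") or host not in LINKEDIN_HOSTS
            or parts.path.rstrip("/") != SMART_LINK_PATH):
        return "not_smart_link"
    # Everything after the path, percent-decoded: query string plus fragment.
    tail = unquote(parts.query + "#" + parts.fragment)
    if recipient.lower() in tail.lower():
        return "smart_link_with_recipient"
    if any(token in tail for token in recipient_tokens(recipient)):
        return "smart_link_with_recipient"
    code = parse_qs(parts.query).get("code", [""])[0]
    if len(code) != CODE_LENGTH:
        return "smart_link_unexpected_code"
    return "smart_link"


if __name__ == "__main__":
    # Constructed sample URLs; the code value and addresses are made up.
    rcpt = "alice@example.com"
    for sample in (
        "https://www.linkedin.com/slink?code=AbCd1234",
        "https://www.linkedin.com/slink?code=AbCd1234#alice@example.com",
        "https://www.linkedin.com/slink?code=AbCd1234&e=alice%40example.com",
        "https://linkedin.com.evil.example/slink?code=AbCd1234",
    ):
        print(classify(sample, rcpt), sample)
```

A plain `smart_link` verdict is not a sign of abuse on its own, since Smart Links are a legitimate marketing feature; the verdicts that mention the recipient or an unexpected code are the ones worth routing to review.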