LinkedIn Smart Links Fuel Credential Phishing Campaign

Cofense observed a large credential-phishing campaign that abused LinkedIn Smart Links (Sales Navigator team/business links) as trusted linkedin.com URLs that redirect to Microsoft Office credential harvesters, letting the emails pass secure email gateways that trust the LinkedIn domain. The campaign delivered over 800 emails containing 80+ unique Smart Links and redirected victims to phishing pages that, in some cases, pre-filled the sign-in form with the recipient's email address. #LinkedInSmartLinks #MicrosoftOffice

Keypoints

  • Adversaries used LinkedIn Smart Links (Sales Navigator team/business links) to host or redirect to credential phishing pages.
  • A Smart Link is a linkedin.com URL carrying a code parameter (an eight-character value drawn from letters, digits, underscores and dashes); the variants seen in this campaign could also carry the recipient's email address in obfuscated form.
  • The Smart Links helped phishing emails bypass secure email gateways (SEGs) because they used LinkedIn’s trusted domain.
  • Cofense observed a resurgence in late July–August 2023: over 800 emails containing 80+ unique Smart Links, spread across multiple industries.
  • Clicking a Smart Link took the victim, directly or through intermediate redirects, to a page imitating the Microsoft sign-in flow that harvested Office credentials; where the recipient's address was embedded in the URL, the login form was pre-filled with it.
  • The campaign used generic lures (finance, HR, documents, security, notifications) to cast a wide net rather than targeting a single organization or sector.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Smart Links were embedded in emails to lead users to credential phishing pages (“Once at the phish, the user will be instructed to log in using their Microsoft Office credentials.”)
  • [T1566.003] Spearphishing via Service – Attackers abused LinkedIn Sales Navigator Smart Links, a legitimate third‑party service, as the redirect layer that delivered and tracked the lures (“Smart links are links utilized by a LinkedIn team or business account connected to LinkedIn Sales Navigator services…”)
  • [T1204.001] User Execution: Malicious Link – Users were socially engineered into clicking trusted LinkedIn links that redirected to phishing pages; the reputable domain is what let the messages through email security (“This will enable emails to bypass SEGs and other security suites.”)
  • [T1566] Phishing – The landing pages were built to capture Microsoft Office credentials and could pre-fill the username from a URL parameter to increase perceived legitimacy (“…an example email address is used in the URL address bar, which auto-fills the form upon landing on the phishing landing page.”)

Indicators of Compromise

  • [URL pattern] LinkedIn Smart Link structure – linkedin.com/slink?code=XXXXXXXX, where the code is eight characters from letters, digits, underscores and dashes; campaign variants additionally carried an obfuscated recipient email.
  • [URL parameter] Embedded/obfuscated recipient email – some Smart Links, or the phishing URLs they redirect to, include the victim's email address, which the malicious login form uses to pre-fill the username field (the report shows an example address in the address bar of the landing page).
  • [Reference] Analysis/report location – https://cofense.com/blog/linkedin-smart-links-credential-phishing-campaign/, with related coverage at https://cofense.com/blog/threat-actors-abuse-linkedin-slink-smart-link-to-bypass-secure-email-gateways-segs/

Adversaries leveraged LinkedIn’s Sales Navigator “Smart Links” (team/business Smart Links) as a trusted redirect mechanism. A Smart Link URL lives on the linkedin.com domain and carries a code parameter, an eight-character value of letters, digits, underscores or dashes, and the campaign's variants could also carry an obfuscated recipient identifier. Attackers created or compromised LinkedIn business accounts to generate large numbers of Smart Links and embedded them in broadly themed phishing emails (finance, HR, document, security, notifications); because the only URL in the message pointed at linkedin.com, the emails looked legitimate and passed SEG URL-reputation checks.

When recipients clicked a Smart Link they were taken, directly or through further redirects, to credential-phishing landing pages imitating the Microsoft sign-in flow. Some variants carried the recipient’s email in the URL so the phishing form could pre-fill the username field, increasing the page’s perceived legitimacy. The pages collected Microsoft Office credentials; the campaign delivered over 800 emails and used 80+ unique Smart Links across multiple industries, with Finance and Manufacturing among the most affected.

From a detection and mitigation perspective, the important point is that the bypass rests on URL reputation alone: linkedin.com is trusted, so a SEG that stops at the domain never sees the phishing page. Defenders should therefore resolve where a Smart Link actually lands rather than trusting the visible host: extract linkedin.com/slink URLs from inbound mail, record the code parameter and any embedded or encoded email address, follow the redirect chain, and flag links whose final landing page is off-platform and presents a sign-in form. A Smart Link legitimately redirects to whatever content the account owner configured, so an off-platform destination by itself is not malicious; the signals that matter are a credential prompt at the landing page, a recipient address carried in the URL, and the same account issuing many Smart Links across unrelated recipients. Logging and URL inspection of inbound mail, with that redirect validation, are what catch these messages when the gateway has already let them through.
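The triage the preceding paragraph describes, as an added example that is not code from Cofense or from the report: it extracts Smart Links from a mail body, parses the code parameter against the format described above, looks for a recipient address in the URL, walks the redirect chain and flags an off-platform landing page that looks like a sign-in form. The report only says the embedded address is "obfuscated", so checking plain, percent-encoded and base64 forms is an assumption; the redirect table, the sample mail body, the addresses and hostnames in it are all constructed for the example, and `next_hop` is a hypothetical callback so the code runs offline.

```python
"""Triage LinkedIn Smart Links found in inbound mail (added example, not from the report)."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Smart Link shape described in the report: linkedin.com/slink?code=<8 chars of [A-Za-z0-9_-]>
SMART_LINK_RE = re.compile(r"https?://(?:www\.)?linkedin\.com/slink\?[^\s\"'<>]+", re.I)
CODE_RE = re.compile(r"^[A-Za-z0-9_-]{8}$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Hints that a landing page is a sign-in form; a heuristic, not a rule from the report.
SIGNIN_HINT_RE = re.compile(r"login|signin|sign-in|auth|office|microsoft|sso", re.I)


def find_smart_links(text):
    """Return every Smart Link URL present in a mail body."""
    return SMART_LINK_RE.findall(text)


def _base64_text(value):
    """Best-effort decode of a query value as URL-safe base64; '' if it is not base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
    except (ValueError, TypeError):
        return ""


def extract_embedded_email(url):
    """Return a recipient address carried in the URL, or None.

    Plain, percent-encoded and base64-encoded query/fragment values are checked;
    these encodings are an assumption, the report does not say how the address is hidden.
    """
    parsed = urlparse(url)
    candidates = [unquote(parsed.query), unquote(parsed.fragment)]
    for values in parse_qs(parsed.query).values():
        candidates.extend(_base64_text(v) for v in values)
    for text in candidates:
        match = EMAIL_RE.search(text)
        if match:
            return match.group(0)
    return None


def follow_redirects(url, next_hop, max_hops=10):
    """Walk a redirect chain; next_hop(url) returns the next Location, or None at the landing page.

    For live use next_hop could be, for example,
    lambda u: requests.head(u, allow_redirects=False, timeout=10).headers.get("Location").
    """
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if not nxt or nxt in chain:  # landing page reached, or a redirect loop
            break
        chain.append(nxt)
    return chain


def triage_smart_link(url, next_hop):
    """Resolve one Smart Link and report the signals a SEG that trusts linkedin.com never sees."""
    parsed = urlparse(url)
    code = parse_qs(parsed.query).get("code", [""])[0]
    chain = follow_redirects(url, next_hop)
    landing = chain[-1]
    landing_host = (urlparse(landing).hostname or "").lower()
    off_platform = not (landing_host == "linkedin.com" or landing_host.endswith(".linkedin.com"))
    email = extract_embedded_email(url) or extract_embedded_email(landing)
    findings = []
    if email:
        findings.append(f"recipient address {email} carried in the URL (auto-fill lure)")
    # A Smart Link legitimately redirects off-platform; only an off-platform sign-in page is flagged.
    if off_platform and SIGNIN_HINT_RE.search(landing):
        findings.append(f"lands off-platform on a sign-in-looking page at {landing_host}")
    return {
        "url": url, "code": code, "well_formed_code": bool(CODE_RE.match(code)),
        "chain": chain, "landing_host": landing_host, "off_platform": off_platform,
        "embedded_email": email, "findings": findings, "suspicious": bool(findings),
    }


def triage_email_body(body, next_hop):
    """Triage every Smart Link in a mail body."""
    return [triage_smart_link(u, next_hop) for u in find_smart_links(body)]


# Constructed sample data (not observed indicators): one lure carrying a base64 recipient
# address that redirects to a sign-in page, and one plain Smart Link with no recorded redirect.
CONSTRUCTED_HOPS = {
    "https://www.linkedin.com/slink?code=AbCd12_x&u=YWxpY2VAZXhhbXBsZS5jb20":
        "https://r.example.net/go?u=YWxpY2VAZXhhbXBsZS5jb20",
    "https://r.example.net/go?u=YWxpY2VAZXhhbXBsZS5jb20":
        "https://login.example.org/office/?email=alice%40example.com",
}
SAMPLE_BODY = """Subject: Action required - Q3 payroll statement
Your document is ready for review:
https://www.linkedin.com/slink?code=AbCd12_x&u=YWxpY2VAZXhhbXBsZS5jb20
Unrelated team update: https://www.linkedin.com/slink?code=Zz9_-Qw1
"""

if __name__ == "__main__":
    for result in triage_email_body(SAMPLE_BODY, CONSTRUCTED_HOPS.get):
        print(result["url"], "->", result["landing_host"], result["findings"])
```

In production the redirect walk belongs in a sandboxed fetcher, not in the mail pipeline itself: the landing page is attacker-controlled, so resolve with `allow_redirects=False` hop by hop, cap the hop count, and never submit the pre-filled form.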

Read more: https://cofense.com/blog/linkedin-smart-links-credential-phishing-campaign/