New Phishing Campaign Uses LinkedIn Smart Links in Global Attack


Email security provider Cofense has discovered a new phishing campaign comprising more than 800 emails and using LinkedIn Smart Links.

The campaign was active between July and August 2023 and used a variety of lures, including financial, document, security and general-notification themes, reaching the inboxes of users across multiple industries.

Financial, manufacturing and energy sectors are the main targeted verticals.

Cofense assessed that “this campaign was not a direct attack on any particular company or sector, but a global attack aimed at collecting as much identifying information as possible using professional LinkedIn accounts and Smart Links to lead the attack.”

What are LinkedIn Smart Links?

LinkedIn Smart Links, also known as slinks, are used by LinkedIn business accounts to deliver content and track user engagements through LinkedIn Sales Navigator.

A typical Smart Link is a URL on the LinkedIn domain with a “code” parameter holding an eight-character identifier made up of letters, digits, underscores and hyphens. Malicious Smart Links, however, may carry additional data in the link, such as an obfuscated copy of the victim’s email address.

Smart Links have been shown to get past Email Security Gateways (ESGs) and other email security suites because the link in the message points at a trusted domain; the hop to the phishing page only happens after the click.

The volume of Smart Links in this campaign suggests the senders are using either newly created or already compromised LinkedIn professional accounts, and the built-in engagement tracking gives the attackers insight into how the phishing campaign is performing.

How does a Slink-based phishing infection work?

Clicking a malicious LinkedIn Smart Link embedded in an email takes the user either directly to the phishing page or through a series of redirects before landing there.

If the victim’s email address is attached to the Smart Link, the phishing kit reads it and pre-fills the login form, adding to the illusion that the victim has landed on the legitimate Microsoft sign-in page. A Smart Link without the address in the URL still leads to a credential phishing page; the form simply is not pre-filled.

Once on the phishing page, the user is asked to log in with their Microsoft Office credentials.
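The two details above, the eight-character shape of a legitimate “code” value and the attackers’ habit of smuggling a recipient address into the link so the kit can pre-fill the form, give a mail filter something concrete to check even though the domain itself is trusted. The following Python script is an added example, not code from the article or from Cofense. It assumes the public Smart Link shape https://www.linkedin.com/slink?code=<id>; the anomaly heuristics, the host list and the sample message are constructed for illustration.

```python
"""Triage LinkedIn Smart Links found in an e-mail body (added example).

Assumes the Smart Link shape https://www.linkedin.com/slink?code=<id>;
the heuristics and the sample message below are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Per the article: a legitimate code is eight characters of letters, digits,
# underscore and hyphen. Anything else in the parameter is worth a look.
CODE_RE = re.compile(r"^[A-Za-z0-9_-]{8}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SLINK_HOSTS = {"linkedin.com", "www.linkedin.com"}  # assumption: hosts serving /slink


@dataclass
class SlinkFinding:
    url: str
    code: str
    reasons: List[str] = field(default_factory=list)
    recovered_email: Optional[str] = None


def _decode_email(blob: str) -> Optional[str]:
    """Return an address if blob is a plain or base64 (std/URL-safe) e-mail."""
    if EMAIL_RE.match(blob):
        return blob
    padded = blob + "=" * (-len(blob) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def is_smart_link(url: str) -> bool:
    parsed = urlparse(url)
    return (parsed.hostname or "") in SLINK_HOSTS and parsed.path.rstrip("/") == "/slink"


def triage_smart_link(url: str) -> Optional[SlinkFinding]:
    """Return a finding for a Smart Link (empty reasons = well-formed), else None."""
    if not is_smart_link(url):
        return None
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    code = params.get("code", [""])[0]
    finding = SlinkFinding(url=url, code=code)

    if not CODE_RE.match(code):
        finding.reasons.append("code is not an 8-char [A-Za-z0-9_-] identifier")
        # A blob after the first eight characters is where the constructed
        # sample hides an encoded recipient address.
        finding.recovered_email = _decode_email(code[8:])

    extra = sorted(k for k in params if k != "code")
    if extra:
        finding.reasons.append(f"unexpected query parameters: {extra}")
        for key in extra:
            for value in params[key]:
                finding.recovered_email = finding.recovered_email or _decode_email(value)
    if finding.recovered_email:
        finding.reasons.append("link carries a recipient e-mail address")
    return finding


def triage_email_body(text: str) -> List[SlinkFinding]:
    """Run triage over every http(s) URL in a message body."""
    findings = []
    for raw in URL_RE.findall(text):
        finding = triage_smart_link(raw.rstrip(".,;)"))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample body (not a real capture). Link 1 is well-formed; link 2
# appends base64("victim@example.com") to the code; link 3 adds a parameter.
SAMPLE_BODY = """\
Your statement is ready: https://www.linkedin.com/slink?code=Ab3_x9-Q
Secure document: https://www.linkedin.com/slink?code=Ab3_x9-QdmljdGltQGV4YW1wbGUuY29t
Notification: https://www.linkedin.com/slink?code=Zz8-qT_1&e=dmljdGltQGV4YW1wbGUuY29t.
Unrelated: https://www.example.com/invoice
"""

if __name__ == "__main__":
    for f in triage_email_body(SAMPLE_BODY):
        print(("suspicious: " if f.reasons else "well-formed: ") + f.url)
        for r in f.reasons:
            print("  - " + r)
        if f.recovered_email:
            print("  recipient: " + f.recovered_email)
```

The check is a shape test, not a verdict: a code of the wrong length, or a stray parameter whose value decodes to an address, is a reason to detonate the link in a sandbox or quarantine the message, while a well-formed link still deserves the ordinary URL rewriting and click-time checks, since a legitimate-looking Smart Link can redirect to a credential page just as well.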

Are LinkedIn Smart Links a new type of threat?

LinkedIn Smart Links have been used in malicious phishing campaigns for some time now.

Cofense identified large-scale phishing attacks using LinkedIn Smart Links as early as 2021. The company also reported a large-scale campaign using slinks in September 2022.

However, this is not a phishing method regularly used by bad actors.

“While it is important to use email security suites, it is also essential that employees are constantly up to date on their training to combat any phishing campaigns. Employees should learn not to click on links in emails that appear suspicious or unexpected,” Cofense recommended in the report.
