How Smart Link Attacks Target Microsoft Accounts
Smart Links are a LinkedIn feature that lets users share content with their contacts and track who engages with it. Attackers have found a way to abuse this feature to launch phishing campaigns that aim to steal Microsoft account credentials. In this article, we explain how Smart Link attacks work and how to protect yourself from them.
What are smart links?
Smart links are links that use the LinkedIn domain and a unique code to direct users to a content page hosted by LinkedIn. The content page can contain up to 15 documents, such as PDFs, images, or videos, that can be viewed or downloaded by the recipients. Smart links are mainly used by LinkedIn Sales Navigator and Enterprise users for marketing and tracking purposes. They can see who viewed or downloaded their content, how long they spent on each document, and other engagement metrics.
How are smart links abused for phishing?
Attackers have discovered that they can use smart links to get past email security products and evade detection: because the link itself points at linkedin.com, a trusted and widely allow-listed domain, URL reputation checks tend to let it through. They create or compromise LinkedIn business accounts and use them to generate smart links whose content page redirects the visitor to a phishing page. The phishing page imitates a Microsoft login portal and asks the user to enter their email address and password. The attackers can then use the stolen credentials to access the victim's Microsoft account and services, such as Outlook, OneDrive, or Teams.
The hackers use various email lures to trick users into clicking on the smart links. Some of the common themes are:
- Payments
- HR
- Documents
- Security notifications
The emails appear to come from legitimate sources, such as banks, colleagues, or LinkedIn itself. They use social engineering techniques to create a sense of urgency or curiosity in the recipients. For example, they may claim that there is a problem with their account, that they have received a new document, or that they need to verify their identity.
The smart links have several advantages for the hackers:
- They use the trusted LinkedIn domain, which makes them look more credible and less suspicious.
- They can include the victim’s email address in the URL, which allows the phishing page to autofill the email field and create a false sense of authenticity.
- They can track the user’s engagement with the content page, which gives them insight into the effectiveness of their campaign.
- They can change the content page at any time, which makes it harder for security products to detect and block them.
How to protect yourself from smart links attacks?
Smart Link attacks are not new. They were reported as early as 2022 by security researchers¹². However, they resurfaced in 2023 with a large-scale campaign targeting various industries¹. It is therefore important to be aware of this threat and take precautions to avoid falling victim to it.
Here are some tips to protect yourself from smart links attacks:
- Be wary of unsolicited emails that ask you to click on a link or download a document. Even if they appear to come from a trusted source, do not trust them blindly. Verify the sender’s identity and the legitimacy of the content before opening it.
- Check the URL of the link before clicking on it. A genuine smart link has the form https://www.linkedin.com/slink?code=XXXXXXXX, where XXXXXXXX is an eight-character code that may contain underscores and dashes. If the URL carries anything beyond that code, such as your email address or other parameters, treat it as suspicious. Note that this check only tells you the link was generated through LinkedIn; the content page it opens is controlled by whoever created it, so even a well-formed smart link can lead to a phishing page.
- Check the URL of the login page before entering your credentials. A legitimate Microsoft work or school sign-in page is served from the hostname login.microsoftonline.com (personal Microsoft accounts sign in at login.live.com). Compare the whole hostname, not just its beginning: https://login-microsoftonline.com/, https://microsoftonline.login.com/ and https://login.microsoftonline.com.example.net/ are all lookalikes, not Microsoft.
- Use multi-factor authentication (MFA) for your Microsoft account. MFA adds an extra layer of security by requiring you to enter a code or approve a sign-in request from your phone or another device after entering your password, so a stolen password alone is not enough to get in. Code- and push-based MFA can still be defeated by an attacker who relays the login in real time or wears the user down with repeated prompts; phishing-resistant methods such as FIDO2 security keys or passkeys close that gap.
- Report any suspicious emails or links to LinkedIn and Microsoft. You can report phishing emails to LinkedIn by forwarding them to phishing@linkedin.com. You can report phishing pages to Microsoft by using the Report Message add-in in Outlook or by submitting them to Microsoft Defender SmartScreen.
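The two URL checks above, together with the "email address in the URL" trick described in the list of advantages, can be automated for mail triage or for a quick personal sanity check. The following is an added example written for this article, not code from the original page or from LinkedIn or Microsoft. The sample URLs are constructed for illustration, and the list of genuine Microsoft sign-in hostnames and the regular expression for the code parameter are assumptions drawn from the patterns the article describes. It flags smart links that carry anything beyond the eight-character code, and compares a sign-in page's full hostname against the genuine hosts so that prefix, suffix and punctuation lookalikes are all rejected.

```python
"""Triage LinkedIn Smart Link URLs and Microsoft sign-in hostnames.

Added example, not code from the original article. The sample URLs are
constructed; MS_LOGIN_HOSTS and the code-format regex are assumptions drawn
from the patterns the article describes.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SMART_LINK_HOST = "www.linkedin.com"
SMART_LINK_PATH = "/slink"
# Expected shape of the code parameter: eight characters, letters/digits/'_'/'-'.
SMART_LINK_CODE = re.compile(r"^[A-Za-z0-9_-]{8}$")

# Hostnames that serve genuine Microsoft sign-in pages (assumption: illustrative, not exhaustive).
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Loose e-mail pattern used to spot a recipient address smuggled into a URL.
EMAIL_RE = re.compile(r"[^@\s/?&=#]+@[^@\s/?&=#]+\.[a-z]{2,}", re.I)


def classify_smart_link(url: str) -> dict:
    """Check that a URL has exactly the shape of a LinkedIn Smart Link and nothing more."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if host != SMART_LINK_HOST:
        reasons.append(f"host is {host!r}, not {SMART_LINK_HOST!r}")
    if parts.path != SMART_LINK_PATH:
        reasons.append(f"path is {parts.path!r}, not {SMART_LINK_PATH!r}")
    params = parse_qs(parts.query, keep_blank_values=True)
    codes = params.get("code", [])
    if len(codes) != 1 or not SMART_LINK_CODE.match(codes[0]):
        reasons.append("code parameter missing or malformed")
    extra = sorted(k for k in params if k != "code")
    if extra:
        reasons.append(f"unexpected parameters: {extra}")
    # The autofill trick: the target's address appears somewhere in the URL
    # (query, fragment, or glued onto the code), possibly percent-encoded.
    if EMAIL_RE.search(unquote(url)):
        reasons.append("email address embedded in URL")
    return {"url": url, "is_clean_smart_link": not reasons, "reasons": reasons}


def check_login_host(url: str) -> dict:
    """Compare the full hostname of a sign-in page against the genuine Microsoft hosts."""
    host = (urlsplit(url).hostname or "").lower()
    if host in MS_LOGIN_HOSTS:
        return {"host": host, "legitimate": True, "reason": "exact match"}
    # Lookalike heuristic: every label of a genuine host reappears in the suspect
    # name, joined by dots, dashes or underscores, or padded with extra labels.
    labels = set(re.split(r"[.\-_]", host))
    for good in sorted(MS_LOGIN_HOSTS):
        if set(good.split(".")) <= labels:
            return {"host": host, "legitimate": False, "reason": f"lookalike of {good}"}
    return {"host": host, "legitimate": False, "reason": "unknown host"}


# Constructed sample input (not real campaign data).
SAMPLE_LINKS = [
    "https://www.linkedin.com/slink?code=Ab3_x-9Q",
    "https://www.linkedin.com/slink?code=Ab3_x-9Q&email=victim%40example.com",
    "https://www.linkedin.com/slink?code=Ab3_x-9Q#victim@example.com",
    "http://www.linkedin.com.example.net/slink?code=Ab3_x-9Q",
]
SAMPLE_LOGINS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login-microsoftonline.com/",
    "https://microsoftonline.login.com/",
    "https://login.microsoftonline.com.example.net/",
]


def triage() -> dict:
    """Run both checks over the constructed samples and return the verdicts."""
    return {
        "links": [classify_smart_link(u) for u in SAMPLE_LINKS],
        "logins": [check_login_host(u) for u in SAMPLE_LOGINS],
    }


if __name__ == "__main__":
    results = triage()
    for r in results["links"]:
        print("OK  " if r["is_clean_smart_link"] else "BAD ", r["url"], r["reasons"])
    for r in results["logins"]:
        print("OK  " if r["legitimate"] else "BAD ", r["host"], r["reason"])
```

Only the first sample link passes, and only the first sign-in URL is accepted; the other three hostnames fail for different reasons even though each contains the genuine name as a substring, which is why the comparison is on the whole hostname rather than a prefix. A clean verdict on the link still says nothing about the content page behind it, so the check is a filter for obvious tampering, not proof that the link is safe.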