Detect Link Target in Microsoft Sentinel
Adversaries stage resources at link targets that are later delivered to victims via phishing campaigns (T1566.002, T1598.003) or malicious links (T1204.001). Link targets typically include cloned login pages for credential harvesting, malware download pages, or redirect chains through URL shorteners and trusted PaaS platforms. Because this activity occurs on adversary-controlled infrastructure before the victim is targeted, direct detection is impossible from within the victim environment. Detection must focus on downstream indicators: email security telemetry revealing delivered URLs pointing to suspicious infrastructure, endpoint browser telemetry showing user connections to phishing link targets, DNS queries to homoglyph or typosquatted domains, and proxy logs capturing connections to known link-staging platforms such as IPFS gateways, URL shorteners, and cloud PaaS providers abused for redirecting victims.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1608 Stage Capabilities
- Sub-technique: T1608.005 Link Target
- Canonical reference: https://attack.mitre.org/techniques/T1608/005/
KQL Detection Query
let UrlShortenerDomains = dynamic([
"bit.ly", "tinyurl.com", "ow.ly", "is.gd", "buff.ly", "adf.ly",
"cutt.ly", "rb.gy", "shorturl.at", "t.ly", "tiny.cc", "rebrand.ly"
]);
let SuspiciousPaaSDomains = dynamic([
"appspot.com", "azurewebsites.net", "web.app", "firebaseapp.com",
"netlify.app", "vercel.app", "pages.dev", "glitch.me", "replit.app",
"workers.dev", "run.app"
]);
let IpfsGatewayDomains = dynamic([
"ipfs.io", "cloudflare-ipfs.com", "gateway.pinata.cloud",
"dweb.link", "cf-ipfs.com", "nftstorage.link"
]);
let CredentialHarvestKeywords = dynamic([
"login", "signin", "sign-in", "auth", "verify", "secure",
"account", "password", "credential", "confirm", "validate",
"update", "webmail", "portal"
]);
// Branch 1: Delivered email containing suspicious link targets via Microsoft Defender for Office 365
EmailUrlInfo
| where TimeGenerated > ago(24h)
| extend ParsedHost = tostring(parse_url(Url).Host)
| extend ParsedPath = tostring(parse_url(Url)["Path"])
| where ParsedHost has_any (UrlShortenerDomains)
or ParsedHost has_any (SuspiciousPaaSDomains)
or ParsedHost has_any (IpfsGatewayDomains)
or ParsedPath has "/ipfs/"
or Url has "ipfs://"
| join kind=leftouter (
EmailEvents
| where TimeGenerated > ago(24h)
| where DeliveryAction in ("Delivered", "Junked")  // EmailEvents records mail routed to the Junk folder as "Junked"; "DeliveredToJunk" is not a valid value and never matched
| project NetworkMessageId, SenderFromAddress, SenderMailFromDomain,
RecipientEmailAddress, Subject, DeliveryAction, ThreatNames,
EmailDirection, LatestDeliveryLocation
) on NetworkMessageId
| where isnotempty(SenderFromAddress)
| extend LinkCategory = case(
ParsedHost has_any (IpfsGatewayDomains) or ParsedPath has "/ipfs/" or Url has "ipfs://", "IPFS_Gateway",
ParsedHost has_any (UrlShortenerDomains), "URLShortener",
ParsedHost has_any (SuspiciousPaaSDomains), "SuspiciousPaaS",
"Other"
)
| extend CredentialHarvestIndicator = Url has_any (CredentialHarvestKeywords)
| extend SuspicionScore = toint(CredentialHarvestIndicator)
+ iif(LinkCategory == "IPFS_Gateway", 2, 0)
+ iif(LinkCategory == "URLShortener", 1, 0)
+ iif(LinkCategory == "SuspiciousPaaS", 1, 0)
| project TimeGenerated, SenderFromAddress, SenderMailFromDomain,
RecipientEmailAddress, Subject, Url, ParsedHost,
LinkCategory, CredentialHarvestIndicator, SuspicionScore,
DeliveryAction, ThreatNames, LatestDeliveryLocation
| sort by SuspicionScore desc, TimeGenerated desc

Detects adversary-staged phishing link targets by analyzing delivered email URLs via Microsoft Defender for Office 365 (EmailUrlInfo + EmailEvents tables). Identifies URLs pointing to known link-staging infrastructure: IPFS gateways (decentralized hosting resistant to takedown), URL shorteners masking true destinations, and PaaS platforms (Azure App Service, GCP App Engine, Netlify, Vercel, Cloudflare Workers) commonly abused to host credential harvesting pages. A suspicion score aggregates multiple risk factors. Requires Microsoft Defender for Office 365 Plan 1 or Plan 2 with Advanced Hunting enabled.
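An endpoint-side companion branch, added here as an example rather than as part of the page's own query: it keeps the delivered-URL logic above and joins it to Microsoft Defender for Endpoint's DeviceNetworkEvents so that only recipients whose browser actually connected to the staged host are returned. It assumes the Defender for Endpoint connector is enabled in Sentinel and that InitiatingProcessAccountUpn matches the recipient's mail address.

```kql
// Added example, not part of the original detection: Branch 2, endpoint confirmation.
// Joins delivered link targets (EmailUrlInfo + EmailEvents) to DeviceNetworkEvents so only
// recipients whose browser actually reached the staged host are returned.
let LookBack = 24h;
let IpfsGatewayDomains = dynamic(["ipfs.io", "cloudflare-ipfs.com", "gateway.pinata.cloud", "dweb.link"]);
let UrlShortenerDomains = dynamic(["bit.ly", "tinyurl.com", "ow.ly", "t.ly"]);
let SuspiciousPaaSDomains = dynamic(["azurewebsites.net", "appspot.com", "netlify.app", "vercel.app"]);
let StagedLinks =
    EmailUrlInfo
    | where TimeGenerated > ago(LookBack)
    | extend ParsedHost = tolower(tostring(parse_url(Url).Host))
    | where ParsedHost has_any (IpfsGatewayDomains)
        or ParsedHost has_any (UrlShortenerDomains)
        or ParsedHost has_any (SuspiciousPaaSDomains)
        or Url has "/ipfs/"
    | join kind=inner (
        EmailEvents
        | where TimeGenerated > ago(LookBack)
        | where DeliveryAction in ("Delivered", "Junked")
        | project NetworkMessageId, Recipient = tolower(RecipientEmailAddress),
                  SenderFromAddress, Subject, DeliveredTime = TimeGenerated
    ) on NetworkMessageId
    | project NetworkMessageId, Recipient, SenderFromAddress, Subject, Url, ParsedHost, DeliveredTime;
DeviceNetworkEvents
| where TimeGenerated > ago(LookBack)
| where isnotempty(RemoteUrl)
// Narrow to browser-initiated connections; widen this list for other user-driven processes
| where InitiatingProcessFileName in~ ("msedge.exe", "chrome.exe", "firefox.exe", "brave.exe")
// RemoteUrl is often a bare hostname rather than a full URL, so only parse it when a scheme is present
| extend ClickedHost = tolower(iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
| project ClickTime = TimeGenerated, DeviceName, Upn = tolower(InitiatingProcessAccountUpn),
          RemoteUrl, ClickedHost, RemoteIP
// Assumption: the signed-in UPN equals the recipient mail address
| join kind=inner StagedLinks
    on $left.Upn == $right.Recipient,
       $left.ClickedHost == $right.ParsedHost
// Only connections after delivery count; an earlier visit to the same host is unrelated browsing
| where ClickTime > DeliveredTime
| project ClickTime, DeliveredTime, Upn, DeviceName, RemoteIP,
          SenderFromAddress, Subject, Url, RemoteUrl
| sort by ClickTime desc
```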
Data Sources
Required Tables
- EmailUrlInfo (Microsoft Defender for Office 365: URLs found in delivered mail)
- EmailEvents (Microsoft Defender for Office 365: message delivery metadata)
False Positives & Tuning
- Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications
- Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams
- Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners
- IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications
- SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows
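The allowlist tuning these notes call for, as an added example and not the page's own query: it re-runs the shortener and PaaS branches against explicit sets of approved hosts and sender domains, then summarizes what remains per sender and host. Every value in the three allowlists is a constructed placeholder for your own environment.

```kql
// Added tuning example, not part of the original detection: applies the allowlists the
// false-positive list calls for. Every value in the three allowlists is a constructed placeholder.
let SimulatedPhishingSenderDomains = dynamic([
    "training.awareness-vendor.example"      // placeholder: security awareness training vendor
]);
let TrustedMarketingSenderDomains = dynamic([
    "news.vendor.example"                    // placeholder: newsletter sender that uses shorteners
]);
let ApprovedPaaSHosts = dynamic([
    "intranet-preview.azurewebsites.net",    // placeholder: IT-owned preview site
    "docs-staging.netlify.app"               // placeholder: vendor documentation site
]);
let UrlShortenerDomains = dynamic(["bit.ly", "tinyurl.com", "ow.ly", "t.ly"]);
let SuspiciousPaaSDomains = dynamic(["azurewebsites.net", "netlify.app", "vercel.app"]);
EmailUrlInfo
| where TimeGenerated > ago(24h)
| extend ParsedHost = tolower(tostring(parse_url(Url).Host))
| extend IsShortener = ParsedHost has_any (UrlShortenerDomains)
| extend IsPaaS = ParsedHost has_any (SuspiciousPaaSDomains)
| where IsShortener or IsPaaS
| join kind=inner (
    EmailEvents
    | where TimeGenerated > ago(24h)
    | where DeliveryAction in ("Delivered", "Junked")
    | project NetworkMessageId, SenderMailFromDomain, RecipientEmailAddress, Subject
) on NetworkMessageId
// Allowlist exact hosts only: a whole PaaS suffix is never excluded, so a new tenant on the same platform still alerts
| where ParsedHost !in (ApprovedPaaSHosts)
// Simulated phishing campaigns are suppressed by sender domain regardless of link type
| where SenderMailFromDomain !in~ (SimulatedPhishingSenderDomains)
// Marketing senders are trusted for shortener links only; a PaaS-hosted link from the same sender still surfaces
| where not(SenderMailFromDomain in~ (TrustedMarketingSenderDomains) and IsShortener)
| summarize Recipients = dcount(RecipientEmailAddress), SampleSubjects = make_set(Subject, 5),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SenderMailFromDomain, ParsedHost, IsShortener, IsPaaS
| sort by Recipients desc, LastSeen desc
```

Keep the allowlists as named hosts and sender domains rather than platform suffixes; once a suffix is excluded, a fresh attacker tenant on that platform becomes invisible to the rule.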
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Clone Legitimate Login Page for Credential Harvesting Infrastructure
Expected signal: Linux process audit log (auditd) showing wget execution with --mirror flag and target URL. DNS query for your-test-domain.example.com in DNS server logs. HTTP GET requests in proxy logs originating from the test host. Sysmon EventCode=1 equivalent on Linux (if Sysmon for Linux deployed) showing wget process with full command line arguments.
- Test 2: Stage Phishing Link Target on IPFS via Pinata
Expected signal: Process creation log showing curl execution with api.pinata.cloud as destination. DNS query for api.pinata.cloud. Outbound HTTPS connection in network logs. The returned JSON will contain the IPFS CID (IpfsHash field) which serves as the permanent link target address accessible via https://gateway.pinata.cloud/ipfs/<CID>. When the CID link is later visited, gateway connection logs will show /ipfs/<CID> path pattern.
- Test 3: Register URL Shortener Redirect to Phishing Page
Expected signal: Process creation showing curl with api-ssl.bitly.com destination. DNS query for api-ssl.bitly.com. HTTPS POST request in proxy/network logs. The returned JSON contains the 'link' field with the bit.ly short URL. When this URL is subsequently sent in a test phishing email and clicked, email security tools (Defender for Office 365) will record the bit.ly URL in EmailUrlInfo, triggering the main KQL detection with LinkCategory='URLShortener'.
- Test 4: Deploy Phishing Link Target on Azure App Service (PaaS Infrastructure)
Expected signal: Azure Activity Log entries showing App Service creation and deployment (ResourceProvider: Microsoft.Web). If a user navigates to the *.azurewebsites.net URL, DeviceNetworkEvents shows browser connection with RemoteUrl containing 'azurewebsites.net'. Azure Monitor logs capture all access to the App Service including source IPs, user agents, and request paths.
References
- https://attack.mitre.org/techniques/T1608/005/
- https://blog.talosintelligence.com/ipfs-abuse/
- https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection
- https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service
- https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/
- https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian
- https://www.kaspersky.com/blog/malicious-redirect-methods/50045/
- https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse
- https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table