T1608.005 Splunk · SPL

Detect Link Target in Splunk

Adversaries stage resources at link targets that are later delivered to victims via phishing campaigns (T1566.002, T1598.003) or malicious links (T1204.001). Link targets typically include cloned login pages for credential harvesting, malware download pages, or redirect chains through URL shorteners and trusted PaaS platforms. Because this activity occurs on adversary-controlled infrastructure before the victim is targeted, direct detection is impossible from within the victim environment. Detection must focus on downstream indicators: email security telemetry revealing delivered URLs pointing to suspicious infrastructure, endpoint browser telemetry showing user connections to phishing link targets, DNS queries to homoglyph or typosquatted domains, and proxy logs capturing connections to known link-staging platforms such as IPFS gateways, URL shorteners, and cloud PaaS providers abused for redirecting victims.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1608 Stage Capabilities
Sub-technique
T1608.005 Link Target
Canonical reference
https://attack.mitre.org/techniques/T1608/005/

SPL Detection Query

Splunk (SPL):

index=email OR index=proxy OR index=web
    (sourcetype="o365:management:activity" OR sourcetype="ms:o365:defender" OR sourcetype="proxy" OR sourcetype="stream:http" OR sourcetype="bluecoat:proxysg:accesslog" OR sourcetype="zscaler:proxy")
| eval raw_url=coalesce('Url', 'url', 'request_url', 'URI', if(isnotnull('cs-host'), 'cs-host'.'cs-uri-stem', null()), 'cs-uri-stem')
| eval raw_url_lower=lower(raw_url)
| eval IsUrlShortener=if(match(raw_url_lower,
    "(bit\.ly/|tinyurl\.com/|ow\.ly/|is\.gd/|buff\.ly/|adf\.ly/|cutt\.ly/|rb\.gy/|t\.ly/|tiny\.cc/|rebrand\.ly/)"),
    1, 0)
| eval IsIPFS=if(match(raw_url_lower,
    "(ipfs\.io/ipfs/|cloudflare-ipfs\.com/ipfs/|gateway\.pinata\.cloud/ipfs/|dweb\.link/ipfs/|cf-ipfs\.com/ipfs/|nftstorage\.link/ipfs/|ipfs://)"),
    1, 0)
| eval IsSuspiciousPaaS=if(match(raw_url_lower,
    "(\.appspot\.com|\.azurewebsites\.net|\.web\.app|\.firebaseapp\.com|\.netlify\.app|\.vercel\.app|\.pages\.dev|\.glitch\.me|\.replit\.app|\.workers\.dev|\.run\.app)"),
    1, 0)
| eval HasCredentialKeyword=if(match(raw_url_lower,
    "(login|signin|sign-in|/auth|/verify|/secure|/account|password|credential|/confirm|/validate|webmail|/portal)"),
    1, 0)
| eval SuspicionScore=IsUrlShortener + (IsIPFS * 2) + IsSuspiciousPaaS + HasCredentialKeyword
| where SuspicionScore > 0
| eval LinkCategory=case(
    IsIPFS=1, "IPFS_Gateway",
    IsUrlShortener=1, "URLShortener",
    IsSuspiciousPaaS=1, "SuspiciousPaaS",
    true(), "Other"
)
| eval source_user=coalesce('RecipientEmailAddress', 'SenderFromAddress', 'user', 'src_user', 'cs-username')
| eval source_host=coalesce('src', 'ClientIP', 'c-ip', 'src_ip', 'host')
| table _time, source_host, source_user, raw_url, LinkCategory,
        IsUrlShortener, IsIPFS, IsSuspiciousPaaS, HasCredentialKeyword, SuspicionScore
| sort -SuspicionScore, -_time

Severity: high · Confidence: medium

Two field-normalization details matter here. Bluecoat ELFF logs split the URL into cs-host (hostname) and cs-uri-stem (path only), so the two are rejoined before matching; matching cs-uri-stem alone can never hit a shortener, gateway or PaaS hostname pattern. And Splunk's host metadata field is present on every event (it is the forwarder or indexer, not the client), so it must be the last fallback in source_host, not the first.

Detects adversary-staged phishing link targets by evaluating URLs observed in email security logs (Office 365 management activity; Proofpoint or Mimecast can be added by extending the sourcetype list and the URL coalesce) and web proxy logs (Zscaler, Bluecoat, stream:http) against known link-staging infrastructure categories. Scoring is weighted: IPFS gateways score 2 because decentralized hosting resists takedown requests, URL shorteners and abused PaaS platforms score 1 each, and a credential-harvest keyword in the URL path adds 1. The coalesce calls normalize field names across sourcetypes so the same logic runs on each.
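To check the scoring and category logic on concrete events before scheduling the search, the following Python is an added example, not code from this page or its authors: it ports the SPL eval and where steps to plain Python and runs them over a handful of constructed events (every URL, user, host and timestamp below is made up). It goes one step beyond a literal port in build_raw_url, which rejoins the Bluecoat cs-host and cs-uri-stem fields, because cs-uri-stem is path-only and a gateway.pinata.cloud/ipfs/... hit is invisible without the host; it also keeps Splunk's host metadata field as the last fallback for source_host. The min_score parameter stands in for the where clause so the effect of raising the threshold above 1, which drops URLs that only match a credential keyword, can be measured.

```python
"""Offline port of the T1608.005 SPL scoring logic, run over constructed sample events."""
import re

# Regexes copied from the SPL rule; applied to the lower-cased URL as the rule does.
URL_SHORTENER_RE = re.compile(
    r"(bit\.ly/|tinyurl\.com/|ow\.ly/|is\.gd/|buff\.ly/|adf\.ly/|cutt\.ly/|rb\.gy/|t\.ly/|tiny\.cc/|rebrand\.ly/)")
IPFS_RE = re.compile(
    r"(ipfs\.io/ipfs/|cloudflare-ipfs\.com/ipfs/|gateway\.pinata\.cloud/ipfs/|dweb\.link/ipfs/"
    r"|cf-ipfs\.com/ipfs/|nftstorage\.link/ipfs/|ipfs://)")
PAAS_RE = re.compile(
    r"(\.appspot\.com|\.azurewebsites\.net|\.web\.app|\.firebaseapp\.com|\.netlify\.app|\.vercel\.app"
    r"|\.pages\.dev|\.glitch\.me|\.replit\.app|\.workers\.dev|\.run\.app)")
CRED_RE = re.compile(
    r"(login|signin|sign-in|/auth|/verify|/secure|/account|password|credential|/confirm|/validate|webmail|/portal)")


def coalesce(event, *fields):
    """Mirror SPL coalesce(): first listed field that is present and non-empty."""
    for f in fields:
        v = event.get(f)
        if v not in (None, ""):
            return v
    return None


def build_raw_url(event):
    """Normalise the URL across sourcetypes. Bluecoat ELFF splits host (cs-host)
    and path (cs-uri-stem); rejoin them, since the infrastructure patterns need
    the hostname. Falls back to the bare path only if no host is available."""
    url = coalesce(event, "Url", "url", "request_url", "URI")
    if url is None and event.get("cs-host"):
        url = event["cs-host"] + event.get("cs-uri-stem", "")
    return url or coalesce(event, "cs-uri-stem")


def score_url(raw_url):
    """The four flag evals, the weighted score and the LinkCategory case()."""
    u = raw_url.lower()
    f = {
        "IsUrlShortener": int(bool(URL_SHORTENER_RE.search(u))),
        "IsIPFS": int(bool(IPFS_RE.search(u))),
        "IsSuspiciousPaaS": int(bool(PAAS_RE.search(u))),
        "HasCredentialKeyword": int(bool(CRED_RE.search(u))),
    }
    f["SuspicionScore"] = (f["IsUrlShortener"] + 2 * f["IsIPFS"]
                           + f["IsSuspiciousPaaS"] + f["HasCredentialKeyword"])
    if f["IsIPFS"]:
        f["LinkCategory"] = "IPFS_Gateway"
    elif f["IsUrlShortener"]:
        f["LinkCategory"] = "URLShortener"
    elif f["IsSuspiciousPaaS"]:
        f["LinkCategory"] = "SuspiciousPaaS"
    else:
        f["LinkCategory"] = "Other"
    return f


def run_detection(events, min_score=1):
    """Equivalent of the where / table / sort stages. min_score=1 matches
    'where SuspicionScore > 0'; min_score=2 drops keyword-only hits."""
    rows = []
    for e in events:
        raw_url = build_raw_url(e)
        if raw_url is None:
            continue
        f = score_url(raw_url)
        if f["SuspicionScore"] < min_score:
            continue
        rows.append({
            "_time": e["_time"],
            # Splunk's own 'host' field is always present, so it goes last.
            "source_host": coalesce(e, "src", "ClientIP", "c-ip", "src_ip", "host"),
            "source_user": coalesce(e, "RecipientEmailAddress", "SenderFromAddress",
                                    "user", "src_user", "cs-username"),
            "raw_url": raw_url, **f})
    rows.sort(key=lambda r: (-r["SuspicionScore"], -r["_time"]))
    return rows


# Constructed sample events (hypothetical values, one per sourcetype shape).
SAMPLE_EVENTS = [
    {"_time": 100, "sourcetype": "o365:management:activity",
     "Url": "https://bit.ly/3abc", "RecipientEmailAddress": "alice@example.com"},
    {"_time": 200, "sourcetype": "bluecoat:proxysg:accesslog", "host": "splunk-hf01",
     "cs-host": "gateway.pinata.cloud", "cs-uri-stem": "/ipfs/QmExampleCid/login.html",
     "c-ip": "10.0.0.5", "cs-username": "bob"},
    {"_time": 300, "sourcetype": "zscaler:proxy", "user": "carol@example.com",
     "url": "https://contoso-verify.azurewebsites.net/secure/account"},
    {"_time": 400, "sourcetype": "stream:http", "src": "10.0.0.9",
     "url": "https://accounts.example.com/login"},          # keyword-only hit
    {"_time": 500, "sourcetype": "proxy", "src": "10.0.0.7",
     "url": "https://www.example.com/news"},                # no match, filtered
]

if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r["SuspicionScore"], r["LinkCategory"], r["source_host"], r["raw_url"])
```

Running it shows the keyword-only event (accounts.example.com/login) surviving the default threshold as LinkCategory "Other" with a score of 1; that is the row population to watch when tuning, and min_score=2 removes it while keeping the IPFS and PaaS hits.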

Data Sources

  • Email: Email Message
  • Network Traffic: Network Connection Creation
  • Web Proxy Logs
  • Office 365 Activity Logs

Required Sourcetypes

  • o365:management:activity
  • proxy
  • stream:http

False Positives & Tuning

  • Legitimate marketing and newsletter emails using URL shorteners for click tracking — common from CRM platforms (HubSpot, Mailchimp, Salesforce)
  • Development and staging environments legitimately hosted on Vercel, Netlify, Cloudflare Pages — especially in software/tech organizations
  • Phishing simulation platforms (KnowBe4, Cofense, Proofpoint Security Awareness) generating intentional phishing links through URL shorteners or custom domains
  • Web3 and blockchain-related businesses routinely hosting content on IPFS and linking to IPFS gateways in communications
  • SaaS vendor activation and onboarding emails routing through PaaS redirect URLs as part of OAuth and SSO flows
  • Any legitimate login, account or portal URL matches the credential-keyword term on its own, scores 1 and passes the SuspicionScore > 0 filter; if these dominate the results, raise the threshold to 2 or require at least one infrastructure flag (IsUrlShortener, IsIPFS or IsSuspiciousPaaS) in the where clause
Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Clone Legitimate Login Page for Credential Harvesting Infrastructure

    Expected signal: Linux process audit log (auditd) showing wget execution with --mirror flag and target URL. DNS query for your-test-domain.example.com in DNS server logs. HTTP GET requests in proxy logs originating from the test host. Sysmon EventCode=1 equivalent on Linux (if Sysmon for Linux deployed) showing wget process with full command line arguments.

  2. Test 2: Stage Phishing Link Target on IPFS via Pinata

    Expected signal: Process creation log showing curl execution with api.pinata.cloud as destination. DNS query for api.pinata.cloud. Outbound HTTPS connection in network logs. The returned JSON will contain the IPFS CID (IpfsHash field) which serves as the permanent link target address accessible via https://gateway.pinata.cloud/ipfs/<CID>. When the CID link is later visited, gateway connection logs will show /ipfs/<CID> path pattern.

  3. Test 3: Register URL Shortener Redirect to Phishing Page

    Expected signal: Process creation showing curl with api-ssl.bitly.com destination. DNS query for api-ssl.bitly.com. HTTPS POST request in proxy/network logs. The returned JSON contains the 'link' field with the bit.ly short URL. When this URL is subsequently sent in a test phishing email and clicked, email security tools (Defender for Office 365) will record the bit.ly URL in EmailUrlInfo; once that telemetry is ingested into Splunk, the SPL detection above fires with LinkCategory='URLShortener'.

  4. Test 4: Deploy Phishing Link Target on Azure App Service (PaaS Infrastructure)

    Expected signal: Azure Activity Log entries showing App Service creation and deployment (ResourceProvider: Microsoft.Web). If a user navigates to the *.azurewebsites.net URL, DeviceNetworkEvents shows browser connection with RemoteUrl containing 'azurewebsites.net'. Azure Monitor logs capture all access to the App Service including source IPs, user agents, and request paths.
