title: Link Target (T1608.005)
id: df00tech-t1608-005
status: experimental
description: "Adversaries stage resources at link targets that are later delivered to victims via phishing campaigns (T1566.002, T1598.003) or malicious links (T1204.001). Link targets typically include cloned login pages for credential harvesting, malware download pages, or redirect chains through URL shorteners and trusted PaaS platforms. Because this activity occurs on adversary-controlled infrastructure before the victim is targeted, direct detection is impossible from within the victim environment. Detection must focus on downstream indicators: email security telemetry revealing delivered URLs pointing to suspicious infrastructure, endpoint browser telemetry showing user connections to phishing link targets, DNS queries to homoglyph or typosquatted domains, and proxy logs capturing connections to known link-staging platforms such as IPFS gateways, URL shorteners, and cloud PaaS providers abused for redirecting victims."
references:
  - https://attack.mitre.org/techniques/T1608/005/
  - https://df00tech.com/detections/T1608.005
author: df00tech
date: 2026/03/13
tags:
  - attack.t1608.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications"
  - "Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams"
  - "Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners"
  - "IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications"
  - "SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows"
level: high
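The rule above only carries a placeholder selection, so the downstream indicators its description names (proxy connections to URL shorteners, IPFS gateways and PaaS redirect hosts; DNS lookups of homoglyph or typosquatted look-alike domains) are shown here as a worked example. This is added illustrative code, not part of the df00tech rule or the df00tech query. The log lines are constructed, `example-corp.com` is a hypothetical protected brand domain, and the platform host list and confusable-character table are assumptions to be tuned for your environment.

```python
"""Added example (not the df00tech rule's logic): flag proxy and DNS log lines
that point at link-staging platforms or look-alike domains."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry: "proxy <ts> <src_ip> <method> <url> <status>"
# and "dns <ts> <src_ip> <qname> <qtype>". Not real data.
SAMPLE_LOGS = [
    "proxy 2026-03-13T10:01:02Z 10.0.0.5 GET https://bit.ly/3xyzAbc 302",
    "proxy 2026-03-13T10:01:04Z 10.0.0.5 GET https://login-portal.netlify.app/ 200",
    "proxy 2026-03-13T10:02:10Z 10.0.0.7 GET https://www.example-corp.com/ 200",
    "dns 2026-03-13T10:03:00Z 10.0.0.9 examp1e-corp.com A",
    "dns 2026-03-13T10:03:05Z 10.0.0.9 exarnple-corp.com A",
    "dns 2026-03-13T10:04:00Z 10.0.0.9 ipfs.io A",
]

# Hypothetical brand domains whose look-alikes we care about.
PROTECTED_DOMAINS = ["example-corp.com"]

# Assumed link-staging platforms, grouped by the categories the rule names.
STAGING_HOSTS: Dict[str, Tuple[str, ...]] = {
    "url_shortener": ("bit.ly", "ow.ly"),
    "paas": ("netlify.app", "vercel.app", "azurewebsites.net"),
    "ipfs_gateway": ("ipfs.io",),
}

# Assumed homoglyph substitutions; longer multi-character forms come first.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize_homoglyphs(host: str) -> str:
    """Map common look-alike character sequences to their canonical letters."""
    out = host.lower()
    for glyph, canon in CONFUSABLES.items():
        out = out.replace(glyph, canon)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(line: str) -> Optional[str]:
    """Pull the destination hostname out of a proxy or DNS line."""
    parts = line.split()
    if not parts:
        return None
    if parts[0] == "proxy" and len(parts) >= 5:
        m = re.match(r"https?://([^/:]+)", parts[4])
        return m.group(1).lower() if m else None
    if parts[0] == "dns" and len(parts) >= 4:
        return parts[3].lower()
    return None


def classify_host(host: str) -> Optional[Tuple[str, str]]:
    """Return (category, matched_suffix) if host sits on a staging platform."""
    for category, suffixes in STAGING_HOSTS.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return (category, suffix)
    return None


def typosquat_of(host: str) -> Optional[str]:
    """Return the protected domain this host imitates, or None.

    The genuine domain and its subdomains are never flagged; a host is flagged
    when its homoglyph-normalized form equals the brand or is within edit
    distance 2 of it.
    """
    for brand in PROTECTED_DOMAINS:
        if host == brand or host.endswith("." + brand):
            return None
        if normalize_homoglyphs(host) == brand or levenshtein(host, brand) <= 2:
            return brand
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run both checks over log lines; one alert dict per finding."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        host = extract_host(line)
        if not host:
            continue
        staged = classify_host(host)
        if staged:
            alerts.append({"host": host, "reason": staged[0], "match": staged[1]})
        brand = typosquat_of(host)
        if brand:
            alerts.append({"host": host, "reason": "typosquat", "match": brand})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Running the block on the constructed lines yields five alerts (the shortener, the PaaS host, the IPFS gateway and the two look-alike domains) and stays silent on the genuine `www.example-corp.com` connection. In production the hostname lists would be maintained as a data source rather than inline, and the false-positive cases listed in the rule (marketing shorteners, awareness-training platforms, developer previews) would be handled by allowlisting known senders or source hosts before alerting.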
