LinkedIn Redirect Abuse

    Jun. 10, 2024

    Key Points

    • Approximately 117,000 messages were observed abusing LinkedIn generated redirect across two major campaigns between March and April 2024
    • This redirect technique helps threat actors evade traditional security measures by hiding a malicious link in the URL for a trusted domain.
    • The primary intent was to steal credentials of recipients most likely to sell for profit.

    Threat actors are continuing to abuse a redirect that can be generated through LinkedIn, encouraging potential victims to click through to a malicious webpage designed to steal credentials.

    The redirects are generated from public facing pages on LinkedIn for personal or company profiles. These profiles will include a section with a link to an external site which can be retrieved as a redirect URL generated by LinkedIn. This technique can help threat actors bypass security measures designed to protect against malicious URLs and land an email into the inbox of unsuspecting victims.


    There have been 2 major campaigns observed across two days in March and April 2024, using a similar theme of notifying the recipient they have received a new audio message review, with a link to click through to listen.

    Subject:1Message Received From Caller

    Threat-Notification-LinkedIn Redirect-Abuse-1.png

    Subject:INTEL NEW

    Threat-Notification-LinkedIn Redirect-Abuse-2.png

    By analyzing the headers for the email, we can see that it was sent from an Amazon SES account likely compromised by the threat actor. The benefit to the threat actor of compromising an SES account is they can then send malicious emails from a trusted source where the regular security including SPF, DKIM and DMARC will most likely pass.


    Below is a LinkedIn URL redirect example taken from the second campaign.


    This LinkedIn redirect is not an open redirect, meaning it cannot be abused simply by replacing the section of the URL query containing the redirect destination. This implies the threat actor had to generate the URL from LinkedIn. The threat actor likely generated this redirect by creating a public profile through LinkedIn then adding sections to it which contain a link to an external resource. A threat actor can then copy the redirect generated by LinkedIn and paste it into an email campaign.

    Redirect Chain
    Looking at one of the LinkedIn redirect links from one of the above campaigns…

    URL format:

    Landing page

    Threat-Notification-LinkedIn Redirect-Abuse-3.png


    The threat actor has included a Cloudflare captcha through one of the redirect URLs to make it difficult for security tools to scan the link and determine if the final URL resolved to is malicious.


    Threat-Notification-LinkedIn Redirect-Abuse-4.png

    Credential capture page

    Final phishing page impersonating Microsoft online to capture and steal user credentials.


    Threat-Notification-LinkedIn Redirect-Abuse-5.png

    Decoding the base64 query string on the end of the credential capture page URL decodes to:
    hxxps://login.microsoftonline[.]com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=hxxps://[.]com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code id_token&scope=openid&msafed=1&msaredir=1&client-request-id=c1ce9da1-6c59-d48f-b4cf-f6bf36d81ae6&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&nonce=638519004680601011.5f70bd1f-9ad9-4793-bfbe-91b750cae2d6&state=DctBFoAgCABRrNdxSMgEOY6kblt2_Vj82U0CgD1sIVEEVEqrbES3NBJiYj7rUvLBC60Pw1utoC-faOxa6enzGpLiPfL79fwD

    This is a common technique used by threat actors for credential phishing pages. The victim will enter their credentials then be displayed with a fake login failure message. They will then be redirected to the legitimate login page. The victim will think they just entered their credentials incorrectly the first time and try again on the legitimate login page.

    Attack Pattern

    Given the complexity of the infrastructure used to steal credentials, it is likely the threat actor will have used a well known phishkit or phishing as a service tool (PhaaS) which will have provided ready to go infrastructure maintained by the owner of the service.

    Here is a summary of the attack pattern utilized for these campaigns:

    • Infrastructure established
      • Multiple domains registered to host some of the stages of the redirect chain including the Cloudflare Captcha page and the final credential phishing page
    • Web services abused
      • Google Looker Studio to host initial landing page
      • Cloudflare Captcha to evade URL scanners
    • Social media tool abused
      • Public facing LinkedIn page created. Probably a company profile with an external link to the initial landing page in Looker Studio
    • Email accounts compromised
      • Amazon SES accounts compromised to distribute malicious emails containing LinkedIn redirect from
    Tactics, Techniques, and Procedures

    • T1586.002 - Compromise Accounts Email Accounts
      • Threat actor compromised Amazon SES accounts to distribute malicious emails
    • T1583 - Acquire Infrastructure
      • Domains registered to host Cloudflare Captcha and credential phishing page (probably through a phishkit or PhaaS tool)
    • T1583.006 - Acquire Infrastructure: Web Services
      • Threat actor used Google Looker Studio to stage a landing page for the LinkedIn redirect
      • Redirect generated through LinkedIn
    • T1566.002 - Phishing: Spearphishing Link
      • Emails distributed with malicious LinkedIn redirect
    Back to Top