Linktree, a service that allows quick sharing of lists of links, is being used as an accessory in a phishing scam targeting corporate users. The platform, normally used by influencers to bring together all their channels and means of contact in one place, has become a haven for dangerous sites focused on stealing Office 365 business credentials.
It all starts with a fake notification from Microsoft services like OneDrive and Sharepoint that is spoofed as a way to trick users into clicking. The scam happens in stages, with the first interaction taking potential victims to Linktree, where a simple page carries the malicious link. The final page simulates the appearance of Office 365 services and asks for credentials to access a file that would have been shared by a co-worker, but in reality, could hide malware.
The attack flow revealed by Avanan, a cloud collaboration and email security company, is intended to make the malicious link reach the victims’ inbox. By embedding the dangerous site in a page considered legitimate as Linktree, criminals hope that victims will fall for the phishing attempt and hand over their corporate credentials to the fraudulent site.
“Email security services can look for other clues, such as context and sender address, but in general, this only tells part of the story, especially when the link is cleaned up,” explains Jeremy Fuchs, researcher and cybersecurity analyst at Advance. “Users will see a document intended for them and go through the process to open it, even if it means forgetting good security practices.”
Keeping an eye out and being aware of the signs, however, helps maintain protection. When receiving a supposed attachment or link, it is always important to verify that the communication is legitimate, downloading or accessing it only when you are sure of the origin of the information; at any sign of suspicion, the ideal is to ignore the message and not move forward.
Paying attention to senders and message content also helps spot signs of spoofing. Be wary of unknown users and domains, as well as spelling errors. Finally, it is important to keep security systems, such as antivirus and firewalls, always active and up to date, as they help to identify access to malicious pages.
