T1608.005: Link Target
Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in Malicious Link. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in Spearphishing Link) or a phish to gain initial access to a system (as in Spearphishing Link), an adversary must set up the resources for a link target for the spearphishing link.
Typically, the resources for a link target will be an HTML page that may include some client-side script such as JavaScript to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target; this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during Spearphishing Link.[1][2] Adversaries may also Upload Malware and have the link target point to malware for download/execution by the user.
Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure (Domains) to help facilitate Malicious Link.
Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.[3][4]
Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.[5][6][7][8] In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).[9][10][11][12] Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.[13]
Analyst context for executives and security teams
Link Target is a pre-compromise resource-development behavior: the adversary prepares the web page, hosted file, redirect, cloned login page, shortened link, cloud-hosted page, or IPFS-hosted destination that a victim may later be lured into visiting. For leaders, the risk is that the visible phishing message is only the delivery wrapper; the real business exposure often sits in the destination infrastructure that can harvest credentials, induce malware download, or abuse trusted hosting and URL masking to bypass simple blocking.
Executive priority
Prioritize this behavior as part of phishing resilience, identity protection, and pre-compromise threat intelligence. Executives should ask whether the organization can identify lookalike domains, cloned login pages, suspicious redirects, trusted-platform abuse, and single-use or obfuscated URLs before or during a campaign. The supplied ATT&CK relationships show this technique is associated with multiple campaigns and groups, so it is useful for risk-based readiness discussions, but local telemetry is required before claiming exposure or coverage.
Technical view
SOC, detection engineering, and IR teams should validate controls around resource-development indicators rather than waiting only for endpoint execution. This includes analysis of URLs embedded in email, chat, QR-code-driven workflows where applicable, redirects, shortened links, cloud/PaaS-hosted destinations, suspicious URI schemas, lookalike domains, cloned authentication pages, and links that ultimately point to malware downloads. Because ATT&CK provides no official detection text for this object, DET0893 should be treated as a related detection strategy reference, not proof of implemented coverage.
Likely telemetry
- Email security logs and message headers containing embedded URLs
- Web proxy, secure web gateway, DNS, and URL filtering logs
- Cloud access/security logs showing visits to trusted hosting or PaaS domains used as redirects or link targets
- Identity provider and authentication logs for credential-entry attempts following suspicious link access
- Threat intelligence or brand-monitoring data for typosquatting, homoglyph, and similar-domain registration
Detection direction
- Validate that URL analysis follows full redirect chains and does not stop at shortened, trusted, or cloud-hosted domains.
- Tune detections for suspicious similarity to legitimate domains, cloned login pages, URL schema abuse, obfuscation, and unusual URI/URL structures.
- Correlate link visits with identity events, especially failed or anomalous logins after interaction with a suspected credential-harvesting page.
- Account for blind spots from single-use URLs, dynamically generated URIs, IPFS-hosted content, and pages that vary content through client-side script.
- Use relationship context from campaigns and groups as intelligence enrichment, not as attribution without additional evidence.
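As an added example that is not part of the ATT&CK object or of Glexia's analysis, the following Python script applies the detection direction above to URLs pulled from email or proxy logs: it flags userinfo-before-@ schema abuse, IDN/punycode hosts, typosquats and wrong-TLD lookalikes of a protected domain, and trusted-hosting destinations that must have their redirect chain resolved before being cleared. The protected-domain list, the shortener/PaaS list, the distance threshold and the sample URLs are constructed assumptions.

```python
# Added example, not code from the ATT&CK object: offline triage of logged URLs
# for the link-target patterns described on this page. Lists and samples are constructed.
from urllib.parse import urlparse

PROTECTED = {"example-corp.com"}                                   # assumption: your brand domains
TRUSTED_HOSTING = {"bit.ly", "appspot.com", "azurewebsites.net"}  # assumption: shorteners / PaaS

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats of protected domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); a real deployment would use a public-suffix list."""
    return ".".join(host.split(".")[-2:])

def triage_url(url: str) -> list:
    """Return indicator tags for one URL; an empty list means nothing noteworthy was seen."""
    tags = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    # Schema abuse: anything before '@' is userinfo, so the real host is what follows it.
    if p.username is not None and "." in p.username:
        tags.append("userinfo-masks-host")
    # Homoglyph / IDN: non-ASCII characters or punycode labels in the host.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        tags.append("idn-or-homoglyph-host")
    # Typosquat or different TLD: close to, but not equal to or under, a protected domain.
    reg = registrable(host)
    for good in PROTECTED:
        if reg != good and host != good and not host.endswith("." + good):
            if levenshtein(reg, good) <= 2 or reg.split(".")[0] == good.split(".")[0]:
                tags.append(f"lookalike-of:{good}")
    # Trusted hosting: the logged host may only be a redirect; follow the chain before clearing it.
    if any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTING):
        tags.append("trusted-hosting-resolve-redirects")
    return tags

if __name__ == "__main__":
    for u in ["https://login.example-corp.com/", "https://example-corp.com@evil.example/x",
              "https://examp1e-corp.com/login", "https://example-corp.net/", "https://bit.ly/abc"]:
        print(u, triage_url(u))
```

The tags are triage hints to correlate with the identity and proxy telemetry listed above, not verdicts; a trusted-hosting hit in particular needs the full redirect chain before any decision.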
Mitigation priorities
- Implement pre-compromise measures consistent with M1056: reduce externally visible brand and identity attack surface and monitor for adversarial preparation activity.
- Strengthen email, web, DNS, and URL-filtering controls to inspect redirects, lookalike domains, and suspicious hosted pages before user interaction.
- Protect identity workflows with phishing-resistant controls where feasible, and ensure authentication monitoring can detect credential misuse after suspected link interaction.
- Maintain takedown, blocking, and incident response procedures for cloned login pages, malicious link targets, and domains similar to legitimate organizational domains.
- Educate users and help desks on suspicious links, copied URLs, shortened links, QR-code-style redirection scenarios where relevant, and unexpected login prompts.
Analyst notes and limits
This is a PRE-platform sub-technique under Stage Capabilities and the Resource Development tactic, so it describes adversary preparation rather than confirmed compromise by itself. The relationship context includes DET0893 as a detection strategy, M1056 Pre-compromise mitigation, parent T1608 Stage Capabilities, and use by campaigns/groups including Salesforce Data Exfiltration, Operation AkaiRyū, FIN7, Silent Librarian, and LuminousMoth. These relationships support prioritization and enrichment but do not establish activity in any specific environment.
ATT&CK does not provide official detection guidance for this technique in the supplied object. The object describes common link-target patterns and references public reporting, but local conclusions require organization-specific telemetry, URL samples, authentication logs, and incident evidence. No active exploitation, attribution, business impact, or guaranteed detection coverage should be inferred from this object alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1608 | Stage Capabilities | This object is a sub-technique of Stage Capabilities. |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
G1014: LuminousMoth
LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[1][2]
G0122: Silent Librarian
Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).[1][2][3]
C0059: Salesforce Data Exfiltration
The Salesforce Data Exfiltration campaign began in October 2024 with financially-motivated threat actor UNC6040 using Spearphishing Voice (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the "ShinyHunters" group. The observed infrastructure and TTPs used during the Salesforce Data Exfiltration campaign overlap with those used by threat groups with suspected ties to the broader collective known as "The Com." These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.[1][2]
C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | cdd812f8b5ae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Malwarebytes Silent Librarian October 2020. Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.
[2] Proofpoint TA407 September 2019. Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
[3] Kaspersky-masking. Dedenok, Roman. (2023, December 12). How cybercriminals disguise URLs. Retrieved January 17, 2024.
[4] mandiant-masking. Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.
[5] Netskope GCP Redirection. Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022.
[6] Netskope Cloud Phishing. Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022.
[7] Intezer App Service Phishing. Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022.
[8] Cofense-redirect. Raymond, Nathaniel. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved January 17, 2024.
[9] iOS URL Scheme. Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.
[10] URI. Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.
[11] URI Use. Nathan McFeters, Billy Kim Rios, Rob Carter. (2008). URI Use and Abuse. Retrieved February 9, 2024.
[12] URI Unique. Australian Cyber Security Centre, National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.
[13] Talos IPFS 2022. Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.
[14] mitre-attack T1608.005.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.