UPDATE, 5/2/23: On Tuesday, 5/2/23, Avanan researchers and members of Linktree’s security and trust team spoke via video conference. The two companies spoke in more detail about this attack. Linktree has already begun the process of removing the offending pages from their site; in addition, the two companies discussed a process in which all future detections of such attacks by Avanan will be immediately passed on to Linktree for removal. Further, Avanan researchers explained how these attacks fit the mold of hackers leveraging legitimate services to get into the inbox—what we describe as BEC 3.0. Avanan is looking forward to working with Linktree to ensure these malicious URLs never make it to users.

Linktree, a social media reference landing page, is a popular and easy way to host bio pages for Instagram, TikTok and other social media platforms.

It’s a simple way to have one link that showcases your bio, social media handles and any other information. In just a few minutes, and with no coding knowledge required, anybody can direct their followers to key information.

Hackers are now using it to direct victims to give up their credentials. 

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are creating free accounts on Linktree and using them to send users to credential harvesting pages.


In this attack, hackers are creating legitimate Linktree pages to host malicious URLs to harvest credentials. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Social Engineering, URL Nesting
  • Target: Any end-user


Email Example


Step 1:


In this attack, end-users get an email with a spoofed Microsoft OneDrive or SharePoint notification that a file has been shared with them, instructing them to open the file.

This email does a pretty good job of spoofing a Microsoft OneDrive or SharePoint document share page, although it’s not legitimate. You’ll notice the URL is off. First, there’s the ‘URLdefense.Proofpoint.’ at the start of the URL. That refers to Proofpoint’s click-time protection (and means that the target of this attack also had Proofpoint). It wraps the link and tests it at click time, but since the link points to Linktree, any analysis will show that it’s clean.


Step 2:

The URL in the email redirects victims to the Linktree page. Here the hacker has built a simple button that redirects them to the third and final page.


Step 3:


Finally, the user is redirected to this fake Office 365 login page, where they are asked to enter their credentials. Of course, that's where those credentials will be promptly stolen.


Leveraging legitimate websites to host malicious content is a surefire way to get into the inbox.

Most security services will look at the link–in this case, Linktree–and see that it’s legitimate and accept the message. That’s because it is legitimate.

Email security services can look for other clues, such as context and sender address. But in general, that only tells part of the story, especially when the link is clean. 

That is why emulating the page behind the URL is so important: following the link through to where it ends up helps reveal that the final page is malicious.
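The nested chain described above (Proofpoint wrapper, Linktree page, fake login page) can be walked offline, as in this added example; it is not Avanan's or Proofpoint's code. The function names, the `linktr.ee` hub list, the Microsoft host list, the v2 wrapper form and all sample URLs and pages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Assumptions for this example (illustrative, not complete lists).
LINK_HUBS = {"linktr.ee"}
BRAND_HOSTS = {"microsoft.com", "microsoftonline.com", "office.com",
               "live.com", "sharepoint.com"}

# Constructed sample data standing in for a sandboxed page fetch.
SAMPLE_WRAPPED = ("https://urldefense.proofpoint.com/v2/url"
                  "?u=https-3A__linktr.ee_example-2Ddocs&d=constructed")
SAMPLE_PAGES = {
    "https://linktr.ee/example-docs":
        '<a href="https://login.example-phish.test/o365">View Document</a>',
    "https://login.example-phish.test/o365":
        '<title>Sign in to Office 365</title>'
        '<form><input type="password" name="p"></form>',
}

def unwrap_proofpoint_v2(url):
    """Return the URL inside a Proofpoint URL Defense v2 wrapper, else the input."""
    p = urlparse(url)
    if p.hostname == "urldefense.proofpoint.com" and p.path.startswith("/v2/"):
        u = parse_qs(p.query).get("u", [""])[0]
        # v2 writes '%' as '-' and '/' as '_' inside the u= parameter.
        return unquote(u.replace("-", "%").replace("_", "/"))
    return url

def host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def analyze(url, fetch=SAMPLE_PAGES.get, max_hops=3):
    """Follow wrapper -> link hub -> landing page; return (chain, verdict)."""
    chain, queue = [], [unwrap_proofpoint_v2(url)]
    while queue and len(chain) < max_hops:
        current = queue.pop(0)
        chain.append(current)
        host = urlparse(current).hostname or ""
        html = fetch(current) or ""
        if host_matches(host, LINK_HUBS):
            # The hub itself is clean; the verdict depends on where its buttons lead.
            queue.extend(re.findall(r'href="(https?://[^"]+)"', html))
            continue
        asks_password = re.search(r'type="password"', html, re.I)
        claims_brand = re.search(r"office 365|microsoft|onedrive|sharepoint", html, re.I)
        if asks_password and claims_brand and not host_matches(host, BRAND_HOSTS):
            return chain, "credential-harvest"
    return chain, "no-finding"
```

Judging only the first hop would stop at the Linktree URL; the verdict here comes from the page reached through the button, which is the point of emulating the page behind the link.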

It’s also incumbent upon users to do some digging. They should think–why would this person send me a document via Linktree? Most likely, that wouldn’t be the case. That’s all a part of security awareness–understanding if an email or process seems logical. 

Hackers, of course, are betting that users won’t take those extra steps. Many won’t. Users will see a document that’s intended for them and go through the process to open it, even if it means forgetting good security practices.

It takes just one rushed moment, a few misplaced keystrokes, to bring tremendous damage into an organization. That opening is all the hacker needs.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always check the sender address before replying to an email
  • Stop and think if the medium being used to deliver a file is typical
  • When logging into a page, double-check the URL to see if it’s Microsoft or another legitimate site