MITRE ATT&CK Technique
Description
Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking) Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-03-17T20:35:08.429Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may put in place resources that are referenced by '
'a link that can be used during targeting. An adversary may '
'rely upon a user clicking a malicious link in order to '
'divulge information (including credentials) or to gain '
'execution, as in [Malicious '
'Link](https://attack.mitre.org/techniques/T1204/001). Links '
'can be used for spearphishing, such as sending an email '
'accompanied by social engineering text to coax the user to '
'actively click or copy and paste a URL into a browser. Prior '
'to a phish for information (as in [Spearphishing '
'Link](https://attack.mitre.org/techniques/T1598/003)) or a '
'phish to gain initial access to a system (as in '
'[Spearphishing '
'Link](https://attack.mitre.org/techniques/T1566/002)), an '
'adversary must set up the resources for a link target for the '
'spearphishing link. \n'
'\n'
'Typically, the resources for a link target will be an HTML '
'page that may include some client-side script such as '
'[JavaScript](https://attack.mitre.org/techniques/T1059/007) '
'to decide what content to serve to the user. Adversaries may '
'clone legitimate sites to serve as the link target, this can '
'include cloning of login pages of legitimate web services or '
'organization login pages in an effort to harvest credentials '
'during [Spearphishing '
'Link](https://attack.mitre.org/techniques/T1598/003).(Citation: '
'Malwarebytes Silent Librarian October 2020)(Citation: '
'Proofpoint TA407 September 2019) Adversaries may also [Upload '
'Malware](https://attack.mitre.org/techniques/T1608/001) and '
'have the link target point to malware for download/execution '
'by the user.\n'
'\n'
'Adversaries may purchase domains similar to legitimate '
'domains (ex: homoglyphs, typosquatting, different top-level '
'domain, etc.) during acquisition of infrastructure '
'([Domains](https://attack.mitre.org/techniques/T1583/001)) to '
'help facilitate [Malicious '
'Link](https://attack.mitre.org/techniques/T1204/001).\n'
'\n'
'Links can be written by adversaries to mask the true '
'destination in order to deceive victims by abusing the URL '
'schema and increasing the effectiveness of '
'phishing.(Citation: Kaspersky-masking)(Citation: '
'mandiant-masking)\n'
'\n'
'Adversaries may also use free or paid accounts on link '
'shortening services and Platform-as-a-Service providers to '
'host link targets while taking advantage of the widely '
'trusted domains of those providers to avoid being blocked '
'while redirecting victims to malicious pages.(Citation: '
'Netskope GCP Redirection)(Citation: Netskope Cloud '
'Phishing)(Citation: Intezer App Service Phishing)(Citation: '
'Cofense-redirect) In addition, adversaries may serve a '
'variety of malicious links through uniquely generated '
'URIs/URLs (including one-time, single use links).(Citation: '
'iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: '
'URI Unique) Finally, adversaries may take advantage of the '
'decentralized nature of the InterPlanetary File System (IPFS) '
'to host link targets that are difficult to remove.(Citation: '
'Talos IPFS 2022)',
'external_references': [{'external_id': 'T1608.005',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1608/005'},
{'description': 'Ashwin Vamshi. (2019, January 24). '
'Targeted Attacks Abusing Google '
'Cloud Platform Open Redirection. '
'Retrieved August 18, 2022.',
'source_name': 'Netskope GCP Redirection',
'url': 'https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection'},
{'description': 'Ashwin Vamshi. (2020, August 12). A '
'Big Catch: Cloud Phishing from '
'Google App Engine and Azure App '
'Service. Retrieved August 18, 2022.',
'source_name': 'Netskope Cloud Phishing',
'url': 'https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service'},
{'description': 'Australian Cyber Security Centre. '
'National Security Agency. (2020, '
'April 21). Detect and Prevent Web '
'Shell Malware. Retrieved February 9, '
'2024.',
'source_name': 'URI Unique',
'url': 'https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF'},
{'description': 'Dedenok, Roman. (2023, December 12). '
'How cybercriminals disguise URLs. '
'Retrieved January 17, 2024.',
'source_name': 'Kaspersky-masking',
'url': 'https://www.kaspersky.com/blog/malicious-redirect-methods/50045/'},
{'description': 'Edmund Brumaghin. (2022, November '
'9). Threat Spotlight: Cyber Criminal '
'Adoption of IPFS for Phishing, '
'Malware Campaigns. Retrieved March '
'8, 2023.',
'source_name': 'Talos IPFS 2022',
'url': 'https://blog.talosintelligence.com/ipfs-abuse/'},
{'description': 'Malwarebytes Threat Intelligence '
'Team. (2020, October 14). Silent '
'Librarian APT right on schedule for '
'20/21 academic year. Retrieved '
'February 3, 2021.',
'source_name': 'Malwarebytes Silent Librarian '
'October 2020',
'url': 'https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/'},
{'description': 'Michael Cobb. (2007, October 11). '
'Preparing for uniform resource '
'identifier (URI) exploits. Retrieved '
'February 9, 2024.',
'source_name': 'URI',
'url': 'https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits'},
{'description': 'Nathan McFeters. Billy Kim Rios. Rob '
'Carter.. (2008). URI Use and Abuse. '
'Retrieved February 9, 2024.',
'source_name': 'URI Use',
'url': 'https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf'},
{'description': 'Ostorlab. (n.d.). iOS URL Scheme '
'Hijacking. Retrieved February 9, '
'2024.',
'source_name': 'iOS URL Scheme',
'url': 'https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html'},
{'description': 'Paul Litvak. (2020, October 8). Kud '
'I Enter Your Server? New '
'Vulnerabilities in Microsoft Azure. '
'Retrieved August 18, 2022.',
'source_name': 'Intezer App Service Phishing',
'url': 'https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/'},
{'description': 'Proofpoint Threat Insight Team. '
'(2019, September 5). Threat Actor '
'Profile: TA407, the Silent '
'Librarian. Retrieved February 3, '
'2021.',
'source_name': 'Proofpoint TA407 September 2019',
'url': 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian'},
{'description': 'Raymond, Nathaniel. (2023, August '
'16). Major Energy Company Targeted '
'in Large QR Code Phishing Campaign. '
'Retrieved January 17, 2024.',
'source_name': 'Cofense-redirect',
'url': 'https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/'},
{'description': 'Simonian, Nick. (2023, May 22). '
"Don't @ Me: URL Obfuscation Through "
'Schema Abuse. Retrieved January 17, '
'2024.',
'source_name': 'mandiant-masking',
'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'}],
'id': 'attack-pattern--84ae8255-b4f4-4237-b5c5-e717405a9701',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:49:03.552Z',
'name': 'Link Target',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Menachem Goldstein',
'Hen Porcilan',
'Diyar Saadi Ali',
'Nikola Kovac'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.4'}