
LinkedIn Phishing Campaign Targets Finance Executives with Fake Board Invitations to Steal Microsoft Credentials

A new phishing campaign on LinkedIn is targeting finance executives with fake invitations to join the executive board of a fictitious investment fund. Cybercriminals are using professional networking tactics and advanced redirect techniques to harvest Microsoft credentials and session data from unsuspecting victims.

How the LinkedIn Phishing Attack Works

Researchers at Push Security recently detected and blocked one of these sophisticated phishing attacks. The campaign starts with what appears to be a legitimate LinkedIn direct message, inviting the recipient to join the “Executive Board of Common Wealth Investment Fund” — supposedly in partnership with a financial branch called AMCO. The message is carefully crafted to appeal to executives, offering an exclusive, high-level business opportunity in South America.

The message concludes with a malicious link that leads to a complex chain of redirects. The first redirection occurs through a Google open redirect, lending initial legitimacy to the link. From there, the victim is guided to an attacker-controlled domain, which finally redirects to a fake landing page hosted on Firebase, served from the host firebasestorage.googleapis[.]com.

This final destination is disguised as a “LinkedIn Cloud Share” portal containing supposed board membership documents. Victims are prompted to click on the “View with Microsoft” button to access files — a step that triggers yet another redirect, this time to login.kggpho[.]icu, where a Cloudflare Turnstile CAPTCHA appears. This added layer of complexity is designed to prevent automated security systems from scanning or flagging the site.

Use of Cloudflare Turnstile and Adversary-in-the-Middle Techniques

According to Push Security, attackers are now incorporating bot protection mechanisms such as CAPTCHA and Cloudflare Turnstile to evade detection. These tools ensure only human visitors can access the fake login page, effectively bypassing automated phishing scanners. Once the CAPTCHA is solved, users are presented with what looks like a Microsoft authentication page.

However, this page is a phishing trap, operating as an Adversary-in-the-Middle (AITM) mechanism that captures both login credentials and session cookies. This allows attackers not only to steal usernames and passwords but also to bypass multi-factor authentication (MFA), gaining direct access to corporate accounts.

Push Security and BleepingComputer identified several domains used in this campaign, including payrails-canaccord[.]icu, boardproposalmeet[.]com, and sqexclusiveboarddirect[.]icu. These domains mimic legitimate corporate names, making the phishing attempts appear professional and credible.

Phishing Expands Beyond Email

Push Security’s Chief Product Officer, Jacques Louw, noted a dramatic shift in phishing behavior: “Phishing isn’t just happening in email anymore. Over the past month, about 34% of phishing attempts we’ve tracked have come through platforms like LinkedIn and other non-email channels — up from under 10% three months ago.”

This data highlights how cybercriminals are adapting their tactics to exploit the platforms where professionals actually communicate. As email security tools become more sophisticated, attackers are moving into trusted environments like LinkedIn, where messages often bypass traditional detection systems.

Protecting Yourself Against LinkedIn Phishing

This campaign marks the second major LinkedIn phishing wave uncovered by Push Security in just six weeks, the previous one targeting technology executives. Experts urge users to be highly cautious when receiving unsolicited messages offering business opportunities, board positions, or investment roles.

To stay safe:

  • Never click on links from unknown or unexpected LinkedIn messages.
  • Verify the sender’s identity through official company channels.
  • Treat links with unusual domain endings (like .top, .icu, or .xyz) with suspicion.
  • Use a password manager to detect mismatched login pages.
  • Enable multi-factor authentication (MFA) and monitor login activity for anomalies.
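
For defenders, the redirect chain described earlier and the domain-ending advice in this list can be combined into a triage check over redirect chains reconstructed from proxy or browser logs. The following is an added example, not code from Push Security or the original article; the finding names, weights, thresholds, trusted-entry list, Microsoft sign-in allowlist and sample chains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SUSPICIOUS_TLDS = {"icu", "top", "xyz"}             # endings named in the list above
TRUSTED_ENTRY = {"google.com", "www.google.com"}    # assumption: hosts that filters tend to allow
STORAGE_HOSTS = {"firebasestorage.googleapis.com"}  # lure host named in the article
MS_SIGNIN = {"login.microsoftonline.com", "login.live.com"}  # genuine Microsoft sign-in hosts
# Assumed weights: a trusted entry hop alone is normal, so it scores low.
WEIGHTS = {"trusted-entry-leaves-domain": 1, "storage-hosted-lure": 1,
           "suspicious-tld": 2, "login-lookalike": 2}

def host_of(url):
    """Refang a defanged URL (hxxp, [.]) and return its lowercase hostname."""
    url = url.replace("hxxp", "http").replace("[.]", ".")
    return (urlsplit(url).hostname or "").lower()

def triage_chain(hops):
    """Return the findings raised by one ordered redirect chain."""
    hosts = [h for h in map(host_of, hops) if h]
    if not hosts:
        return []
    findings, final = [], hosts[-1]
    if hosts[0] in TRUSTED_ENTRY and final != hosts[0]:
        findings.append("trusted-entry-leaves-domain")
    if any(h in STORAGE_HOSTS for h in hosts[1:]):
        findings.append("storage-hosted-lure")
    if final.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        findings.append("suspicious-tld")
    if final.startswith("login.") and final not in MS_SIGNIN:
        findings.append("login-lookalike")
    return findings

def verdict(hops):
    """Map the summed finding weights to allow / review / block."""
    score = sum(WEIGHTS[f] for f in triage_chain(hops))
    return "block" if score >= 4 else "review" if score >= 2 else "allow"

# Constructed sample chains: paths and the middle hop are placeholders.
CAMPAIGN_CHAIN = [
    "hxxps://www.google[.]com/REDIRECT-PLACEHOLDER",
    "hxxps://attacker-redirector.example/PLACEHOLDER",
    "hxxps://firebasestorage.googleapis[.]com/PLACEHOLDER",
    "hxxps://login.kggpho[.]icu/",
]
BENIGN_CHAIN = ["https://www.google.com/PLACEHOLDER",
                "https://login.microsoftonline.com/"]

if __name__ == "__main__":
    for name, chain in (("campaign", CAMPAIGN_CHAIN), ("benign", BENIGN_CHAIN)):
        print(name, verdict(chain), triage_chain(chain))
```

Scoring the whole chain rather than the first URL matters here because the first hop is a reputable host and would pass a per-link reputation check on its own.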

Conclusion: LinkedIn Becomes a Prime Phishing Ground

The use of LinkedIn as a phishing vector marks a new stage in social engineering, where attackers exploit professional trust and legitimate branding to achieve high success rates. As AI-driven phishing campaigns evolve and security barriers strengthen around email, platforms like LinkedIn are becoming the new frontline for credential theft.

Organizations should update their cybersecurity awareness training to include social media-based phishing risks, ensuring executives understand that even business platforms can host deceptive threats. Vigilance, verification, and proactive defense are key to staying one step ahead.
