Attackers are increasingly shifting from email to LinkedIn to spread phishing attempts. Security company Push intercepted an advanced LinkedIn phishing attack that combines multiple evasion techniques to circumvent detection.
Phishing via LinkedIn is on the rise, although it often goes unnoticed. This is because much of the phishing data comes from email security providers. LinkedIn falls outside the scope of traditional anti-phishing controls, while employees often use the platform via business devices. This creates a security blind spot that attackers cleverly exploit.
In this recent attack, the victim received a malicious link via a LinkedIn message. After clicking, the user went through three redirects via Google Search and payrails-canaccord[.]icu before a specially crafted landing page appeared, hosted on firebasestorage.googleapis[.]com. By using trusted services such as Google Firebase, attackers reduce the risk of links being detected by security tools.
The attack chain ends at a Microsoft-imitating phishing page where credentials and MFA authentication are stolen. Push detected the attack in real time while the page was loading in the browser.
Multi-level detection evasion
The attackers used various techniques to bypass automated security systems. The long redirect chain via legitimate sites (e.g., Google) forms a first layer. Many link analysis systems exclude trusted domains from scanning, allowing attackers to hide the real target effectively.
They then used Cloudflare Turnstile as bot protection. This technology requires visitors to complete a challenge before the entire page is loaded. This prevents automated scanners from analyzing the phishing content.
The attackers also randomized elements on the phishing page itself. Titles, text, images, and favicons are randomly generated to prevent static fingerprinting. Some components are even encoded in the HTML and loaded dynamically at runtime. This allows the same phishing kit to generate different signatures each time.
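A defender-side check for the first evasion layer above (the redirect chain that starts on an allowlisted domain), added here as an illustration and not code from Push or the article: it expands a Google `/url?q=` redirector hop so a scanner does not stop at the trusted domain, then scores the chain on the traits the article describes. The sample chain, the bucket name and the host lists are constructed assumptions, not observed campaign data.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample, not data from the article: the hop order a browser would
# record for the chain described (Google redirector -> .icu domain -> cloud storage).
SAMPLE_CHAIN = [
    "https://www.google.com/url?q=https://payrails-canaccord.icu/start",
    "https://payrails-canaccord.icu/start",
    "https://payrails-canaccord.icu/next",
    "https://firebasestorage.googleapis.com/v0/b/EXAMPLE-BUCKET/o/index.html?alt=media",
]

# Hosts a scanner must NOT treat as a safe end point: one is an open redirector,
# the other serves arbitrary user-uploaded content. Extend to your own allowlist.
OPEN_REDIRECTORS = {"www.google.com"}                # /url?q=<target> result links
USER_CONTENT_HOSTS = {"firebasestorage.googleapis.com"}
WATCHED_TLDS = (".icu",)                             # TLD seen in this campaign

def unwrap_redirector(url):
    """Return the destination embedded in a known redirector URL, else None."""
    p = urlparse(url)
    if p.netloc in OPEN_REDIRECTORS and p.path == "/url":
        return parse_qs(p.query).get("q", [None])[0]
    return None

def analyse_chain(hops):
    """Score a list of visited URLs (first hop = the link the user clicked)."""
    expanded = []
    for url in hops:
        expanded.append(url)
        target = unwrap_redirector(url)
        if target and target not in hops:   # chain was cut off at the redirector
            expanded.append(target)
    hosts = [urlparse(u).netloc for u in expanded]
    findings = []
    if len(hops) >= 3:
        findings.append("long redirect chain")
    if any(h in OPEN_REDIRECTORS for h in hosts):
        findings.append("trusted redirector used to mask target")
    if any(h.endswith(WATCHED_TLDS) for h in hosts):
        findings.append("host on watched TLD")
    if hosts[-1] in USER_CONTENT_HOSTS:
        findings.append("landing page on shared cloud storage")
    # Judge the final hop, not the reputation of the domain the chain started on.
    verdict = "suspicious" if len(findings) >= 2 else "benign"
    return {"final_host": hosts[-1], "findings": findings, "verdict": verdict}

if __name__ == "__main__":
    for key, value in analyse_chain(SAMPLE_CHAIN).items():
        print(f"{key}: {value}")
```

Running it on only the first hop (what a scanner sees if it stops at the trusted domain) still yields "suspicious", because the redirector's embedded target is expanded before scoring.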
AiTM phishing despite MFA
The phishing page uses Adversary-in-the-Middle techniques. This allows attackers to steal sessions, even when victims have multifactor authentication enabled. After entering credentials and completing the MFA check, the attackers take over the entire Microsoft session.
With access to such a core identity account, malicious actors can not only access email and files, but also all downstream applications that are accessible via single sign-on. The impact, therefore, extends far beyond just the compromised LinkedIn account.
For organizations, this means that the threat extends beyond email attacks alone. Attackers are looking for new channels where employees expect contact requests from strangers. LinkedIn offers that opportunity.