
LinkedIn Phishing Campaign Targets Finance Executives


A new LinkedIn phishing campaign is targeting finance executives with fake invitations to join an exclusive board. The attack uses professional pretexts, trusted cloud platforms, and advanced phishing methods to steal login credentials and bypass multi-factor authentication.

How this LinkedIn Phishing Campaign Works

The campaign begins with a direct message on LinkedIn inviting the target to join the “Executive Board” of a supposed investment firm called Common Wealth in partnership with “AMCO – Our Asset Management.” The message appears authentic and carries the tone of a legitimate professional invitation.

Once the target clicks the embedded link, they are redirected through several legitimate-looking domains to evade suspicion. The first stop is a Google open-redirect, followed by a Firebase-hosted page resembling a LinkedIn Cloud Share document. Each step creates a sense of trust and urgency.

The victim is then prompted to view a document “via Microsoft.” That link leads to a fake Microsoft login page, placed behind a CAPTCHA wall so it looks legitimate. In reality, the page is an Adversary-in-the-Middle (AITM) phishing site: it relays the victim’s login to the real service and captures both the credentials and the session cookie issued after sign-in. Because that cookie already reflects a completed MFA challenge, even accounts protected by MFA can be compromised.

Why Target Finance Executives?

Cybercriminals know that executives within finance departments have access to sensitive information and high-value systems. This makes them ideal targets for credential theft. By leveraging LinkedIn, attackers exploit trust in professional platforms where users are less skeptical of direct messages.

Push Security reports that phishing attempts through non-email channels have surged dramatically this year. Nearly one-third of recent phishing campaigns now take place via platforms like LinkedIn, rather than through traditional email.

Techniques That Make This Attack Effective

Several sophisticated elements make this campaign harder to detect:

  • Use of legitimate services: Redirects through Google and Firebase domains disguise malicious intent.
  • Social engineering through authority: The board invitation appeals to ego and career advancement.
  • AITM infrastructure: Capturing session tokens allows attackers to bypass MFA protection.
  • Professional channel exploitation: LinkedIn’s business-centric environment reduces suspicion.

How to Stay Protected

Companies can take several steps to defend against similar LinkedIn phishing campaigns:

  • Educate employees and executives about phishing on professional networks.
  • Verify all unexpected invitations or offers through secondary channels.
  • Enforce conditional access and strict token-lifetime policies in Microsoft 365.
  • Monitor for unusual login attempts or MFA bypass attempts.
  • Block or flag domains using suspicious TLDs such as .icu or .top.
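The last three items above are the ones a defender can automate. The following is an added example, not code from the original post or from Push Security: it flags links that bounce across domains or end on one of the TLDs named above, and it scans sign-in records for a session id that was established with MFA and then reappears from a different IP without a fresh challenge, which is the footprint a replayed AITM-captured cookie leaves. The log field names are an assumption rather than a real Microsoft 365 schema, the `.web.app` hostname stands in for Firebase hosting, and all sample records and URLs are constructed.

```python
"""Detection helpers for the defenses listed above: suspicious-link triage and
session-cookie replay spotting. Added, hypothetical example; the log field
names (user, session_id, ip, mfa, time) are an assumption, not a real
Microsoft 365 / Entra ID schema, and every sample value is constructed."""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# TLDs named in the post; a real policy would be driven by local telemetry.
SUSPICIOUS_TLDS = {"icu", "top"}


def has_suspicious_tld(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS


def redirect_targets(url: str) -> list:
    """Absolute URLs carried in the query string, i.e. where an open redirect
    could send the user. Recurses so nested redirects are unwrapped too."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                found.append(value)
                found.extend(redirect_targets(value))
    return found


def link_verdict(url: str) -> str:
    """'block' if any hop lands on a suspicious TLD, 'review' if the link
    bounces across more than one domain, otherwise 'allow'."""
    chain = [url] + redirect_targets(url)
    if any(has_suspicious_tld(hop) for hop in chain):
        return "block"
    if len({urlparse(hop).hostname for hop in chain}) > 1:
        return "review"
    return "allow"


def flag_session_replay(events, window=timedelta(minutes=30)):
    """Alert when a session id first seen in an MFA-satisfied sign-in is reused
    from a different IP within `window` without a fresh MFA challenge. A
    legitimate token refresh stays on the device that did MFA; a stolen cookie
    typically surfaces from other infrastructure minutes later."""
    origin = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev["session_id"]
        if sid not in origin:
            if ev["mfa"]:
                origin[sid] = ev
            continue
        first = origin[sid]
        if (ev["ip"] != first["ip"]
                and not ev["mfa"]
                and ev["time"] - first["time"] <= window):
            alerts.append({
                "user": ev["user"],
                "session_id": sid,
                "mfa_ip": first["ip"],
                "replay_ip": ev["ip"],
                "minutes_after_mfa": int(
                    (ev["time"] - first["time"]).total_seconds() // 60),
            })
    return alerts


# Constructed sample sign-in records (not real log data).
T0 = datetime(2025, 10, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # Real user completes MFA (through the proxy page) from the office IP.
    {"user": "cfo@example.com", "session_id": "sess-A", "ip": "203.0.113.10",
     "mfa": True, "time": T0},
    # Same cookie reused from a different IP six minutes later, no MFA.
    {"user": "cfo@example.com", "session_id": "sess-A", "ip": "198.51.100.7",
     "mfa": False, "time": T0 + timedelta(minutes=6)},
    # Benign session: silent refresh from the same IP that did MFA.
    {"user": "analyst@example.com", "session_id": "sess-B", "ip": "203.0.113.22",
     "mfa": True, "time": T0 + timedelta(minutes=1)},
    {"user": "analyst@example.com", "session_id": "sess-B", "ip": "203.0.113.22",
     "mfa": False, "time": T0 + timedelta(minutes=20)},
]

# Constructed link shaped like the Google -> Firebase -> lookalike chain above.
SAMPLE_LINK = ("https://www.google.com/url?q=https://example-share.web.app/doc"
               "?next=https://portal-review.example.icu/login")

if __name__ == "__main__":
    print(link_verdict(SAMPLE_LINK))
    for alert in flag_session_replay(SAMPLE_EVENTS):
        print(alert)
```

The replay check deliberately keys on the session identifier rather than on the user, because the user will legitimately appear in both records; what separates a stolen cookie from a normal refresh is the change of origin IP with no new MFA event. Feed it the actual sign-in export and tune `window` to the token lifetime enforced by conditional access.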

Final Thoughts

The ongoing LinkedIn phishing campaign underscores a critical shift in cybercriminal tactics. Attackers are moving beyond email, exploiting professional trust and social platforms to compromise corporate accounts. For finance executives and organisations handling sensitive data, heightened vigilance on every digital channel, not just email, has become essential.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.