A LinkedIn Offer Too Good to Be True — And Too Costly

Fake Investment Offers on LinkedIn Used to Steal Corporate Login Data

The420 Web Desk

Attackers use fake investment offers and advanced spoofing tactics to steal Microsoft credentials from high-value professionals.

A New Breed of Social Engineering

A new phishing campaign has surfaced on LinkedIn, targeting senior finance executives through what appears to be exclusive, high-value invitations. The scheme, uncovered by cybersecurity firm Push Security, marks a shift in how attackers pursue sensitive corporate data — moving from email-based phishing to social platforms that convey a sense of professional legitimacy.

The attackers, posing as representatives of a “Commonwealth investment fund in South America,” reach out to targets with a convincing pitch: an offer to join an executive board in partnership with a fictitious venture capital firm. The message, written in formal corporate language, tempts recipients with what sounds like a career milestone — but behind it lies a complex web of digital deception.

The Anatomy of a LinkedIn Attack

The trap begins when a victim clicks the link included in the invitation. What follows is a chain of redirections: first through Google Search, then to a server controlled by the attacker, and finally to a page hosted on firebasestorage.googleapis[.]com. The chain matters as much as the destination. The link a target (or a link scanner) sees points at a Google property, the attacker-controlled hop can be swapped or disabled at will, and the landing page itself sits on a Google-owned storage domain that reputation systems tend to trust. That final page, styled to look authentic, urges the user to review or download a document via Microsoft.

Once clicked, the victim is routed to a custom-built adversary-in-the-middle (AiTM) phishing site, a nearly identical clone of Microsoft's login page. An AiTM page does not merely copy the form: it proxies the real sign-in flow, relaying the username, password and MFA prompt to Microsoft in real time so the login genuinely succeeds. The attacker captures the session cookie or token Microsoft issues at the end of that flow and replays it from their own infrastructure, which is why the account can be used afterwards without MFA being challenged again, and why a second factor alone does not stop this campaign.
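The detection that follows from the paragraph above is an added example, not Push Security's tooling or anything from the campaign write-up: after an AiTM login, the MFA-backed interactive sign-in is completed by the proxy, and the stolen session is then used from the attacker's network. The script correlates the two over a constructed, simplified sign-in log (hypothetical field names; real Entra ID or Google Workspace exports differ, and IPs and ASNs come from documentation ranges) and raises one alert per session whose first non-interactive use within a window comes from a different ASN than the sign-in itself.

```python
"""Correlate an MFA-satisfied interactive sign-in with later use of the same
session from a different network, the trace an AiTM phishing proxy leaves
behind: the proxy completes the login, the operator replays the token."""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema). IPs are from the
# documentation ranges of RFC 5737; ASNs are from the RFC 5398 documentation
# block, so nothing here points at a real network.
EVENTS = [
    {"time": "2024-05-06T09:01:10", "user": "cfo@example.com", "session": "s1",
     "interactive": True, "mfa": True, "ip": "203.0.113.7", "asn": "AS64500"},
    {"time": "2024-05-06T09:03:44", "user": "cfo@example.com", "session": "s1",
     "interactive": False, "mfa": False, "ip": "198.51.100.21", "asn": "AS64501"},
    {"time": "2024-05-06T09:05:02", "user": "cfo@example.com", "session": "s1",
     "interactive": False, "mfa": False, "ip": "198.51.100.21", "asn": "AS64501"},
    {"time": "2024-05-06T08:30:00", "user": "analyst@example.com", "session": "s2",
     "interactive": True, "mfa": True, "ip": "192.0.2.50", "asn": "AS64502"},
    {"time": "2024-05-06T10:00:00", "user": "analyst@example.com", "session": "s2",
     "interactive": False, "mfa": False, "ip": "192.0.2.50", "asn": "AS64502"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_session_replay(events, window=timedelta(hours=2)):
    """Return one alert per session whose first non-interactive use within
    `window` of an MFA-satisfied interactive sign-in comes from a different
    ASN than that sign-in. Sessions with no MFA login are skipped."""
    by_session = {}
    for ev in sorted(events, key=_ts):
        by_session.setdefault(ev["session"], []).append(ev)

    alerts = []
    for session, evs in by_session.items():
        logins = [e for e in evs if e["interactive"] and e["mfa"]]
        if not logins:
            continue
        login = logins[0]
        for ev in evs:
            if ev["interactive"] or _ts(ev) <= _ts(login):
                continue
            if _ts(ev) - _ts(login) > window:
                break  # events are sorted, so nothing later is in the window
            if ev["asn"] != login["asn"]:
                delta = (_ts(ev) - _ts(login)).total_seconds() / 60
                alerts.append({
                    "session": session,
                    "user": login["user"],
                    "login_ip": login["ip"],
                    "use_ip": ev["ip"],
                    "minutes_after_login": round(delta, 1),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

The ASN comparison rather than a raw IP comparison keeps a laptop that moves between two office addresses on the same carrier quiet; mobile users who switch from Wi-Fi to cellular will still trip it, so in practice this rule is paired with ASN reputation (hosting providers and VPN exits) or an impossible-travel check before it pages anyone.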


Shifting Targets and Broader Risks

Push Security notes that this campaign represents a clear evolution in phishing tactics. Attackers are now exploiting social media platforms like LinkedIn rather than traditional email channels, blurring the line between professional networking and cyber exploitation.

“Just because the attack happens over LinkedIn doesn’t lessen the impact,” the firm warned.

“These are corporate credentials being targeted, even if it’s a ‘personal’ app. Taking over a core identity like a Microsoft or Google account can have wide-ranging consequences, putting data at risk in both core apps and any connected systems via single sign-on.”

Defenses and Evasion Techniques

The attackers' infrastructure reveals a high degree of technical sophistication. According to Push Security, they employ common anti-bot technologies such as CAPTCHA and Cloudflare Turnstile, not to protect users but to prevent automated scanners and security tools from reaching and flagging their pages. A crawler that gives up at the challenge never sees the credential form behind it, so the phishing site stays online longer and evades early detection. The practical counter is to treat the gate itself as a signal: a bot challenge standing in front of a page that then asks for corporate credentials is not something a legitimate Microsoft sign-in does.
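The following is an added example of how a URL-analysis pipeline could score a captured visit against the traits described in this article (the laundering redirect chain ending on shared cloud storage, the bot-challenge gate, and a Microsoft-styled sign-in served from a host that is not Microsoft's). It is not Push Security's code. The redirect chain and page bodies are constructed: the attacker hostnames use the reserved `.example` domain, the Google hop is written as a plain search URL because the article does not give its exact form, and the allowlist of Microsoft login hosts is an assumption to extend for your own tenant.

```python
"""Score a captured visit (redirect chain plus the HTML seen at each hop)
for the LinkedIn-to-AiTM pattern: multi-domain redirect chain, disposable
landing page on shared storage, bot challenge in front of a credential
form, Microsoft branding on a non-Microsoft host."""
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve a Microsoft sign-in form.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
}
# Shared object-storage hosts used for disposable landing pages (from the
# article; extend with others you see).
SHARED_STORAGE_HOSTS = {"firebasestorage.googleapis.com"}

# Constructed sample visit. Hostnames under .example are hypothetical.
PHISH_CHAIN = [
    "https://www.google.com/search?q=constructed-first-hop",
    "https://go.attacker-infra.example/r/7f3a",
    "https://firebasestorage.googleapis.com/v0/b/constructed-bucket/o/review.html",
    "https://secure-docs.attacker-infra.example/common/oauth2/authorize",
]
PHISH_PAGES = [
    "",  # not fetched
    "",  # bare 302 from the attacker's redirector
    '<html><script src="https://challenges.cloudflare.com/turnstile/v0/api.js">'
    '</script><p>Review the board invitation document via Microsoft</p></html>',
    '<html><title>Sign in to your account</title><img alt="Microsoft">'
    '<input name="loginfmt"><input type="password" name="passwd"></html>',
]
BENIGN_CHAIN = ["https://login.microsoftonline.com/common/oauth2/v2.0/authorize"]
BENIGN_PAGES = ['<html><img alt="Microsoft"><input type="password"></html>']


def registrable(host):
    """Crude eTLD+1 (last two labels); a real pipeline uses the public
    suffix list. Good enough to count distinct domains in a chain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_visit(chain, pages):
    """Return the list of reasons this visit looks like the campaign.
    An empty list means no trait matched."""
    reasons = []
    hosts = [urlparse(u).hostname or "" for u in chain]
    domains = {registrable(h) for h in hosts}
    if len(chain) >= 3 and len(domains) >= 3:
        reasons.append(f"{len(chain)}-hop redirect chain across {len(domains)} domains")

    storage_hops = [h for h in hosts[:-1] if h in SHARED_STORAGE_HOSTS]
    if storage_hops:
        reasons.append(f"intermediate landing page on shared storage host {storage_hops[0]}")

    lowered = [p.lower() for p in pages]
    final = lowered[-1] if lowered else ""
    has_password = re.search(r'<input[^>]*type=["\']?password', final) is not None
    challenged = any(
        "challenges.cloudflare.com/turnstile" in p or "g-recaptcha" in p
        for p in lowered
    )
    if challenged and has_password:
        reasons.append("bot challenge gating a credential form")

    final_host = hosts[-1] if hosts else ""
    if "microsoft" in final and has_password and final_host not in MICROSOFT_LOGIN_HOSTS:
        reasons.append(f"Microsoft-branded password form on non-Microsoft host {final_host}")
    return reasons


if __name__ == "__main__":
    print(score_visit(PHISH_CHAIN, PHISH_PAGES))
    print(score_visit(BENIGN_CHAIN, BENIGN_PAGES))
```

The point of scoring the whole visit rather than the final URL is that each hop on its own is unremarkable: Google, a random redirector and a Google storage bucket all have clean reputations. The traits only become damning together, and the challenge widget, which is what stops most automated scanners from getting this far, is recorded as evidence instead of a dead end.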

The firm’s analysts stress that organizations must adapt their defenses to include social platforms in their threat monitoring strategies. As phishing evolves from inboxes to newsfeeds, vigilance — once focused on suspicious emails — must now extend to direct messages, job offers, and professional invitations that look legitimate but conceal digital traps.
