A new phishing campaign is targeting LinkedIn users, specifically senior finance professionals, through fake executive board offers designed to steal Microsoft login credentials. Unlike traditional phishing emails, this attack unfolds entirely within LinkedIn’s messaging system, making it more convincing and harder to detect.
The campaign was uncovered by cybersecurity firm Push Security, which recently intercepted and blocked one of these high-risk attempts.
How the LinkedIn phishing scam works
Victims are first contacted via LinkedIn direct message by what appears to be a legitimate executive or recruiter. The message extends a formal invitation to join the “Executive Board of the Commonwealth Investment Fund,” a supposedly prestigious venture capital initiative linked to a fictional asset management firm named “AMCO.”
The message reads: “I'm excited to extend an exclusive invitation for you to join the Executive Board of the Commonwealth Investment Fund in South America, in partnership with AMCO — our asset management branch, a bold new venture capital fund launching in the region.”
The offer appears lucrative and credible, encouraging recipients to review an attached “proposal” document to proceed. However, clicking the link triggers a series of redirects — starting with a Google Search result, then to an attacker-controlled website, and finally to a landing page hosted on firebasestorage.googleapis[.]com.
Once there, victims are prompted to open a document via Microsoft, which leads them to a realistic fake Microsoft login page built using an adversary-in-the-middle (AiTM) setup. Any credentials entered on this page are instantly captured by the attacker.
Push Security noted that the attackers use CAPTCHA and Cloudflare Turnstile verification tools to block automated scans by cybersecurity bots — allowing their phishing pages to evade detection.
The company warned that this reflects a broader trend: phishing campaigns are increasingly moving away from email to professional social platforms like LinkedIn, where targets are more trusting and less suspicious.
“Just because the attack happens over LinkedIn doesn’t lessen the impact,” Push Security said. “These are corporate credentials being targeted. Taking over a Microsoft or Google account can have severe consequences, exposing sensitive data and any linked applications accessed via single sign-on.”
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
