A new phishing campaign is spreading rapidly on LinkedIn, the platform for professionals and job seekers. The scam targets senior finance professionals with fake ‘executive board’ invitations. It is delivered through LinkedIn’s messaging system rather than email, which makes it appear legitimate, but its real goal is to steal Microsoft login credentials through a very convincing fake login page.
Senior professionals in finance and leadership positions targeted on LinkedIn
The phishing scam targets LinkedIn users, especially senior professionals in finance and leadership positions. Because it is not an email-based scam but an attack that takes place entirely inside LinkedIn’s messaging system, it is far more credible and harder to detect. Cybersecurity firm Push Security discovered and blocked the campaign during an attempted compromise.
How the LinkedIn phishing scam works:
- It is a highly targeted LinkedIn DM attack from an account masquerading as a senior executive or recruiter, offering an exclusive opportunity:
- An invitation to join the “Executive Board of the Commonwealth Investment Fund” in partnership with a fictitious firm named AMCO.
- The message looks professional and is well-written, so its targets readily trust it.
Victims are then encouraged to open a ‘proposal document’, which triggers a deceptive chain of redirects:
- A Google Search result page
- An attacker-controlled website
- A Firebase Storage link hosting the fake document
They eventually reach a spoofed Microsoft login page built with adversary-in-the-middle techniques. Anything typed there is captured immediately.
Why is this scam hard to detect?
The attackers have made the phishing page sophisticated and stealthy:
- Uses CAPTCHA and Cloudflare Turnstile to block automated scanners
- Looks exactly like Microsoft’s actual login page
- Hosted on trusted platforms like Firebase for legitimacy
- Because the scam runs inside LinkedIn DMs, many targets do not suspect foul play.
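As an added illustration (not code from the article or from Push Security), a small Python checker that scans a browsing session's redirect hops for the pattern described in the two lists above: a Google Search hop, a Firebase Storage hop, and a final Microsoft-branded sign-in page served from a host Microsoft does not use for sign-in. The attacker and lookalike host names are constructed placeholders; the Microsoft sign-in hosts and the Firebase Storage host are real hostnames, and matching the lookalike on its page title is an assumption about what a web proxy or browser telemetry records.

```python
from urllib.parse import urlparse

# Real hosts Microsoft serves its own sign-in pages from.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Real Firebase Storage download host, the "trusted platform" stage of the chain.
FIREBASE_STORAGE_HOST = "firebasestorage.googleapis.com"


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_google_search(host):
    return host == "google.com" or host.endswith(".google.com")


def classify_chain(hops):
    """hops: ordered (url, page_title) pairs from one browsing session.
    Returns the indicators found, in chain order; is_suspicious() gives the verdict."""
    indicators = []
    if not hops:
        return indicators
    hosts = [host_of(url) for url, _ in hops]
    google_idx = next((i for i, h in enumerate(hosts) if is_google_search(h)), None)
    # A Google result that bounces to a non-Google site is the chain's first step.
    if google_idx is not None and any(not is_google_search(h) for h in hosts[google_idx + 1:]):
        indicators.append("google_search_hop")
    if FIREBASE_STORAGE_HOST in hosts:
        indicators.append("firebase_storage_hop")
    final_url, final_title = hops[-1]
    final_host = host_of(final_url)
    # Assumption: the lookalike copies Microsoft's sign-in page title. A Microsoft-branded
    # sign-in page on a host outside MICROSOFT_LOGIN_HOSTS is the decisive indicator.
    if "microsoft" in final_title.lower() and final_host not in MICROSOFT_LOGIN_HOSTS:
        indicators.append("microsoft_login_lookalike:" + final_host)
    return indicators


def is_suspicious(hops):
    return any(i.startswith("microsoft_login_lookalike:") for i in classify_chain(hops))


# Constructed sample sessions; ".invalid" hosts are placeholders, not real indicators.
SAMPLE_CHAIN = [
    ("https://www.google.com/search?q=proposal+document", "proposal document - Google Search"),
    ("https://proposal-portal.invalid/open", "Proposal"),
    ("https://firebasestorage.googleapis.com/v0/b/placeholder-bucket/o/proposal.html", "Proposal document"),
    ("https://secure-login-portal.invalid/common/oauth2", "Sign in to your account - Microsoft"),
]
BENIGN_CHAIN = [
    ("https://www.google.com/search?q=office+365+sign+in", "office 365 sign in - Google Search"),
    ("https://login.microsoftonline.com/", "Sign in to your account - Microsoft"),
]
```

Run against proxy or browser history exports, the benign chain shows that a Google hop alone never triggers a verdict; only a branded sign-in page on a non-Microsoft host does.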
Why LinkedIn is becoming a major target
Push Security warns that attackers are moving away from email: professionals trust LinkedIn messages more, and corporate credentials (Microsoft and Google accounts) are at high risk. A successful account takeover can expose confidential files, emails, financial data, and applications connected via single sign-on.
The firm emphasized that such attacks are especially dangerous because compromised accounts lead to data breaches, financial theft, or unauthorized access to internal systems.