Find notable cyber news and cases, enriched with sources, timelines, and signals.

Common Wealth LinkedIn board-invitation phishing campaign targeting finance executives

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

The Common Wealth phishing operation is targeting finance executives on LinkedIn with fake executive board invitations and browser-based credential theft. The lure uses direct messages, a Google open redirect, and attacker-controlled redirects to reach a fake Microsoft login flow. The landing pages use Cloudflare Turnstile to slow analysis and then capture credentials and session cookies through an AITM phish. The activity is notable because it is the second LinkedIn executive-phishing campaign in six weeks, indicating sustained operation continuity.

Related Happenings

Google DoubleClick malspam campaign delivering DesckVB RAT

Campaign
H score33 First: 03.06.2026 19:29 Last: 03.06.2026 19:29 Sources 1

About this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...

Ghost Stadium FIFA World Cup fraud campaign

Campaign
H score41 First: 27.05.2026 14:28 Last: 27.05.2026 14:28 Sources 1

About this happening: A **Ghost Stadium**-linked **FIFA impersonation fraud campaign** is targeting **2026 FIFA World Cup** fans with cloned **fifa.com** pages, fake ticket and hospitality offers, and...

Google sponsored search ManageWP phishing campaign

Campaign
H score13 First: 07.05.2026 00:36 Last: 07.05.2026 00:36 Sources 1

About this happening: A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
H score31 First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
H score82 First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Timeline

  1. 30.10.2025 15:00 2 articles · 8mo ago

    LinkedIn board-invitation phishing targets finance executives

    Initial Disclosure

    Finance executives are being targeted on LinkedIn with direct-message phishing lures that impersonate executive board invitations for a newly created Common Wealth investment fund. The phishing flow begins with a malicious link, uses a Google open redirect and attacker-controlled redirects to reach a Firebase-hosted page on firebasestorage.googleapis[.]com, presents a fake "LinkedIn Cloud Share" document portal, and then sends the victim to login.kggpho[.]icu where Cloudflare Turnstile is used before a fake Microsoft login page steals credentials and session cookies through an Adversary-in-the-Middle phish. Push Security says it recently blocked one of the attacks and identified related domains including payrails-canaccord[.]icu, boardproposalmeet[.]com, and sqexclusiveboarddirect[.]icu.

    Show sources