LinkedIn Phishing Campaigns Targeting Enterprises

2 unique sources, 2 articles

Summary

LinkedIn has become a prominent platform for phishing attacks, with 34% of phishing attacks occurring over non-email channels. Attackers are conducting sophisticated spear-phishing campaigns targeting executives in the financial services and technology sectors. These attacks bypass traditional security tools, are cost-effective and scalable for attackers, provide easy access to high-value targets, and have significant potential rewards. The nature of LinkedIn makes it easier for users to fall for these attacks, as they expect to interact with external contacts. The impact of these attacks can be severe, potentially leading to multi-million-dollar breaches. Organizations need to adopt comprehensive security measures to detect and block phishing across all apps and delivery vectors.

60% of credentials in infostealer logs are linked to social media accounts, many of which lack MFA. Attackers are hijacking legitimate LinkedIn accounts to launch phishing campaigns, exploiting the lack of MFA on these accounts. LinkedIn phishing attacks target core enterprise cloud platforms such as Microsoft and Google, or specialist identity providers like Okta. A single account compromise can snowball into a multi-million-dollar, business-wide breach.

Timeline

  1. 10.11.2025 17:01 · 2 articles

    LinkedIn Phishing Campaigns Targeting Enterprises


Similar Happenings

Phishing campaign targets finance executives with fake LinkedIn board invites

A phishing campaign is targeting finance executives via LinkedIn, using fake board invitations to steal Microsoft credentials. The attack begins with a LinkedIn message containing a malicious link. The campaign uses multiple redirects, including a Google open redirect and a custom landing page hosted on Firebase. The final stage involves a fake Microsoft login page designed to capture credentials and session cookies. The campaign was detected by Push Security, which observed an increase in phishing attempts through online services like LinkedIn. This is the second such campaign targeting executives on LinkedIn in the past six weeks.

Modern web browsers as primary attack surface in enterprise infrastructure

Modern web browsers have become critical components of enterprise infrastructure, but also a primary attack surface for identity-based intrusions, SaaS abuse, and session hijacking. On September 29th at 12:00 PM ET, a webinar will be held to discuss the evolving threat landscape targeting corporate browsers and how attackers compromise accounts, steal data, and bypass traditional defenses. The webinar will focus on real-time detection and response platforms to mitigate these risks. The webinar, titled "Your Browser Is the Breach: Securing the Modern Web Edge", will be co-hosted by BleepingComputer and SC Media, with experts from Push Security. The event aims to educate security professionals on the tactics used by attackers, such as malicious extensions, session token theft, and OAuth abuse, and provide strategies to detect and defend against these threats.

Increased Browser-Based Attacks Targeting Business Applications

Browser-based attacks targeting business applications have surged, exploiting modern work practices and decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and browser extensions, compromise business apps and data by targeting users. The attacks leverage various delivery channels and evasion techniques, making them difficult to detect and block. Phishing attacks have evolved to use non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks often bypass traditional email security controls and are harder to detect. Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for enhanced browser security measures and better visibility into user activities within the browser.

VoidProxy phishing service targets Microsoft 365, Google accounts

A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs.

Additionally, a new phishing automation platform named Quantum Route Redirect (QRR) is targeting Microsoft 365 users worldwide. QRR uses around 1,000 domains hosted on parked or compromised domains to steal credentials. The attacks start with malicious emails impersonating various services, redirecting users to credential harvesting pages. QRR employs a built-in filtering mechanism to distinguish between bots and human visitors, redirecting humans to phishing pages while sending bots to benign sites. QRR has been observed targeting Microsoft 365 accounts across 90 countries, with 76% of attacks directed at U.S. users. The platform offers advanced features such as a configuration panel, monitoring dashboards, intelligent traffic routing, and an analytics dashboard, making it easier for less technically minded cybercriminals to launch sophisticated phishing campaigns. QRR has been observed in the wild since August 2025 and uses a URL pattern of "/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/" for its phishing campaigns. QRR can bypass Microsoft 365 email protections, including Microsoft Exchange Online Protection (EOP), secure email gateways (SEG), and integrated cloud email security (ICES) products. QRR's intelligent redirect system can differentiate between security tools and human visitors, redirecting security tools to legitimate websites and human visitors to phishing pages. QRR has been observed deceiving web application firewall products, enabling attacks to bypass multiple layers of security.

Microsoft 365 logins stolen via ADFS redirects in phishing campaign

A phishing campaign has been observed using legitimate ADFS redirects to steal Microsoft 365 logins. The attackers exploit trusted Microsoft infrastructure to bypass URL-based detection and multi-factor authentication, redirecting users from legitimate office.com links to phishing pages. The campaign targeted multiple organizations, starting with malicious sponsored links in Google search results. The attackers set up a custom Microsoft tenant with ADFS configured, allowing them to receive authorization requests and authenticate users on the phishing page. The phishing site was disguised with fake blog posts and conditional loading restrictions to evade detection and ensure only valid targets accessed the phishing page.