New LinkedIn Phishing Campaign Targets Finance Leaders to Steal Microsoft Credentials

A new LinkedIn-based phishing campaign is targeting finance leaders and senior executives, using a highly sophisticated social engineering tactic to steal Microsoft login credentials. Unlike traditional phishing attempts that rely on malicious emails, this campaign operates entirely within LinkedIn’s messaging system, making it harder to detect and block through conventional security filters.

The campaign was uncovered by Push Security, which reported detecting and preventing a high-risk phishing attack that sought to compromise the accounts of targeted professionals. According to the cybersecurity firm, the attackers are leveraging LinkedIn’s trust-based ecosystem to approach high-value individuals in leadership roles, particularly those in the finance and investment sectors.

Here’s how the scheme unfolds: victims receive a direct message on LinkedIn from what appears to be a legitimate business profile. The attacker poses as a representative of an investment organization and extends an exclusive invitation to join a newly launched financial board.

“I’m excited to extend an exclusive invitation for you to join the Executive Board of the Commonwealth investment fund in South America in partnership with AMCO – Our Asset Management branch, a bold new venture capital fund launching an Investment Fund in South America,” the fraudulent message reads, mimicking professional corporate language to establish credibility.

Once the recipient expresses interest, the attackers share a link to a fake login page resembling Microsoft’s authentication portal. Unsuspecting victims who input their credentials unknowingly hand over their usernames and passwords to the threat actors, granting them potential access to sensitive corporate systems and data.

Cybersecurity experts have warned that such LinkedIn phishing tactics are becoming more common as attackers shift from email-based scams to social networking platforms, where users are less suspicious of direct, professional messages.

Push Security’s findings underscore the need for organizations to strengthen user awareness and implement multi-factor authentication (MFA) to safeguard against identity-based attacks. As threat actors continue to evolve their techniques, experts emphasize that even well-informed professionals are not immune to social engineering schemes crafted to exploit trust and professional curiosity.
