Full Report
Hackers are abusing LinkedIn to target finance executives with direct-message phishing attacks that impersonate executive board invitations, aiming to steal their Microsoft credentials. [...]
Analysis Summary
# Tool/Technique: AITM Phishing via LinkedIn Direct Messages
## Overview
This technique involves threat actors abusing LinkedIn's direct messaging feature to target finance executives. The attack impersonates an invitation to join an executive board for a fictitious investment fund ("Common Wealth"), using an elaborate redirect chain culminating in an Adversary-in-the-Middle (AITM) phishing page designed to steal Microsoft credentials and session cookies.
## Technical Details
- Type: Technique
- Platform: Web browsers (targeting users accessing LinkedIn and subsequent Microsoft authentication pages)
- Capabilities: Impersonation of legitimate business opportunities, multi-step URL redirection, employment of bot protection measures (CAPTCHA), and credential/session cookie harvesting via an AITM setup.
- First Seen: Reported as recent activity in the source article, dated October 30, 2025.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.003 - Spearphishing via Service (the lure arrives as a LinkedIn direct message rather than an email)
- T1566.002 - Spearphishing Link (the message carries a link into the redirect chain, not an attachment)
- TA0006 - Credential Access
- T1557 - Adversary-in-the-Middle (the phishing page proxies the real Microsoft login, relaying what the victim types)
- T1539 - Steal Web Session Cookie (the AITM setup captures the authenticated session cookie, not only the password)
- TA0005 - Defense Evasion
- T1656 - Impersonation (a fictitious investment fund and executive board invitation)
## Functionality
### Core Capabilities
- **Social Engineering:** Crafting convincing lures using executive-level professional opportunities (e.g., Executive Board invitations).
- **URL Redirection:** Utilizing multiple redirects, starting with Google open redirects, to obscure the final malicious payload destination.
- **Credential Harvesting:** Presenting a convincing fake Microsoft login page to capture usernames and passwords.
### Advanced Features
- **Environment Evasion:** Implementing Cloudflare Turnstile CAPTCHA to prevent automated security scanners and bots from analyzing the final phishing landing page.
- **Adversary-in-the-Middle (AITM):** Deploying an AITM setup to capture session authentication data in addition to simple login credentials.
- **Hosting Strategy:** Using legitimate, though often abused, infrastructure like `firebasestorage.googleapis[.]com` for hosting intermediate landing pages.
## Indicators of Compromise
- **File Hashes:** N/A (web-based credential phishing; the article describes no file payload).
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:**
- Initial Lure Domains: `payrails-canaccord[.]icu`, `boardproposalmeet[.]com`, `sqexclusiveboarddirect[.]icu`
- Final AITM Page: `login.kggpho[.]icu` (hosts the proxied Microsoft login that captures credentials and session cookies)
- Intermediate Hosting: `firebasestorage.googleapis[.]com` (Used for the fake "LinkedIn Cloud Share" portal)
- **Behavioral Indicators:**
- Unsolicited LinkedIn direct messages offering exclusive investment board roles.
- Redirect chains that pass through reputable services (a Google open redirect, then Firebase Storage) before landing on an uncommon TLD such as .icu.
- Presentation of a CAPTCHA challenge followed by a Microsoft login prompt outside of official Microsoft domains.
## Associated Threat Actors
The article does not attribute the campaign to a named group. It was reported by Push Security, which noted that this is the second such campaign targeting executives on LinkedIn in recent weeks.
## Detection Methods
- **Signature-based detection:** Alert on DNS queries, web-proxy requests, and referrer headers matching the domains listed above.
- **Behavioral detection:** Correlate web-proxy events per user: a LinkedIn referrer, followed within minutes by a Google open redirect, a cloud-storage landing page, a CAPTCHA challenge, and a Microsoft-branded login on a host outside Microsoft's login domains. On the identity side (a general AITM detection not specific to this article), a successful sign-in from an unfamiliar IP address or ASN immediately after the user's own sign-in is characteristic of a proxy completing the login on the victim's behalf.
- **YARA rules if available:** N/A (Not provided in the context).
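The redirect chain under Functionality and the behavioral detection above can be turned into a per-user triage of web-proxy logs. The following is an added example written for this page, not code from Push Security or the article: the log format, the request paths, the users and the time window are constructed, the hostnames are taken from the IOC list above, and the path heuristic for a login page is an assumption to tune per environment. It alerts only when a delivery signal (LinkedIn referrer or Google open redirect) and a landing signal (known IOC host or a login-looking path off Microsoft's domains) occur in the same window, so an ordinary Google redirect to a benign site does not fire.

```python
# Triage web-proxy logs for the LinkedIn -> open redirect -> staging -> AITM login chain.
# Added example; log format, sample requests and the login-path heuristic are constructed.
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
SUSPICIOUS_TLDS = {"icu", "top", "xyz"}              # from the network-filtering advice on this page
CLOUD_STAGING_HOSTS = {"firebasestorage.googleapis.com"}
KNOWN_IOC_HOSTS = {"payrails-canaccord.icu", "boardproposalmeet.com",
                   "sqexclusiveboarddirect.icu", "login.kggpho.icu"}
LOGIN_PATH_HINT = re.compile(r"login|oauth2|signin", re.I)   # heuristic, assumption

# Constructed sample log: "<timestamp> <user> <status> <url> <referer or ->", one request per line.
SAMPLE_LOG = """\
2025-10-30T09:12:01Z cfo@example.com 200 https://www.linkedin.com/messaging/ -
2025-10-30T09:12:40Z cfo@example.com 302 https://www.google.com/url?q=https://payrails-canaccord.icu/board https://www.linkedin.com/
2025-10-30T09:12:41Z cfo@example.com 302 https://payrails-canaccord.icu/board https://www.google.com/
2025-10-30T09:12:42Z cfo@example.com 200 https://firebasestorage.googleapis.com/v0/b/example/o/share.html https://payrails-canaccord.icu/
2025-10-30T09:12:55Z cfo@example.com 200 https://login.kggpho.icu/common/oauth2/authorize https://firebasestorage.googleapis.com/
2025-10-30T10:01:00Z analyst@example.com 302 https://www.google.com/url?q=https://docs.python.org/3/ https://mail.google.com/
2025-10-30T10:01:01Z analyst@example.com 200 https://docs.python.org/3/ https://www.google.com/
"""

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def google_open_redirect_target(url):
    """Destination of a google.com/url?q=... (or url=...) hop that leaves Google, else None."""
    parsed = urlparse(url)
    if not host_of(url).endswith("google.com") or parsed.path != "/url":
        return None
    params = parse_qs(parsed.query)
    target = (params.get("q") or params.get("url") or [None])[0]
    if target and not host_of(target).endswith("google.com"):
        return target
    return None

def signals_for(url, referer):
    """Per-request indicators; none of them is an alert on its own."""
    host, found = host_of(url), set()
    if host_of(referer).endswith("linkedin.com"):
        found.add("linkedin_referer")
    if google_open_redirect_target(url):
        found.add("google_open_redirect")
    if host in CLOUD_STAGING_HOSTS:
        found.add("cloud_staging")
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        found.add("suspicious_tld")
    if host in KNOWN_IOC_HOSTS:
        found.add("known_ioc")
    if host not in MICROSOFT_LOGIN_HOSTS and LOGIN_PATH_HINT.search(urlparse(url).path):
        found.add("login_page_off_microsoft")
    return found

def parse_log(text):
    """Parse the constructed format into (timestamp, user, status, url, referer) tuples, time-ordered."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, status, url, referer = line.split()
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, int(status), url, referer))
    return sorted(rows)

def evaluate(window_rows):
    """A window alerts only when a delivery signal and a landing signal both occur in it."""
    seen = set()
    for _, _, _, url, referer in window_rows:
        seen |= signals_for(url, referer)
    delivery = {"linkedin_referer", "google_open_redirect"} & seen
    landing = {"login_page_off_microsoft", "known_ioc"} & seen
    return {"alert": bool(delivery and landing), "signals": sorted(seen),
            "chain": [host_of(row[3]) for row in window_rows]}

def triage(text, window=timedelta(minutes=15)):
    """Split each user's requests into consecutive time windows and evaluate each one."""
    by_user = {}
    for row in parse_log(text):
        by_user.setdefault(row[1], []).append(row)
    verdicts = {}
    for user, rows in by_user.items():
        current, start = [], rows[0][0]
        for row in rows:
            if row[0] - start > window:
                verdicts.setdefault(user, []).append(evaluate(current))
                current, start = [], row[0]
            current.append(row)
        verdicts.setdefault(user, []).append(evaluate(current))
    return verdicts

if __name__ == "__main__":
    for user, windows in triage(SAMPLE_LOG).items():
        for verdict in windows:
            print(user, "ALERT" if verdict["alert"] else "ok", " -> ".join(verdict["chain"]))
```

Run as-is it flags the constructed `cfo@example.com` window (LinkedIn referrer, Google open redirect, Firebase staging, .icu host, IOC match, OAuth-style path off Microsoft) and leaves the analyst's benign Google redirect alone. The two-signal rule is the important design choice: each indicator by itself is common in legitimate traffic, and the campaign is recognisable by the sequence, not by any single hop.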
## Mitigation Strategies
- **Prevention measures:** Users must be trained to be highly suspicious of unsolicited business opportunities or board invitations received via LinkedIn direct messages.
- **Hardening recommendations:** Require phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys, Windows Hello for Business) for executive accounts. A WebAuthn authenticator signs the origin the browser is actually on, so an AITM proxy on another domain cannot complete the sign-in and never receives a session cookie; typed or push-approved codes do not help, because the proxy simply relays them. The article does not state which MFA method the targeted accounts used. Treat links in unexpected direct messages as untrusted until the sender's identity is confirmed through an out-of-band channel.
- **Network Filtering:** Flag or block connections to newly registered domains on uncommon TLDs such as .icu, .top and .xyz, especially when the referrer is a social-media platform or a Google redirect endpoint.
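The AITM capability described under Advanced Features and the phishing-resistant MFA recommendation above are two sides of the same mechanism, shown here as an added toy model written for this page, not the kit Push Security observed. The test account, its password and MFA code, the session-cookie format, and the HMAC used as a stand-in for a WebAuthn signature are all constructed; the real origin is Microsoft's login host and the phishing origin is taken from the IOC list. The model runs the same proxy against a password-plus-typed-code login, where it captures everything including the cookie, and against an origin-bound assertion, where the identity provider rejects it.

```python
# Toy model of an AITM phishing proxy and why origin-bound MFA defeats it.
# Added illustration; accounts, secrets, message formats and the HMAC signature stand-in are constructed.
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.microsoftonline.com"   # genuine identity provider
PHISH_ORIGIN = "https://login.kggpho.icu"           # AITM host from the IOC list above


class Authenticator:
    """FIDO2-style security key: it signs the challenge together with the origin the
    browser reports, and the browser reports the page the user is really on."""
    def __init__(self):
        self.key = secrets.token_bytes(32)   # stand-in for the credential's private key

    @staticmethod
    def sign(key, client_data):
        msg = f"{client_data['challenge']}|{client_data['origin']}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def make_assertion(self, challenge, browser_origin):
        client_data = {"challenge": challenge, "origin": browser_origin}
        return {"client_data": client_data, "signature": self.sign(self.key, client_data)}


class IdentityProvider:
    """Minimal Microsoft-style IdP: password plus a typed MFA code, or WebAuthn."""
    def __init__(self):
        self.passwords = {"cfo@example.com": "Winter2025!"}  # constructed test account
        self.mfa_codes = {"cfo@example.com": "482913"}       # stand-in for a TOTP or push code
        self.authn_keys, self.challenges, self.sessions = {}, {}, {}

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_password_mfa(self, user, password, code):
        if self.passwords.get(user) != password or self.mfa_codes.get(user) != code:
            return None
        return self._issue_session(user)

    def register_authenticator(self, user, authenticator):
        self.authn_keys[user] = authenticator.key   # enrolment happens out of band

    def begin_webauthn(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_webauthn(self, user, assertion):
        """Reject any assertion not bound to our own origin and the outstanding challenge."""
        client, key = assertion["client_data"], self.authn_keys.get(user)
        if key is None or client["origin"] != REAL_ORIGIN:
            return None
        if client["challenge"] != self.challenges.pop(user, None):
            return None
        if not hmac.compare_digest(Authenticator.sign(key, client), assertion["signature"]):
            return None
        return self._issue_session(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AitmProxy:
    """Reverse proxy on PHISH_ORIGIN relaying the victim's traffic to the real IdP."""
    def __init__(self, idp):
        self.idp, self.captured = idp, {}

    def relay_password_mfa(self, user, password, code):
        cookie = self.idp.login_password_mfa(user, password, code)
        self.captured = {"user": user, "password": password, "code": code, "cookie": cookie}
        return cookie   # the victim is logged in as normal and sees nothing wrong

    def relay_webauthn(self, user, authenticator):
        challenge = self.idp.begin_webauthn(user)                          # real challenge, relayed
        assertion = authenticator.make_assertion(challenge, PHISH_ORIGIN)  # browser is on the phish
        return self.idp.finish_webauthn(user, assertion)                   # signed origin cannot be rewritten


def attack_typed_mfa():
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    victim_cookie = proxy.relay_password_mfa("cfo@example.com", "Winter2025!", "482913")
    return {"victim_logged_in": victim_cookie is not None,
            "attacker_session_user": idp.whoami(proxy.captured["cookie"])}


def attack_webauthn():
    idp = IdentityProvider()
    proxy, key = AitmProxy(idp), Authenticator()
    idp.register_authenticator("cfo@example.com", key)
    proxied = proxy.relay_webauthn("cfo@example.com", key)
    direct_assertion = key.make_assertion(idp.begin_webauthn("cfo@example.com"), REAL_ORIGIN)
    direct = idp.finish_webauthn("cfo@example.com", direct_assertion)
    return {"proxied_login_ok": proxied is not None, "direct_login_ok": direct is not None}


if __name__ == "__main__":
    print(attack_typed_mfa())
    print(attack_webauthn())
```

In the first run the proxy ends up holding a cookie that `whoami` resolves to the victim, which is exactly the session-cookie theft the report describes. In the second the proxy forwards a perfectly valid challenge and a perfectly valid signature, yet the login fails because the signed origin is the phishing host; the proxy cannot fix that without the victim's key. Real WebAuthn verifies an asymmetric signature over `clientDataJSON` (which carries the origin) rather than an HMAC, but the binding is the same.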
## Related Tools/Techniques
- Adversary-in-the-Middle (AITM) Phishing Kits (General technique)
- Social Media Phishing/Business Email Compromise (BEC) variants targeting professionals.
- Use of legitimate cloud storage services (like Firebase Storage) to host parts of the malicious infrastructure.