Push Security, a leading innovator in browser-based detection and response, has uncovered a new wave of phishing attacks exploiting LinkedIn as a primary delivery channel. The campaign reflects a growing trend where cybercriminals are shifting away from traditional email-based attacks to target professionals directly through social platforms, using trusted cloud services to conceal their activity.

“These tactics are becoming increasingly common in the phishing ecosystem and demonstrate how deeply attackers understand the mechanisms of modern security defenses,” said Jacques Louw, Chief Product Officer at Push Security.

Attackers Exploit Trusted Platforms to Evade Detection

According to Push Security’s browser-native protection platform, the latest campaign employed a sophisticated sequence of redirects through Google and Microsoft services — including Google Search, Firebase, and Microsoft Dynamics — before leading victims to a fake Microsoft login page engineered to steal credentials.

“Phishing is no longer confined to the inbox,” warned Adam Bateman, CEO of Push Security. “Attackers are adapting by engaging employees directly within professional applications like LinkedIn, while hiding behind legitimate domains that traditional security systems often overlook.”

LinkedIn Emerges as a Growing Phishing Vector

Push Security’s researchers report a sharp increase in phishing messages delivered via LinkedIn direct messaging — an environment widely used for genuine professional outreach but largely invisible to traditional enterprise email defenses.

This is the second major LinkedIn phishing campaign identified by Push in recent months, signaling that threat actors increasingly view the platform as an effective channel for reaching high-value business targets, such as executives, recruiters, and sales professionals.

“Because LinkedIn operates outside conventional enterprise filters, attackers can send malicious links and social-engineer victims without triggering the same scrutiny,” explained Louw. “It’s effectively a blind spot in enterprise visibility and control, even on managed corporate devices.”

Abuse of Legitimate Cloud Services

To obscure the attack’s true destination, the adversaries relied on a multi-layered redirect chain that passed through several legitimate domains, including Google Sites, Google Search, Firebase, and Microsoft Dynamics. Embedding these trusted services within the attack flow helped attackers avoid detection by automated URL scanners and filtering tools.

Further complicating analysis, attackers incorporated Cloudflare Turnstile bot protection to block automated detection systems and used dynamic obfuscation techniques, such as randomizing web page titles, layouts, and source code structures.

“These evasion tactics show how well adversaries exploit the inherent trust in platforms like Google and Microsoft,” added Louw. “Their sophistication makes these phishing campaigns harder than ever for organizations to detect and stop.”

From LinkedIn Chat to Compromised Credentials

The attack sequence typically began with a LinkedIn message containing what appeared to be an innocuous link. After multiple redirects through legitimate sites, the target encountered a Microsoft-branded “view document” page protected by a Cloudflare Turnstile challenge.

Once the challenge was completed, victims were redirected to an adversary-in-the-middle (AiTM) phishing page, designed to capture Microsoft credentials and active sessions, effectively bypassing multi-factor authentication (MFA) protections.

This evolving strategy illustrates how phishing has expanded beyond corporate email, as attackers exploit social and cloud ecosystems to raise success rates while evading traditional enterprise defenses.

Browser-Based Defense: Push Security’s Edge

Push Security successfully detected and blocked the attack in real time, leveraging its browser-native protection technology. Unlike traditional email scanners or reputation-based URL defenses, Push’s platform identifies and mitigates malicious behavior directly within the browser session, where the threat actually unfolds.

“These campaigns highlight how attackers are bypassing every legacy control — from email gateways to domain filters — by leveraging the same trusted tools that enterprises rely on,” said Louw. “Push delivers protection at the point of attack, ensuring users are safe no matter where malicious content originates.”

Protecting the Modern Workforce

Push Security’s platform provides real-time visibility and defense against a wide range of browser-based attacks, including AiTM phishing, credential theft, session hijacking, and password reuse. Beyond active protection, the solution also strengthens an organization’s identity security posture by identifying unmanaged logins, weak MFA coverage, and risky OAuth integrations that expose businesses to compromise.

As phishing campaigns increasingly span email, social media, and cloud environments, Push Security warns that organizations must evolve their defenses beyond traditional boundaries.

“Attackers are meeting employees everywhere they work and communicate,” concluded Bateman. “By protecting users directly in the browser, we’re closing one of the last major gaps in enterprise cybersecurity.”
