LinkedIn Phishing Targets Finance Executives with Fake Board Invites


A new LinkedIn phishing campaign is targeting finance executives with fake board invitations to steal Microsoft credentials. The attackers are using LinkedIn’s messaging system instead of traditional email, making this a sophisticated case of social engineering that exploits trust within professional networks.

Key Takeaways

  • LinkedIn phishing is becoming a preferred method for targeting professionals.
  • Fake board invites are being used to trick finance executives into entering Microsoft credentials.
  • Attackers use Google redirects, Firebase pages, and Cloudflare CAPTCHA to appear trustworthy.
  • Adversary-in-the-Middle (AITM) phishing lets the attackers steal both passwords and session cookies, bypassing MFA.
  • Companies should treat social-network messages with the same caution as suspicious emails.

How the LinkedIn Phishing Attack Works

The campaign begins when a finance executive receives a direct message on LinkedIn inviting them to join the “Executive Board of Common Wealth Investment Fund in partnership with AMCO Asset Management.” The message looks legitimate, uses corporate tone, and often includes professional branding or board-style wording.

Once the recipient clicks the link, they are redirected several times. The first redirection uses a Google open redirect link, which adds a layer of credibility because it begins with a familiar domain. From there, the victim is sent to a fake “LinkedIn Cloud Share” page hosted on Firebase. The page looks like a standard LinkedIn document-sharing page but is designed to trick users into clicking the “View with Microsoft” button.

When the target clicks this button, they’re taken to another domain that uses a Cloudflare Turnstile CAPTCHA. This step is meant to block security scanners and create a sense of legitimacy. After completing the CAPTCHA, the victim lands on a fake Microsoft login page where they’re prompted to enter their credentials.

Credential Theft and Session Hijacking

The phishing page doesn’t just capture the username and password. It also steals session cookies from the victim’s browser. This advanced technique, known as Adversary-in-the-Middle (AITM) phishing, allows attackers to bypass multi-factor authentication (MFA). Once attackers have session tokens, they can log in to Microsoft 365 or Azure accounts without triggering MFA alerts.

By capturing these credentials and tokens, attackers gain deep access into business systems, financial records, and even internal communications. This level of access can lead to wire fraud, data theft, or further social-engineering attacks inside the organization.

Why Finance Executives Are the Target

Finance executives are often targeted because they have access to sensitive financial systems, vendor data, and investment documents. A fake board invitation sounds credible and professional, especially for senior executives who often receive genuine collaboration or leadership invitations.

This specific phishing attack works because it aligns with the typical communication style and expectations of high-ranking professionals. Instead of promising lottery winnings or job offers, the attackers mimic genuine board membership invitations, increasing the likelihood of interaction.

Technical Breakdown of the Attack Chain

  1. Initial Contact: A LinkedIn message offering an invitation to join a prestigious investment fund or executive board.
  2. Redirect Chain: The link in the message routes through a Google redirect before reaching the malicious site, masking its true intent.
  3. Landing Page: A fake LinkedIn Cloud Share page hosted on Firebase, designed to appear legitimate.
  4. CAPTCHA Step: A Cloudflare Turnstile CAPTCHA appears to add legitimacy and prevent automated scans.
  5. Fake Login Page: Victims are sent to a Microsoft login clone that captures both credentials and session cookies.

Domains involved in these campaigns often use unusual top-level domains like .icu, .top, or .xyz, making them look slightly off if inspected closely.

The Rise of Non-Email Phishing

This incident marks a growing trend of non-email phishing, where attackers use platforms such as LinkedIn, Slack, or Teams to deliver lures. Studies show that a significant percentage of phishing attempts now originate from social or collaboration platforms rather than traditional email.

By using professional networking sites, attackers exploit the trust users place in verified company pages and connections. Many employees, including executives, tend to be less suspicious of messages coming from LinkedIn compared to random emails.

Why This Attack Matters

  • Bypassing MFA: Stealing session cookies allows hackers to skip multi-factor authentication entirely.
  • Using Legitimate Services: Hosting phishing pages on Firebase and redirecting through Google makes detection harder for security tools.
  • High-Value Targets: Finance leaders hold the keys to corporate accounts, vendor payments, and internal authorizations.
  • Growing Trend: LinkedIn phishing is part of a broader shift where attackers use trusted communication platforms for credential theft.

This combination of professional lures, cloud-based hosting, and MFA bypassing techniques makes the campaign particularly dangerous.

How to Identify LinkedIn Phishing Messages

Here are some red flags to help professionals spot this type of attack:

  • Unexpected LinkedIn invitations for executive or board positions.
  • Links with strange or unfamiliar domain endings.
  • Pages asking to “View with Microsoft” or “Sign in to view document.”
  • CAPTCHAs appearing before a login page, which is uncommon in legitimate workflows.
  • Slight differences in LinkedIn or Microsoft branding.

Even small inconsistencies, like a different font or outdated logo, can indicate a fake page.

How Organizations Can Protect Themselves

  1. Awareness Training: Educate employees and executives about LinkedIn phishing and fake board invitations.
  2. Verification: Confirm any unexpected LinkedIn message through independent channels before clicking links.
  3. Browser Inspection: Hover over links to check their true destination before opening them.
  4. Security Controls: Use advanced email and web filters to detect redirects and block malicious domains.
  5. Session Management: Regularly expire session tokens and enforce reauthentication policies.
  6. Incident Monitoring: Track unusual logins in Microsoft 365, especially after LinkedIn communications.
  7. Phishing Simulations: Include social-network lures in training exercises, not just email ones.
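
One way to act on the Session Management and Incident Monitoring items, as an added example that is not from the original article: a heuristic that flags a session identifier reused from a different IP address and user agent than the client that established it. The event field names and sample records are hypothetical and constructed, not a Microsoft 365 log schema.

```python
from datetime import datetime, timedelta


def find_session_replays(events, window=timedelta(hours=24)):
    """Flag sessions reused from a different IP *and* user agent than at sign-in.

    Each event is a dict with time, user, session_id, ip and user_agent. These
    field names are hypothetical, not a Microsoft 365 log schema.
    """
    origin = {}      # session_id -> event that established the session
    seen = set()     # (session_id, ip) pairs already alerted on
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        first = origin.setdefault(ev["session_id"], ev)
        moved = ev["ip"] != first["ip"] and ev["user_agent"] != first["user_agent"]
        key = (ev["session_id"], ev["ip"])
        if moved and ev["time"] - first["time"] <= window and key not in seen:
            seen.add(key)
            alerts.append({"user": ev["user"], "session_id": ev["session_id"],
                           "origin_ip": first["ip"], "replay_ip": ev["ip"],
                           "delay": ev["time"] - first["time"]})
    return alerts


# Constructed events; IPs come from documentation ranges (RFC 5737).
T0 = datetime(2025, 1, 6, 9, 0)
WIN, MAC = "Mozilla/5.0 (Windows NT 10.0) Edge", "Mozilla/5.0 (Macintosh) Safari"
EVENTS = [
    {"time": T0, "user": "cfo@example.com", "session_id": "s-01",
     "ip": "198.51.100.10", "user_agent": WIN},
    {"time": T0 + timedelta(minutes=7), "user": "cfo@example.com",
     "session_id": "s-01", "ip": "203.0.113.77", "user_agent": MAC},
    {"time": T0 + timedelta(minutes=9), "user": "cfo@example.com",
     "session_id": "s-01", "ip": "203.0.113.77", "user_agent": MAC},
    # Same browser on a new network (for example office to VPN): not flagged.
    {"time": T0 + timedelta(hours=1), "user": "ap@example.com",
     "session_id": "s-02", "ip": "198.51.100.20", "user_agent": WIN},
    {"time": T0 + timedelta(hours=2), "user": "ap@example.com",
     "session_id": "s-02", "ip": "192.0.2.44", "user_agent": WIN},
]

if __name__ == "__main__":
    for alert in find_session_replays(EVENTS):
        print(alert)
```

Requiring both the IP and the user agent to change keeps ordinary network roaming from raising alerts; a hit is a prompt to revoke the session and review the account, not proof of compromise.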

Indicators of Compromise

While domain lists evolve, these examples show what to look for:

  • boardproposalmeet[.]com
  • payrails-canaccord[.]icu
  • sqexclusiveboarddirect[.]icu
  • login.kggpho[.]icu

Organizations should block these domains and monitor network logs for similar patterns.
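
The attack chain and the indicators above can be combined into an offline link triage, shown here as an added example that is not part of the original article. It assumes the Google redirect carries its destination in a `q` or `url` query parameter and that Firebase-hosted pages sit under `web.app` or `firebaseapp.com`; the sample links are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# IoC domains as printed (defanged) in this article; refanged for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "boardproposalmeet[.]com", "payrails-canaccord[.]icu",
    "sqexclusiveboarddirect[.]icu", "login.kggpho[.]icu")}
SUSPECT_TLDS = {"icu", "top", "xyz"}                   # TLDs the article names
FIREBASE_SUFFIXES = (".web.app", ".firebaseapp.com")   # Firebase Hosting domains
REDIRECT_PARAMS = ("q", "url")   # assumption: destination travels in one of these

def unwrap(url, max_hops=5):
    """Peel Google redirect wrappers offline; return every URL in the chain."""
    chain = [url.replace("[.]", ".").replace("hxxp", "http", 1)]  # accept defanged
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        host = (parts.hostname or "").lower()
        if host != "google.com" and not host.endswith(".google.com"):
            break
        query = parse_qs(parts.query)
        target = next((query[p][0] for p in REDIRECT_PARAMS if p in query), "")
        if not target.lower().startswith(("http://", "https://")):
            break
        chain.append(target)
    return chain

def triage(url):
    """Return the sorted signals raised by a link and its wrapped destinations."""
    chain = unwrap(url)
    signals = {"google-redirect"} if len(chain) > 1 else set()
    for hop in chain:
        host = (urlsplit(hop).hostname or "").lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            signals.add("ioc-domain")
        if host.endswith(FIREBASE_SUFFIXES):
            signals.add("firebase-hosted")
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            signals.add("suspect-tld")
    return sorted(signals)

# Constructed sample links for illustration, not URLs from the campaign.
SAMPLES = [
    "https://www.google.com/url?q=https%3A%2F%2Fexample-share.web.app%2Fdoc",
    "hxxps://login.kggpho[.]icu/common/login",
    "https://www.linkedin.com/feed/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage(link), link)
```

Firebase hosting and these TLDs also serve legitimate sites, so everything except `ioc-domain` is a reason to inspect a link rather than grounds for an automatic block.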

Broader Impact on Cybersecurity

The LinkedIn phishing campaign underscores how attackers continuously adapt their methods. They now use professional environments, legitimate platforms, and contextually believable pretexts to reach valuable targets. It’s no longer enough to secure only the inbox; security strategies must extend to all digital communication channels.

To Sum Up

The fake board invitation scam on LinkedIn shows how far phishing has evolved. Attackers no longer rely solely on emails—they exploit professional trust. Finance executives and organizations must stay alert, verify unexpected opportunities, and avoid clicking on unfamiliar links. With non-email phishing on the rise, vigilance and continuous awareness are now the best defense.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
