A new AiTM (Adversary-in-the-Middle) phishing campaign on LinkedIn is bypassing MFA to steal corporate credentials. Learn how to protect your organization from this sophisticated social engineering attack.
The New Frontier of Phishing: It’s Not Just Email Anymore
For years, we’ve been trained to spot suspicious emails. But what happens when the threat comes from a “trusted” professional network? A new, highly sophisticated phishing campaign is currently sweeping through LinkedIn, specifically targeting high-level finance executives with the promise of prestige.
Anatomy of the “Executive Board” LinkedIn AiTM Scam
According to recent research by Push Security, the scam utilizes Social Engineering—the psychological manipulation of targets to gain trust.
The Professional Facade: Attackers use polished profiles with mutual connections to offer an “exclusive invitation” to join an international executive board.
The “Safe” Link: The message contains a link to a document. To bypass security scanners, the link redirects through legitimate services like Google Search and is hosted on Firebase (https://www.google.com/search?q=googleappplace.com).
The AiTM Attack: When the victim attempts to “sign in with Microsoft” to view the file, the attackers use an Adversary-in-the-Middle (AiTM) proxy. This captures credentials and Multi-Factor Authentication (MFA) tokens instantly.
Why it works: The attackers use tools like Cloudflare Turnstile to hide their malicious pages from automated security bots, making the site appear legitimate to both the user and the browser.
Why Is LinkedIn Being Used by Hackers?
LinkedIn is the perfect “Goldilocks” zone for hackers: it feels personal yet corporate. Because we use the platform for networking, a message about a career milestone doesn’t trigger the same “spam” instinct that a random email would. For a finance leader, one compromised account can grant an attacker access to invoices, sensitive payroll data, and single sign-on (SSO) apps like Salesforce or Slack.
3 Ways to Protect Your Executive Team
Be Skeptical of “Exclusive” Offers: If a board seat or partnership comes out of the blue from someone you’ve never met, treat it as a red flag.
Use Hardware Security Keys: While mobile-based MFA can be intercepted in an AiTM attack, hardware keys (like YubiKeys) are significantly harder to bypass.
Rely on Password Managers: Password managers are designed to recognize the specific URL of a site. If your manager refuses to autofill your password on a familiar-looking login page, you are likely on a phishing site.
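Why an origin-bound credential resists this kind of proxying, as an added example that is not from the article or from Push Security: the relying-party checks on a WebAuthn clientDataJSON (the browser, not the page, fills in its origin field), next to the origin comparison a password manager makes before autofilling. The identity-provider domain, the lookalike domain and the challenge value are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed placeholder for the genuine identity-provider origin; not a real domain.
EXPECTED_ORIGIN = "https://login.example-corp.com"

def canonical_origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port], the unit both a password manager
    and a FIDO relying party compare; path and query are ignored."""
    parts = urlsplit(url)
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname or ''}{port}".lower()

def password_manager_should_autofill(saved_login_url: str, current_page_url: str) -> bool:
    """Fill only when the current page's origin equals the origin the credential was saved for."""
    return canonical_origin(saved_login_url) == canonical_origin(current_page_url)

def make_client_data(origin: str, challenge: str) -> str:
    """Build a base64url clientDataJSON as a browser would; used here to construct test inputs."""
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def verify_webauthn_client_data(client_data_b64url: str, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks on the clientDataJSON the authenticator signed over.
    The browser, not the page, writes the origin field, so an assertion produced on a
    proxy's lookalike domain carries that domain and fails here even after a key touch.
    (Signature and rpIdHash verification, which a full implementation also needs, are omitted.)"""
    padded = client_data_b64url + "=" * (-len(client_data_b64url) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')}"
    return True, "ok"

if __name__ == "__main__":
    challenge = "constructed-per-login-challenge"  # a real relying party generates random bytes per login
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    proxied = make_client_data("https://docs-signin.example-lookalike.app", challenge)  # constructed
    print(verify_webauthn_client_data(genuine, challenge))  # (True, 'ok')
    print(verify_webauthn_client_data(proxied, challenge))  # (False, 'origin mismatch: https://docs-signin.example-lookalike.app')
    print(password_manager_should_autofill("https://login.example-corp.com/signin",
                                           "https://docs-signin.example-lookalike.app/signin"))  # False
```

A one-time code or push approval carries no such origin binding, which is why the proxy described above can relay it while an origin-bound credential or autofill refuses on the wrong domain.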
Conclusion: Corporate Zero Trust Behaviour
The New Battleground of Professional Trust
This evolution in phishing marks a shift in the digital landscape: LinkedIn is no longer just a networking hub; it is a high-stakes battleground for corporate security. When hackers start using the “good guys’ tools” like Google domains and Cloudflare security to hide their tracks, the traditional red flags of typos and “weird” senders disappear. We are entering an era where scams look less like spam and more like opportunity. In this new environment, the question isn’t just whether you can trust the person in your DMs, but whether you can trust the very platform you’re standing o
Is that LinkedIn invite an opportunity, or is it bait?