LinkedIn phishers target executives with fake board invitations
Hackers exploit professional networks to steal Microsoft credentials through sophisticated, multi-layered attacks
A sophisticated phishing campaign is exploiting LinkedIn's professional networking platform to target finance executives with fake invitations to join a fabricated investment fund's executive board.
Cybersecurity firm Push Security uncovered the campaign after blocking one of the attacks in recent weeks.
According to researchers, the campaign uses LinkedIn's direct messaging feature to lure high-level professionals into clicking malicious links disguised as legitimate business opportunities.
The attack begins with a LinkedIn message that appears to come from an investment fund named Common Wealth, claiming to be in partnership with AMCO Asset Management.
The message, seen by BleepingComputer, reads: "I'm excited to extend an exclusive invitation for you to join the Executive Board of Common Wealth investment fund in South America in partnership with AMCO - Our Asset Management branch, a bold new venture capital fund launching an Investment Fund in South America."
The message encourages recipients to click a link to "learn more" about the opportunity.
But the link is anything but legitimate.
According to Push Security, victims are first redirected through a Google open redirect, a common technique that leverages trusted domains to bypass traditional security filters, before being sent to an attacker-controlled website.
From there, the victim is taken to a fake "LinkedIn Cloud Share" portal hosted on firebasestorage.googleapis[.]com, a legitimate Google service often abused by cybercriminals for phishing and malware delivery.
The fraudulent landing page mimics a secure LinkedIn document-sharing portal, complete with fake investment documents and responsibilities associated with the supposed board position.
However, clicking any document triggers an alert prompting users to "View with Microsoft."
Doing so redirects them again – this time to login.kggpho[.]icu – where a Cloudflare Turnstile CAPTCHA appears.
Push Security researchers say the CAPTCHA serves a crucial purpose: it prevents automated security scanners from detecting the malicious site. Only after solving the CAPTCHA does the final stage load, a convincing imitation of a Microsoft login page.
Behind the scenes, attackers deploy an Adversary-in-the-Middle (AITM) phishing framework designed to steal both Microsoft credentials and active session cookies, allowing them to bypass multi-factor authentication (MFA).
Attackers hide in plain sight
"Phishing attacks are no longer confined to the inbox," warned Adam Bateman, CEO of Push Security.
"Attackers are meeting employees everywhere they work and communicate - including apps like LinkedIn - and they're hiding in plain sight behind trusted domains that traditional defences are programmed to ignore."
The malicious domains uncovered in this campaign include payrails-canaccord[.]icu, boardproposalmeet[.]com, and sqexclusiveboarddirect[.]icu, according to Push Security and BleepingComputer.
Push Security reports that phishing via professional and social platforms is sharply increasing.
"Over the past month, about 34% of the phishing attempts we've tracked have come through places like LinkedIn and other non-email channels - up from under 10% three months ago," said Jacques Louw, the company's chief product officer.
"Attackers are getting smarter about where people actually communicate and how to effectively target them - and defenders need to keep up."
This latest operation marks the second major LinkedIn phishing campaign uncovered by Push Security in just six weeks. A previous campaign in September targeted technology executives using a similar method.
Experts warn professionals, especially executives, to be cautious about unexpected messages on LinkedIn, particularly those offering lucrative business opportunities or board invitations.
Users are advised to:
- Verify the sender's identity before responding to unsolicited offers.
- Avoid clicking links in direct messages unless their authenticity can be confirmed.
- Scrutinise web domains, especially those with uncommon top-level domains (TLDs) like .icu, .xyz and .top, which are often associated with scams.
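The redirect chain described above (a Google open redirect, a lure page on abused Google cloud storage, then a CAPTCHA-gated login page on an .icu domain) and the advice to scrutinise uncommon TLDs can both be turned into a simple check over web-proxy logs. The following Python is an added example written for this article, not tooling from Push Security or BleepingComputer; the log format, the field names and the storage bucket path are assumptions, the sample log lines are constructed, and the domains and TLDs are the ones named in the article.

```python
"""Flag the multi-hop LinkedIn phishing chain in web-proxy logs.

Log format assumed: "<timestamp> <user> <url>" per line.
Sample lines below are constructed for illustration, not real traffic.
"""
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlparse

# Domains the article names as part of the campaign.
CAMPAIGN_DOMAINS = {
    "login.kggpho.icu",
    "payrails-canaccord.icu",
    "boardproposalmeet.com",
    "sqexclusiveboarddirect.icu",
}
# TLDs the article singles out as commonly associated with scams.
SUSPICIOUS_TLDS = {"icu", "xyz", "top"}
# Legitimate Google hosting abused for the fake "LinkedIn Cloud Share" page.
ABUSED_HOSTING = {"firebasestorage.googleapis.com"}
GOOGLE_REDIRECT_HOSTS = {"www.google.com", "google.com"}

# The stages of the chain, in the order the article describes them.
STAGES = ("google-open-redirect", "abused-cloud-hosting", "known-campaign-domain")

# Constructed sample log (bucket name is a placeholder, not from the article).
SAMPLE_LOG = """\
2025-10-01T09:12:01Z alice https://www.google.com/url?q=https://boardproposalmeet.com/invite
2025-10-01T09:12:03Z alice https://firebasestorage.googleapis.com/v0/b/PLACEHOLDER-bucket/o/share.html
2025-10-01T09:12:20Z alice https://login.kggpho.icu/common/oauth2
2025-10-01T09:13:00Z bob https://www.linkedin.com/feed/
""".splitlines()


def unwrap_google_redirect(url: str) -> Optional[str]:
    """Return the destination of a Google open redirect (google.com/url?q=...), else None."""
    p = urlparse(url)
    if p.hostname in GOOGLE_REDIRECT_HOSTS and p.path == "/url":
        target = parse_qs(p.query).get("q") or parse_qs(p.query).get("url")
        if target:
            return target[0]
    return None


def classify_url(url: str) -> List[str]:
    """Return the reasons a URL looks like part of this campaign (empty list = clean)."""
    reasons: List[str] = []
    target = unwrap_google_redirect(url)
    if target is not None:
        reasons.append("google-open-redirect")
        # The user lands on the redirect target, so classify that too.
        reasons += [f"redirect-target:{r}" for r in classify_url(target)]
    host = (urlparse(url).hostname or "").lower()
    if host in CAMPAIGN_DOMAINS:
        reasons.append("known-campaign-domain")
    if host in ABUSED_HOSTING:
        reasons.append("abused-cloud-hosting")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"suspicious-tld:.{tld}")
    return reasons


def scan_proxy_log(lines) -> Dict[str, List[str]]:
    """Return {url: reasons} for every flagged URL in the log."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash the scan
        url = parts[2].strip()
        reasons = classify_url(url)
        if reasons:
            hits[url] = reasons
    return hits


def users_completing_chain(lines) -> Set[str]:
    """Return users whose requests hit all STAGES in order (likely reached the login page)."""
    progress: Dict[str, int] = {}
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        _, user, url = parts
        # Strip the "redirect-target:" prefix so a redirect's destination counts as a stage.
        stages = {r.split("redirect-target:")[-1] for r in classify_url(url.strip())}
        p = progress.get(user, 0)
        while p < len(STAGES) and STAGES[p] in stages:
            p += 1
        progress[user] = p
    return {u for u, p in progress.items() if p == len(STAGES)}


if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_LOG).items():
        print(url, "->", ", ".join(reasons))
    print("users who completed the chain:", users_completing_chain(SAMPLE_LOG))
```

The per-URL reasons are what an analyst would triage; the per-user chain check is the higher-signal alert, since a single Google redirect or a single .icu request on its own is noisy, while the full sequence in one session matches the campaign's layered delivery.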