Finance Execs Targeted in Sophisticated LinkedIn Phishing Scheme with Fake Board Invites

Phishing Campaign on LinkedIn Lures Finance Executives with Fake Board Invitations to Steal Microsoft Credentials

MEDIUM
October 31, 2025
Phishing, Threat Actor, Cloud Security

Related Entities

Organizations

Microsoft, Google, Cloudflare, Push Security

Products & Tech

LinkedIn, Firebase

Full Report

Executive Summary

A highly targeted and sophisticated phishing campaign is abusing the LinkedIn platform to attack finance executives. Attackers are sending direct messages with enticing but fake invitations to join an executive board, with the ultimate goal of stealing Microsoft account credentials and session cookies, which can be used to bypass multi-factor authentication (MFA). The campaign, analyzed by Push Security, employs a multi-stage attack chain that leverages trusted services like Google and Firebase to evade detection and build credibility. This attack highlights a significant shift towards non-email-based phishing vectors, which now constitute a growing portion of social engineering threats.


Threat Overview

The attack preys on the ambition and professional networking context of LinkedIn. High-value targets, such as CFOs and VPs of Finance, receive a direct message about a lucrative opportunity to join the executive board of a fictitious investment fund. The message contains a link that initiates a carefully crafted attack chain designed to bypass both security tools and user suspicion.

  1. Initial Lure: The attacker sends a personalized message via LinkedIn, inviting the target to learn more about a board position.
  2. Redirection Abuse: The link in the message uses a Google open redirect. This means the URL starts with google.com, making it appear safe to click, before redirecting the user to an attacker-controlled domain.
  3. Fraudulent Portal: The user lands on a fraudulent "LinkedIn Cloud Share" portal hosted on Google's Firebase service (firebasestorage.googleapis.com). Hosting on a trusted Google domain adds another layer of false legitimacy.
  4. Bot Evasion: When the user tries to view the fake documents, they are presented with a Cloudflare Turnstile CAPTCHA. This step is designed to block automated security scanners and sandboxes from reaching the final phishing page.
  5. Credential Theft: After solving the CAPTCHA, the user is presented with a pixel-perfect replica of a Microsoft login page. Any credentials entered are captured by the attackers. The page is also designed to capture the session cookie after a successful login, allowing the attacker to hijack the authenticated session and bypass MFA.

Technical Analysis

This campaign demonstrates a mastery of modern phishing techniques.

  • Social Engineering: The attack is a classic example of T1598.003 - Spearphishing via Service, using a trusted social media platform for highly targeted outreach.
  • Abuse of Trusted Services: By using Google open redirects and Firebase hosting, the attackers make their infrastructure difficult to block without impacting legitimate services. This is a form of Masquerading (T1036).
  • Evasion: The use of a Cloudflare CAPTCHA is a specific evasion technique (T1480.001 - Environmental Keying) to ensure only human users see the final phishing payload.
  • Session Hijacking: The goal extends beyond simple password theft to session hijacking (T1185 - Browser Session Hijacking), which is far more effective against MFA-protected accounts.

Impact Assessment

If successful, this attack provides threat actors with powerful access:

  • Account Takeover: Full access to the executive's Microsoft 365 account, including email, OneDrive, SharePoint, and Teams.
  • Business Email Compromise (BEC): The compromised account can be used to launch highly convincing BEC attacks, such as fraudulent wire transfer requests.
  • Data Exfiltration: Attackers can steal sensitive corporate data, financial reports, and strategic plans from the executive's account.
  • Internal Phishing: The trusted internal account can be used to phish other employees, expanding the attacker's foothold within the organization.

IOCs

Type     Value                            Description
Domain   login.kggpho[.]icu               Malicious phishing domain.
Domain   payrails-canaccord[.]icu         Malicious phishing domain.
Domain   boardproposalmeet[.]com          Malicious phishing domain.
Domain   sqexclusiveboarddirect[.]icu     Malicious phishing domain.
Domain   firebasestorage.googleapis.com   Legitimate service abused to host malicious content.

Detection & Response

  • URL Analysis: Security tools should be configured to flag and analyze URLs that use open redirects, even from trusted domains like Google. This is part of D3-UA: URL Analysis.
  • User Training: Educate executives and other high-risk employees about the threat of social media-based phishing. Emphasize verifying unexpected opportunities through separate, official channels. This is covered by M1017 - User Training.
  • MFA with Phishing Resistance: While session hijacking can bypass some MFA, using phishing-resistant authenticators like FIDO2/WebAuthn can defeat these attacks, as they bind the session to the physical hardware token.
  • Monitor for Anomalous Logins: Use SIEM and identity management tools to monitor for logins from unusual locations or IP addresses, even if credentials are valid. This is a form of D3-UGLPA: User Geolocation Logon Pattern Analysis.
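One way to put the URL Analysis item above into practice against the redirect chain described in the Threat Overview (Google open redirect, then a Firebase-hosted portal or a phishing domain). This is an added example, not code from the report or from Push Security: it statically unwraps redirect parameters without fetching anything, then triages the final host against the report's IOC domains and a list of trusted-but-user-uploadable hosts. It assumes the redirect target is carried in the q or url query parameter, a common shape for Google redirect links; the host lists are illustrative and should be tuned.

```python
# Added example (not code from the report or Push Security). Static, offline
# unwrapping of open-redirect links plus a triage verdict. Assumes the redirect
# target is in the `q` or `url` query parameter (a common shape for Google
# redirect links); host lists below are illustrative and should be tuned.
from urllib.parse import urlparse, parse_qs, unquote

REDIRECTOR_HOSTS = {"google.com", "www.google.com"}
REDIRECT_PARAMS = ("q", "url")
# Trusted domains where anyone can publish content; the report's fake
# "LinkedIn Cloud Share" portal was hosted here.
USER_UPLOADABLE_HOSTS = {"firebasestorage.googleapis.com"}
# Phishing domains from the report's IOC table (defanged as published).
KNOWN_BAD_DEFANGED = {"login.kggpho[.]icu", "payrails-canaccord[.]icu",
                      "boardproposalmeet[.]com", "sqexclusiveboarddirect[.]icu"}
KNOWN_BAD_HOSTS = {d.replace("[.]", ".") for d in KNOWN_BAD_DEFANGED}


def unwrap_redirects(url, max_hops=5):
    """Return the redirect chain [url, hop1, ...] without touching the network."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlparse(chain[-1])
        if parts.hostname not in REDIRECTOR_HOSTS:
            break  # not a known redirector, the chain ends here
        params = parse_qs(parts.query)
        target = next((params[k][0] for k in REDIRECT_PARAMS if k in params), None)
        if not target:
            break
        target = unquote(target)  # parse_qs decodes once; handle double-encoding
        if not urlparse(target).scheme:
            break  # no scheme (e.g. a plain search query): nothing to follow
        chain.append(target)
    return chain


def triage(url):
    """Classify a link as allow / review / block with the reasons found."""
    chain = unwrap_redirects(url)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    reasons = []
    if len(chain) > 1:
        reasons.append("open redirect via " + urlparse(chain[0]).hostname)
    if final_host in KNOWN_BAD_HOSTS:
        reasons.append("known phishing domain")
    if final_host in USER_UPLOADABLE_HOSTS:
        reasons.append("trusted but user-uploadable host")
    verdict = "block" if "known phishing domain" in reasons else "review" if reasons else "allow"
    return verdict, final_host, reasons
```

A "review" verdict is the useful middle ground here: a google.com link that lands on firebasestorage.googleapis.com is not blockable outright without breaking legitimate Firebase apps, but it is exactly the shape this campaign used and deserves a detonation or analyst look.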

Mitigation

  • Implement Phishing-Resistant MFA: Prioritize the rollout of FIDO2 security keys for all high-risk users, especially executives. This is the most effective technical control against this type of attack and is a strong implementation of M1032 - Multi-factor Authentication.
  • Restrict Web Content: Use web filtering and DNS security to block known malicious domains and newly registered domains. This aligns with M1021 - Restrict Web-Based Content.
  • Security Awareness: Conduct regular, targeted training sessions for executives that simulate modern, multi-stage phishing attacks that originate outside of email.
  • Assume Zero Trust: Treat any link, regardless of its source (email, social media, chat), as potentially untrustworthy. Encourage a culture of verification before clicking.

Timeline of Events

October 31, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Conduct targeted security awareness training for executives on identifying and reporting sophisticated social engineering attacks on platforms like LinkedIn.
  • Implement phishing-resistant MFA, such as FIDO2/WebAuthn, to mitigate credential theft and session hijacking.
  • Utilize web filtering to block access to known malicious domains and newly registered domains often used in phishing campaigns.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

phishing, LinkedIn, social engineering, credential theft, MFA bypass, finance
