Outlook Business Desk
Cybersecurity firm Push Security has discovered a new phishing campaign on LinkedIn. Hackers are targeting finance leaders through direct messages, aiming to steal Microsoft login credentials using fake investment fund invitations that appear professional and convincing at first glance.
Instead of mass emails, attackers now message select executives on LinkedIn. By leveraging the site’s professional context and authoritative tone, they build credibility first, making targets more likely to click links that lead to sophisticated credential-harvesting pages.
Victims get messages inviting them to join the executive board of a fake “Commonwealth Investment Fund” tied to “AMCO Asset Management.” The invitation appears prestigious, tempting finance leaders to click the attached link and unknowingly fall into the phishing trap.
The invitation contains a document link that, when opened, funnels victims through Google Search, then an attacker-controlled site before landing on a counterfeit page hosted on Firebase. The page mimics Microsoft’s document viewer to trick users into signing in.
The final landing page is a near-perfect replica of Microsoft’s login screen. Targets are asked to sign in to access the document; when they do, an adversary-in-the-middle captures the credentials, allowing attackers to take over accounts and linked services.
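As an added illustration (not code from Push Security's report), the following Python check runs over a constructed web-proxy log and flags a user's browsing chain when it shows the hop pattern described above: a Google Search hop, a non-Microsoft intermediate site, and a Firebase-hosted landing page dressed up as a Microsoft document or sign-in page. The log format, the placeholder hostnames and the "three findings" threshold are assumptions.

```python
"""Flag per-user page-load chains that match the LinkedIn lure's delivery path:
Google hop -> non-Microsoft intermediate -> Firebase-hosted Microsoft lookalike."""
from urllib.parse import urlparse

MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
FIREBASE_SUFFIXES = (".web.app", ".firebaseapp.com")   # Firebase Hosting defaults
LURE_TERMS = ("microsoft", "office", "sharepoint", "onedrive", "signin", "login")

# Constructed sample log: "<timestamp> <user> <url>" per line. Hostnames are
# placeholders for the example, not real indicators from the campaign.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z cfo https://www.linkedin.com/messaging/
2024-01-01T09:00:07Z cfo https://www.google.com/search?q=fund+board+document
2024-01-01T09:00:09Z cfo https://redirector.example/doc
2024-01-01T09:00:11Z cfo https://docs-viewer-ms.web.app/office/signin
2024-01-01T09:05:00Z analyst https://www.google.com/search?q=quarterly+report
2024-01-01T09:05:03Z analyst https://login.microsoftonline.com/
"""

def parse_log(text):
    """Group visited URLs by user, preserving order of appearance."""
    chains = {}
    for line in text.splitlines():
        _ts, user, url = line.split(maxsplit=2)
        chains.setdefault(user, []).append(url)
    return chains

def is_microsoft(host):
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def chain_findings(urls):
    """Return the evidence strings for the described hop pattern, in chain order."""
    hosts = [urlparse(u).hostname or "" for u in urls]
    google_idx = next((i for i, h in enumerate(hosts) if h.endswith("google.com")), None)
    if google_idx is None:
        return []
    findings = ["google hop"]
    if any(not is_microsoft(h) and not h.endswith("google.com") for h in hosts[google_idx + 1:]):
        findings.append("non-Microsoft intermediate after Google")
    landing = hosts[-1]
    if landing.endswith(FIREBASE_SUFFIXES):
        findings.append("Firebase-hosted landing page")
    if not is_microsoft(landing) and any(t in urls[-1].lower() for t in LURE_TERMS):
        findings.append("Microsoft-themed lure on non-Microsoft host")
    return findings

def suspicious_users(text, threshold=3):
    """Map user -> findings for every chain that reaches the (assumed) threshold."""
    result = {}
    for user, urls in parse_log(text).items():
        findings = chain_findings(urls)
        if len(findings) >= threshold:
            result[user] = findings
    return result
```

A legitimate Google-to-Microsoft sign-in yields only the "google hop" finding, so it stays below the threshold; the lure chain collects all four.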
Push Security observed attackers deploying CAPTCHAs and Cloudflare Turnstile to keep automated security crawlers out. By filtering bot traffic, these measures delay detection and allow phishing pages to remain live longer before analysts can flag and take them down.
Push Security noted a rise in phishing through social platforms. Attackers now use LinkedIn’s professional network to reach decision-makers directly, exploiting trust within business circles to steal credentials and access sensitive company data.
Push Security also cautioned that while LinkedIn feels personal, stolen Microsoft or Google credentials can unlock sensitive corporate data. Such breaches can spread through linked applications and systems accessed via single sign-on, putting entire organisations at serious risk.