Push Security Identifies Surge in Sophisticated LinkedIn-based Phishing Campaigns

Push Security Editorial Staff

October 30, 2025

Attackers are increasingly chaining legitimate Google and Microsoft services to mask phishing lures, bypassing traditional detection methods

BOSTON — Oct. 30, 2025 — Push Security, a leader in browser-based detection and response, today announced the discovery of a LinkedIn-based phishing campaign that reflects a broader and accelerating trend: attackers are moving beyond email to target business users through social platforms like LinkedIn, while leveraging legitimate cloud services to disguise their attacks.

In this latest campaign, intercepted by Push’s browser-native security platform, the attackers used a complex series of redirects through trusted Google and Microsoft services — including Google Search, Firebase, and Microsoft Dynamics — before landing victims on a credential-stealing page impersonating Microsoft.

“Phishing attacks are no longer confined to the inbox,” said Adam Bateman, CEO of Push Security. “Attackers are meeting employees everywhere they work and communicate — including apps like LinkedIn — and they’re hiding in plain sight behind trusted domains that traditional defenses are programmed to ignore.”

A Growing Trend: LinkedIn as a Phishing Channel

Push’s researchers have observed a sharp increase in phishing lures sent through LinkedIn direct messages, exploiting the fact that the platform is widely used for legitimate professional outreach but falls outside the visibility of traditional enterprise email security tools. This is the second LinkedIn-targeted campaign identified by Push in recent months, suggesting that attackers are increasingly viewing the platform as a reliable route to reach high-value targets such as executives, sales leaders, and hiring managers.

“Because LinkedIn sits outside enterprise phishing filters and other traditional cybersecurity solutions, attackers are able to initiate contact, send malicious links, and socially engineer victims with fewer barriers,” said Jacques Louw, chief product officer at Push Security. “The result is a blind spot in enterprise visibility and control, leaving employees exposed even on devices managed by corporate IT.”

Legitimate Services Used to Evade Detection

In this campaign, the attackers used a multi-layered redirect chain involving legitimate cloud services — such as Google Sites, Google Search, Firebase, and Microsoft Dynamics — to mask the destination of malicious links. By embedding redirects through reputable domains, attackers can dramatically reduce the likelihood of their links being flagged or blocked by automated tools.

Attackers also deployed Cloudflare Turnstile bot protection to prevent automated analysis of their phishing sites, and used page obfuscation techniques — randomizing visual elements, titles, and code structures — to defeat detection signatures.

“These tactics are becoming increasingly common in the phishing ecosystem and reflect just how well attackers understand how modern defenses operate,” said Louw. “We’re seeing adversaries take advantage of the trust placed in legitimate services like Google and Microsoft to build redirect chains that hide their activity. This level of sophistication means phishing is becoming increasingly difficult to detect and stop for most organizations.”

From LinkedIn Chat to Credential Theft

The attack sequence began with a LinkedIn direct message containing a seemingly benign link. After a series of redirects through legitimate platforms, the victim was presented with a Microsoft-branded “view document” page protected by a Cloudflare Turnstile challenge. Once completed, the victim was served an adversary-in-the-middle (AiTM) phishing page designed to steal the user’s Microsoft session, bypassing controls like MFA.

The rise of social media–delivered phishing campaigns underscores a broader shift in attacker strategy. As defenses around corporate email improve, adversaries are turning to less-guarded communication channels — and coupling them with legitimate cloud services — to maximize reach and minimize detection.

Push researchers expect this trend to continue, with future phishing operations blending across channels and platforms that sit outside traditional enterprise security visibility.

Push Security’s Advantage: Real-Time, Browser-Based Detection

Push Security detected and blocked the attack in real time by identifying the malicious activity in the user’s browser session—where the attack actually unfolds—rather than relying on URL reputation, email scanning, or threat intelligence feeds.

“These campaigns show how attackers are bypassing every traditional control point — email gateways, link scanners, domain filters — by abusing the same trusted tools that enterprises rely on,” said Louw. “Push protects users in real-time in the browser, no matter how or where malicious content reaches the user.”

Push’s browser-native platform identifies and blocks a wide range of browser-based attacks, including AiTM phishing, credential stuffing, session hijacking, and password reuse. Beyond detection, Push also helps organizations harden their identity attack surface by uncovering security gaps such as unmanaged logins, weak MFA coverage, and risky OAuth integrations.

For more details on this campaign, check out our research blog post here.

About Push Security

Push Security brings real-time detection and response to the layer where users work — and where attackers operate, the browser. By deploying a powerful agent inside the browser, Push gives defenders full visibility into user activity, attacker behavior, and session-level risk. It detects threats like phishing kits and session hijacking, enforces protective controls like MFA and SSO, and provides the telemetry security teams need to investigate fast. Think of Push as being like EDR, but in the browser. Push was founded by former red team members skilled in offensive security and security operations and is backed by Decibel, GV (Google Ventures), Redpoint Ventures, Datadog Ventures, B3 Capital and other notable angel investors. For more information, visit https://pushsecurity.com or follow @pushsecurity.

