LinkedIn users targeted in sophisticated phishing campaign to steal Microsoft credentials
2025-11-04
Cybersecurity firm Push Security has uncovered a new LinkedIn-based phishing campaign that impersonates investment recruiters to steal Microsoft login details from finance executives using advanced evasion tactics.
LinkedIn users, particularly those in finance and executive roles, are being targeted in a highly sophisticated phishing campaign designed to steal Microsoft account credentials. The scheme, uncovered by Push Security, uses direct LinkedIn messages instead of traditional phishing emails, marking a dangerous shift in how cybercriminals approach high-value targets.
A fake “investment fund” lures executives
According to Push Security, attackers are reaching out to victims through seemingly authentic LinkedIn profiles posing as recruiters from a fictitious “Commonwealth Investment Fund.” The message, written in a professional tone, invites executives to join an exclusive “Executive Board” for a new venture capital initiative in South America.
The invitation appears prestigious, creating a sense of legitimacy and urgency. However, the message also includes a link to review a supposed “proposal document.” Once clicked, the link redirects users through multiple layers — first via Google Search results, then through a malicious website, and finally to a fraudulent landing page hosted on firebasestorage.googleapis[.]
Advanced techniques to evade detection
Victims are eventually led to a fake Microsoft login page—an adversary-in-the-middle (AiTM) setup designed to harvest credentials. Once a user enters their Microsoft details, the attacker gains immediate access to their corporate identity and potentially connected systems.
Push Security noted that the attackers are using bot protection tools like CAPTCHA and Cloudflare Turnstile to block automated detection systems, making it harder for cybersecurity filters to identify and flag the phishing sites.
The firm warned that social media platforms are becoming prime attack vectors, as threat actors increasingly move away from traditional email-based phishing.
“Just because the attack happens over LinkedIn doesn’t make it less dangerous,” Push Security cautioned. “Corporate credentials are at stake, and compromising one account can expose entire business ecosystems.”
Cyber experts advise organizations to train employees to recognize social media-based phishing attempts, verify recruiter profiles carefully, and use multi-factor authentication (MFA) to mitigate credential theft risks.
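The redirect chain reported above (a LinkedIn message link, then Google Search, then an intermediate site, then a page on the Firebase Storage host) can be hunted for in web proxy logs. The following is an added example, not code from Push Security or from this article; the log fields, the tuning values, the `.example` hosts and the assumption that the proxy records the referrer host are all constructed for illustration.

```python
from collections import defaultdict

LANDING_PREFIX = "firebasestorage.googleapis."  # landing host as printed in the report
MAX_HOPS, WINDOW_S = 6, 300                     # assumed tuning values

def is_linkedin(host):
    return host == "linkedin.com" or host.endswith(".linkedin.com")

def is_google_search(host):
    return host == "google.com" or host.startswith("www.google.")

def trace_back(history, idx):
    """Follow referrers backwards from history[idx]; return hosts oldest first."""
    end_ts, chain, ref = history[idx]["ts"], [history[idx]["host"]], history[idx]["referrer"]
    for _ in range(MAX_HOPS):
        if not ref:
            break
        chain.append(ref)
        # Most recent earlier request to the referring host, inside the time window.
        prev = next((i for i in range(idx - 1, -1, -1)
                     if history[i]["host"] == ref and end_ts - history[i]["ts"] <= WINDOW_S), None)
        if prev is None:
            break
        idx, ref = prev, history[prev]["referrer"]
    return chain[::-1]

def find_lure_chains(events):
    """Return (user, chain) for each landing-host hit that traces back to LinkedIn via Google."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, history in by_user.items():
        for i, e in enumerate(history):
            if e["host"].startswith(LANDING_PREFIX):
                chain = trace_back(history, i)
                if is_linkedin(chain[0]) and any(is_google_search(h) for h in chain[1:-1]):
                    hits.append((user, chain))
    return hits

# Constructed sample proxy records: user, epoch seconds, requested host, referrer host.
SAMPLE = [
    {"user": "cfo", "ts": 100, "host": "www.google.com", "referrer": "www.linkedin.com"},
    {"user": "cfo", "ts": 102, "host": "proposal-review.example", "referrer": "www.google.com"},
    {"user": "cfo", "ts": 105, "host": "firebasestorage.googleapis.com", "referrer": "proposal-review.example"},
    {"user": "dev", "ts": 110, "host": "firebasestorage.googleapis.com", "referrer": "app.internal.example"},
    {"user": "hr", "ts": 120, "host": "www.google.com", "referrer": "www.linkedin.com"},
    {"user": "hr", "ts": 125, "host": "news.example", "referrer": "www.google.com"},
]
```

Only the `cfo` session is flagged; ordinary application traffic to the storage host and ordinary LinkedIn-to-Google browsing are not.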