LinkedIn Phishing Campaign Targets Finance Executives With Fake Board Invitations

A sophisticated phishing campaign is exploiting LinkedIn to target high-level finance executives with fake invitations to join a fabricated investment fund's executive board, aiming to steal Microsoft login credentials. The scam begins with LinkedIn direct messages that mimic legitimate board invitations from a fictitious "Common Wealth" investment fund in partnership with AMCO Asset Management, enticing victims to click malicious links. These links lead through multiple redirects, including Google open redirects, before landing on a fake "LinkedIn Cloud Share" portal hosted on Firebase, which contains bogus documents related to the fake board position. Clicking on these documents triggers a prompt to "View with Microsoft," redirecting users to phishing pages that imitate Microsoft login portals and use Cloudflare Turnstile CAPTCHA to evade automated detection and harvest credentials and session cookies. Attackers use tactics such as typosquatting, randomized page elements, and trusted services like Google Firebase to bypass traditional security filters and avoid detection by link analysis systems. This campaign highlights the increasing use of LinkedIn as a vector for phishing attacks, exploiting trust in professional networking environments and creating a security blind spot for enterprises.