
LinkedIn Phishing Attack Exploits Microsoft 365 Accounts to Target Finance Executives with Fake Board Invites

  • Rescana
  • 5 days ago
  • 4 min read

Executive Summary

Date: October 30, 2025

A highly sophisticated phishing campaign is currently targeting finance executives through LinkedIn direct messages, leveraging fake board invitations as a lure. The attackers impersonate reputable investment funds and asset management branches, enticing high-value targets such as CFOs, VPs, and directors to engage with malicious links. The primary objective is to harvest Microsoft credentials and session cookies using advanced adversary-in-the-middle (AITM) techniques. This campaign is notable for its use of trusted cloud services, multiple redirection layers, and anti-automation mechanisms, making detection and mitigation particularly challenging. The threat landscape is evolving rapidly, with a significant increase in phishing attempts via non-email channels, underscoring the urgent need for heightened vigilance and robust technical controls.

Technical Information

The current campaign, first reported by BleepingComputer and analyzed by Push Security on October 30, 2025, exemplifies the convergence of social engineering, cloud abuse, and advanced phishing tactics. The attackers initiate contact through LinkedIn direct messaging, targeting finance executives with a personalized invitation to join the executive board of a fictitious investment fund, often named "Common Wealth" and allegedly in partnership with a legitimate-sounding entity such as AMCO (Asset Management branch). The message is crafted to appeal to the recipient’s professional ambitions and sense of exclusivity, increasing the likelihood of engagement.

Upon receiving the message, the victim is presented with a link purportedly leading to more information about the board opportunity. This link is not direct; instead, it employs a Google open redirect, a technique that leverages the trust users place in Google domains to mask the true destination. The initial redirect leads to an attacker-controlled intermediary site, which then forwards the victim to a custom landing page hosted on firebasestorage.googleapis[.]com, a legitimate Firebase cloud storage domain. This use of trusted cloud infrastructure is a deliberate tactic to bypass security filters and increase the perceived legitimacy of the phishing attempt.

The landing page is designed to mimic a "LinkedIn Cloud Share" portal, complete with branding and document links related to the supposed board position. When the victim attempts to access any of these documents, they are prompted to "View with Microsoft," which initiates a redirection to login.kggpho[.]icu. This domain is protected by a Cloudflare Turnstile CAPTCHA, an anti-bot mechanism that prevents automated security scanners from easily analyzing the phishing site. After passing the CAPTCHA, the victim is presented with a highly convincing fake Microsoft login page.

The core of the attack is the use of adversary-in-the-middle (AITM) phishing. Unlike traditional credential phishing, AITM attacks intercept the authentication process in real time, capturing not only the victim’s username and password but also session cookies. These session cookies can be used to bypass multi-factor authentication (MFA), granting the attacker persistent access to the victim’s Microsoft 365 or Azure AD environment. This technique represents a significant escalation in the threat posed by phishing, as it undermines one of the most widely adopted security controls in the enterprise sector.

The campaign’s infrastructure is robust and dynamic. Domains such as payrails-canaccord[.]icu, boardproposalmeet[.]com, and sqexclusiveboarddirect[.]icu are used as part of the redirection chain, while firebasestorage.googleapis[.]com serves as the hosting platform for malicious content. The use of Cloudflare services further complicates attribution and takedown efforts, as it provides an additional layer of obfuscation and protection for the attacker’s assets.

According to Push Security, 34% of recent phishing attempts have been delivered via non-email channels such as LinkedIn, a dramatic increase from 10% just three months prior. This shift reflects a broader trend in the threat landscape, as attackers seek to exploit the trust and immediacy of professional networking platforms. The current campaign is the second of its kind in six weeks, with a previous wave targeting technology executives using similar tactics.

Community reports on platforms such as Reddit (r/pwnhub) and LinkedIn have corroborated the findings of security researchers, with multiple professionals warning about the prevalence of fake board invitations and recruiter scams. The campaign has been mapped to several MITRE ATT&CK techniques, including T1566.002 (Phishing: Spearphishing via Service) for the use of LinkedIn direct messages, T1557 (Man-in-the-Middle) for AITM phishing, and T1110.003 (Brute Force: Credential Stuffing) as a potential follow-up if credentials are harvested.

While no specific advanced persistent threat (APT) group has been definitively linked to this campaign, the tactics, techniques, and procedures (TTPs) are consistent with those employed by financially motivated groups such as TA505 and FIN7. These groups are known for targeting high-value individuals in the financial sector, often leveraging sophisticated phishing and credential theft operations as initial access vectors.

The attack does not exploit a software vulnerability in LinkedIn or Microsoft 365; rather, it abuses the inherent trust in these platforms and the human element of security. All versions of LinkedIn and Microsoft 365 are affected, as the attack is platform-agnostic and relies on user interaction rather than a technical flaw.

Indicators of compromise (IOCs) associated with this campaign include the domains payrails-canaccord[.]icu, boardproposalmeet[.]com, sqexclusiveboarddirect[.]icu, login.kggpho[.]icu, and URLs hosted on firebasestorage.googleapis[.]com. Organizations are strongly advised to block these domains at the network perimeter and in endpoint security solutions, monitor for suspicious LinkedIn direct messages referencing "Common Wealth" or AMCO, and educate executives about the specific lures and tactics employed in this campaign.

Additional mitigation strategies include reviewing authentication logs for unusual Microsoft login attempts, particularly those following LinkedIn interactions, enabling session cookie protection, and monitoring for indicators of AITM phishing. Security awareness training should emphasize the risks associated with unsolicited board invitations and the importance of verifying the legitimacy of such offers through independent channels.
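As an added defender-side example (not code from this advisory, from Push Security or from BleepingComputer), the following Python sketch scans proxy log lines for the redirect chain described above: a Google open redirect pointing off-Google, the Firebase-hosted landing page, and the IOC domains listed in this advisory, and alerts when one client touches two or more of those stages within a short window. The log line format, the sample lines and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# IOC domains from the advisory, kept defanged as written on the page; refanged for matching.
IOC_HOSTS = {d.replace("[.]", ".") for d in ("payrails-canaccord[.]icu", "boardproposalmeet[.]com",
                                             "sqexclusiveboarddirect[.]icu", "login.kggpho[.]icu")}
FIREBASE_HOST = "firebasestorage.googleapis.com"
# Assumed (constructed) proxy log line format: "<ISO timestamp> <client_ip> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def google_redirect_target(url):
    """Off-Google host that a google.com/url?q=... open redirect forwards to, else None."""
    p = urlparse(url)
    if not p.netloc.lower().endswith("google.com") or p.path != "/url":
        return None
    q = parse_qs(p.query)
    host = urlparse((q.get("q") or q.get("url") or [""])[0]).netloc.lower()
    return host if host and not host.endswith("google.com") else None

def classify(url):
    """Name the chain stage a URL belongs to (IOC host, Firebase page, open redirect) or None."""
    host = urlparse(url).netloc.lower()
    if host in IOC_HOSTS:
        return "ioc_domain"
    if host == FIREBASE_HOST:
        return "firebase_hosted_page"
    return "google_open_redirect" if google_redirect_target(url) else None

def find_chains(lines, window=timedelta(minutes=10)):
    """Return {client_ip: sorted stages} for clients hitting two or more stages within window."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (stage := classify(m.group(3))):
            hits[m.group(2)].append((datetime.fromisoformat(m.group(1)), stage))
    alerts = {}
    for client, events in hits.items():
        events.sort()
        stages = sorted({s for t, s in events if t - events[0][0] <= window})
        if len(stages) >= 2:
            alerts[client] = stages
    return alerts

# Constructed sample: 10.0.0.5 walks the chain; 10.0.0.9 only follows a Google-internal redirect.
SAMPLE_LOG = [
    "2025-10-30T09:01:00 10.0.0.5 https://www.google.com/url?q=https://payrails-canaccord.icu/invite",
    "2025-10-30T09:01:04 10.0.0.5 https://payrails-canaccord.icu/invite",
    "2025-10-30T09:01:09 10.0.0.5 https://firebasestorage.googleapis.com/v0/b/bucket/o/share.html",
    "2025-10-30T09:02:30 10.0.0.5 https://login.kggpho.icu/common/oauth2/authorize",
    "2025-10-30T09:05:00 10.0.0.9 https://www.google.com/url?q=https://docs.google.com/document/d/1",
]
```

Running `find_chains(SAMPLE_LOG)` flags only 10.0.0.5, with all three stages; a single hit on a Google-internal redirect is not reported on its own.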

The rapid evolution of phishing tactics, particularly the shift to non-email delivery vectors and the adoption of AITM techniques, underscores the need for a multi-layered defense strategy. Technical controls must be complemented by ongoing user education and threat intelligence sharing to effectively counter these advanced threats.

References

Push Security: LinkedIn Board Invite Phishing (October 30, 2025)

LinkedIn: Financial Services Evolution X's Post (October 2025)

Rescana is here for you

Rescana empowers organizations to proactively manage third-party risk and strengthen their cybersecurity posture through our advanced TPRM platform. Our solution provides continuous monitoring, automated risk assessments, and actionable intelligence to help you stay ahead of emerging threats. We are committed to supporting your security team with the latest insights and best practices in the ever-evolving threat landscape.

If you have any questions or require further assistance, we are happy to help at ops@rescana.com.
