Shapefin

Push Security Reveals Sophisticated LinkedIn Phishing Campaign Abusing Legitimate Cloud Services

Push Security, a company specializing in browser-based detection and response, has uncovered a sophisticated phishing campaign targeting business users through LinkedIn. The campaign leverages a series of legitimate cloud services from Google and Microsoft to bypass traditional security measures and steal user credentials, signaling an evolving threat landscape where attackers move beyond email to social platforms.

“These tactics are becoming increasingly common in the phishing ecosystem and reflect just how well attackers understand how modern defenses operate,” stated Jacques Louw, Chief Product Officer at Push Security. The campaign, which was intercepted by Push’s browser-native security platform, utilized services such as Google Search, Firebase, and Microsoft Dynamics in complex redirect chains before directing victims to a credential-stealing page impersonating Microsoft.

Adam Bateman, CEO of Push Security, highlighted the shift in attacker methodology, noting, “Phishing attacks are no longer confined to the inbox. Attackers are meeting employees everywhere they work and communicate — including apps like LinkedIn — and they’re hiding in plain sight behind trusted domains that traditional defenses are programmed to ignore.”

Push Security’s researchers have observed a notable increase in phishing attempts delivered via LinkedIn direct messages. This trend exploits the platform’s legitimate use for professional networking, placing it outside the typical visibility of enterprise email security tools. This recent discovery marks the second LinkedIn-targeted campaign identified by Push in a short period, indicating that attackers increasingly view the platform as an effective route to reach high-value targets like executives and sales leaders.

Louw further explained the tactical advantage for attackers: “Because LinkedIn sits outside enterprise phishing filters and other traditional cybersecurity solutions, attackers are able to initiate contact, send malicious links, and socially engineer victims with fewer barriers. The result is a blind spot in enterprise visibility and control, leaving employees exposed even on devices managed by corporate IT.”

To evade detection, the attackers employed multi-layered redirect chains involving legitimate cloud services like Google Sites, Google Search, Firebase, and Microsoft Dynamics. By embedding redirects through reputable domains, they significantly reduce the likelihood of their malicious links being flagged or blocked by automated security tools. Furthermore, the campaign utilized Cloudflare Turnstile bot protection to hinder automated analysis of their phishing sites and deployed page obfuscation techniques to defeat detection signatures.

The attack sequence began with a LinkedIn direct message containing a seemingly harmless link. After navigating through a series of redirects via legitimate platforms, victims encountered a Microsoft-branded “view document” page, protected by a Cloudflare Turnstile challenge. Upon completion, the victim was presented with an adversary-in-the-middle (AiTM) phishing page designed to steal the user’s Microsoft session. An AiTM page proxies the victim’s credentials and MFA prompt through to the real Microsoft login, so MFA completes successfully for the attacker’s session; the attacker captures the resulting session cookie, which is why MFA alone does not stop this class of attack.
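The redirect chain and landing page described in the two paragraphs above can be reasoned about offline. The following is an added example written for this page, not Push Security's code or the campaign's real infrastructure: it walks a constructed chain of redirect responses, flags hops where a trusted hosting domain hands the browser to a different domain (the reputation-laundering pattern), flags open-redirect-style hops whose next destination is carried in the query string, and classifies the final page as an AiTM suspect when it renders a Microsoft-style sign-in form from a host that is not a Microsoft sign-in host. The hostnames in the sample other than the well-known provider domains, the query-parameter shape of the Google Search hop, the combined "view document"/sign-in landing page, and the assumption that the cloned form keeps Microsoft's `loginfmt`/`passwd` field names are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: each key is a URL the browser requested, each value the
# Location it was redirected to (None means the page rendered). Hosts other
# than the provider domains are made up; the campaign's real URLs are unknown.
RESPONSES = {
    "https://sites.google.com/view/q3-proposal":
        "https://www.google.com/url?q=https://acme-docs.web.app/open",
    "https://www.google.com/url?q=https://acme-docs.web.app/open":
        "https://acme-docs.web.app/open",
    "https://acme-docs.web.app/open":
        "https://view-doc-portal.example/d/7f1",
    "https://view-doc-portal.example/d/7f1": None,
}

# Constructed landing page: a Microsoft-styled sign-in form gated by a
# Cloudflare Turnstile widget, served from a non-Microsoft host. The article
# describes a gate page followed by the AiTM page; they are merged here.
LANDING_HTML = """<html><head><title>Sign in to your account</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><div class="cf-turnstile" data-sitekey="0xAAAA"></div>
<form><input name="loginfmt" type="email"><input name="passwd" type="password"></form>
</body></html>"""

# Hosts on which a genuine Microsoft sign-in form is expected to be served.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Hosting/redirect services a typical allowlist trusts; exactly the reputation
# the campaign borrows. Matching is on host or registrable domain.
TRUSTED_HOSTS = {"sites.google.com", "www.google.com", "web.app", "firebaseapp.com", "dynamics.com"}


def host(url):
    return urlsplit(url).hostname or ""


def registrable(h):
    # Last two labels; good enough for these samples (no public-suffix list here).
    parts = h.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else h


def is_trusted(h):
    return h in TRUSTED_HOSTS or registrable(h) in TRUSTED_HOSTS


def follow_chain(start, responses, max_hops=10):
    """Replay redirects from the response map and return every URL visited."""
    hops, url = [start], start
    while responses.get(url) is not None:
        url = responses[url]
        if url in hops or len(hops) >= max_hops:
            raise ValueError("redirect loop or too many hops")
        hops.append(url)
    return hops


def embedded_target(url):
    """Return a full URL carried in the query string (the open-redirect shape), if any."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return None


def chain_findings(hops):
    findings = []
    for src, dst in zip(hops, hops[1:]):
        if is_trusted(host(src)) and registrable(host(src)) != registrable(host(dst)):
            findings.append(f"trusted host {host(src)} handed off to {host(dst)}")
        if embedded_target(src) == dst:
            findings.append(f"open-redirect style hop via {host(src)}")
    return findings


def looks_like_microsoft_login(html):
    # Assumption: the cloned form keeps Microsoft's own input names.
    lower = html.lower()
    return 'name="loginfmt"' in lower and 'name="passwd"' in lower


def has_turnstile(html):
    return "challenges.cloudflare.com/turnstile" in html


def classify_landing(url, html):
    """Brand markers on the wrong origin are the AiTM tell; the URL reputation is irrelevant."""
    if looks_like_microsoft_login(html):
        return "legit_microsoft_login" if host(url) in MICROSOFT_LOGIN_HOSTS else "aitm_suspect"
    return "benign"


def analyze(start, responses=RESPONSES, landing_html=LANDING_HTML):
    hops = follow_chain(start, responses)
    return {
        "hops": hops,
        "first_hop_trusted": is_trusted(host(hops[0])),
        "findings": chain_findings(hops),
        "turnstile_gate": has_turnstile(landing_html),
        "verdict": classify_landing(hops[-1], landing_html),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze("https://sites.google.com/view/q3-proposal"), indent=2))
```

The point the chain analysis makes is the one the article makes: the first hop is on a trusted host and a reputation lookup on it returns clean, so only following the chain to its end and judging the landing page by where it is hosted, not by what it looks like, separates this from a legitimately shared document.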

The increasing prevalence of social media-delivered phishing campaigns signifies a broader shift in attacker strategies. As corporate email defenses improve, adversaries are adapting by targeting less-guarded communication channels and combining them with legitimate cloud services to maximize their reach and minimize detection. Push Security researchers anticipate this trend will continue, with future phishing operations blending across various channels and platforms that operate outside traditional enterprise security visibility.

Push Security detected and blocked this attack in real time by identifying malicious activity directly within the user’s browser session, where the attack unfolds. This approach differs from relying on URL reputation, email scanning, or threat intelligence feeds. Louw emphasized this advantage, stating, “These campaigns show how attackers are bypassing every traditional control point — email gateways, link scanners, domain filters — by abusing the same trusted tools that enterprises rely on. Push protects users in real-time in the browser, no matter how or where malicious content reaches the user.”

Push’s browser-native platform is designed to identify and block a range of browser-based attacks, including AiTM phishing, credential stuffing, session hijacking, and password reuse. Beyond detection, the platform assists organizations in hardening their identity attack surface by identifying security gaps such as unmanaged logins, weak MFA coverage, and risky OAuth integrations. Think of Push as being like EDR, but in the browser. Push Security was founded by former red team members with expertise in offensive security and security operations, and is supported by investors including Decibel, GV (Google Ventures), Redpoint Ventures, Datadog Ventures, and B3 Capital.