TL;DR: A targeted LinkedIn phishing campaign chained trusted web properties, layered redirects, and CAPTCHA-based evasion to reach an attacker-in-the-middle login page aimed at an executive’s Google Workspace account, according to Push Security. The incident shows how one compromised SSO-linked account can widen blast radius across downstream applications and turn browser-level phishing into an identity governance problem.
At a glance
What this is: This is a targeted phishing analysis showing how LinkedIn lures, redirect chains, and AiTM pages can bypass conventional controls and threaten executive Google Workspace access.
Why it matters: It matters because one compromised primary identity can expose SSO-linked downstream apps, making browser visibility, session protection, and executive-risk governance essential across human IAM and NHI-adjacent access paths.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
👉 Read Push Security's analysis of the LinkedIn AiTM phishing campaign
Context
LinkedIn-delivered phishing is a governance problem as much as a user-awareness problem. When attackers move outside email and use trusted collaboration channels, they bypass many of the controls security teams rely on for filtering, sandboxing, and domain reputation checks.
The real exposure begins when a primary identity is tied to SSO and downstream applications. In that model, compromise is no longer limited to a mailbox or one browser session. It can become a broader identity event that touches access paths, app trust, and persistence settings.
This kind of attack is not unusual. It reflects a mature social-engineering pattern that now combines trusted delivery, infrastructure camouflage, and browser-session theft to make traditional perimeter-style detection too late in the chain.
Key questions
Q: How should security teams reduce the impact of LinkedIn-delivered phishing attacks?
A: Security teams should treat LinkedIn as part of the identity attack surface, not only as a communications channel. That means monitoring executive contact patterns, adding browser-based blocking for suspicious login flows, and reviewing whether compromised accounts can reach high-value downstream apps through SSO. Containment depends on reducing the blast radius before credentials are harvested.
Q: Why do AiTM phishing attacks create more risk than ordinary credential theft?
A: AiTM phishing can capture the live session as well as the password, which lets attackers bypass some downstream authentication checks. That matters because a stolen session may expose email, chat, and federated apps linked through SSO. The risk is persistence and reach, not just immediate login failure.
Q: What do security teams get wrong about phishing detection in modern browser flows?
A: Many teams still expect a malicious URL to be visible early and stable enough for static filtering or sandboxing. This attack pattern shows that legitimate hosting, redirect chains, and CAPTCHA gates can hide the real destination until the user is deep in the flow. Detection has to move closer to the browser.
Q: Who is accountable when a compromised executive account reaches downstream SSO applications?
A: Accountability sits with the identity and access programme, because the compromise exposes gaps in session control, application trust, and offboarding of latent access paths. Incident response must include app owners, IAM teams, and security operations so that resets are paired with review of connected integrations and token-based persistence.
Technical breakdown
LinkedIn as the initial access channel
Attackers increasingly use direct messages on professional networks because they bypass email security stacks and exploit users' trust in familiar business contexts. A compromised sender account makes the lure look routine, while the platform itself becomes the delivery mechanism. This is not just phishing by another name. It is identity abuse upstream of the login page, where the attacker borrows social credibility to drive the victim into a controlled flow. In practice, the first control gap is not the login form but the lack of monitoring for risky external contact patterns and account compromise on collaboration platforms.
Practical implication: monitor executive social channels as part of identity attack surface management, not as a separate communications problem.
Redirect chains, CAPTCHAs, and sandbox evasion
This attack used legitimate services, layered redirects, and custom CAPTCHA challenges to frustrate automated inspection. Security tools that depend on static URL analysis or sandbox replay often lose visibility when the page behavior changes after user interaction. The purpose of these steps is to delay or defeat classification until the victim reaches the attacker-in-the-middle page. Once the browser is inside the flow, the attacker can harvest credentials and session artefacts with much higher confidence. The technical lesson is that delivery-time controls alone are fragile when the content path is intentionally disposable and user-triggered.
Practical implication: add browser-side detection and response that evaluates what the user actually sees, not only what scanners fetch.
Why AiTM makes SSO compromise high impact
Attacker-in-the-middle phishing is dangerous because it can capture not only credentials but also the authenticated session context that follows. For a Google Workspace user, that can expose mail, chat, and any downstream applications linked through SSO. The identity problem then shifts from password theft to session and token abuse, including the possibility of stealthy persistence in connected apps. In practical terms, the attacker wants durable access, not just one successful sign-in. The blast radius grows when the organisation has weak visibility into what an executive account can reach after initial authentication.
Practical implication: review downstream SSO dependencies and session persistence paths for executive accounts before an incident forces the issue.
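The following Python is an added example, not code from Push Security or from this page's authors. It turns the review above into a reachability calculation over a small constructed trust graph: first what an executive identity reaches while the stolen session is live, then which of those paths outlive a password reset and session revocation. The node names, the edges, and the edge-kind semantics (that SSO-brokered sessions die when the IdP session is revoked, while OAuth grants, API keys, and mailbox delegation persist until explicitly revoked) are modelling assumptions. The same computation serves the persistence review in the "For practitioners" list further down.

```python
"""Blast radius and persistence paths for one compromised identity.

Added example, not code from Push Security or NHIMG.  The trust graph is
constructed and the edge-kind semantics are modelling assumptions.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    kind: str  # how access from src to dst is brokered (see comments below)


# Assumed semantics of each edge kind:
#   sso                - session brokered by the IdP; dies with the IdP session
#   oauth_grant        - refresh token held by a third-party app; survives a
#                        password reset until the grant itself is revoked
#   api_key            - static secret an attacker can mint from a live session
#   mailbox_delegation - delegate or auto-forward rule inside the mailbox
#   data               - what the destination exposes once src is held
SESSION_INDEPENDENT = {"oauth_grant", "api_key", "mailbox_delegation"}

# Constructed trust graph for one executive account (not real data).
EDGES = [
    Edge("ceo@example.com", "gmail", "sso"),
    Edge("ceo@example.com", "google-chat", "sso"),
    Edge("ceo@example.com", "hr-portal", "sso"),
    Edge("ceo@example.com", "crm", "sso"),
    Edge("ceo@example.com", "cal-sync-addon", "oauth_grant"),
    Edge("cal-sync-addon", "google-calendar", "data"),
    Edge("cal-sync-addon", "gmail", "data"),
    Edge("crm", "crm-export-key", "api_key"),
    Edge("crm-export-key", "customer-db", "data"),
    Edge("gmail", "forward-to-external", "mailbox_delegation"),
    Edge("hr-portal", "payroll", "sso"),
]


def _reachable(edges, start, allowed_kinds=None):
    """BFS from start returning {node: path}.  When allowed_kinds is given,
    only those kinds plus 'data' edges are followed."""
    adj = {}
    for e in edges:
        adj.setdefault(e.src, []).append(e)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for e in adj.get(node, []):
            if allowed_kinds is not None and e.kind != "data" and e.kind not in allowed_kinds:
                continue
            if e.dst not in paths:
                paths[e.dst] = paths[node] + [e.dst]
                queue.append(e.dst)
    return paths


def blast_radius(edges, start):
    """Everything reachable while the stolen session is live."""
    return _reachable(edges, start)


def persistence_footholds(edges, start):
    """Access that outlives a password reset plus session revocation.

    Returns (footholds, exposed).  footholds maps each session-independent
    foothold the attacker could have planted from the live session to the
    path used to plant it; exposed maps every node those footholds still
    reach through 'data' edges to its full path from the identity.
    """
    live = blast_radius(edges, start)
    footholds = {}
    for e in edges:
        if e.kind in SESSION_INDEPENDENT and e.src in live:
            footholds.setdefault(e.dst, live[e.src] + [e.dst])
    exposed = {}
    for node, path in footholds.items():
        for dst, sub in _reachable(edges, node, allowed_kinds=set()).items():
            exposed.setdefault(dst, path + sub[1:])
    return footholds, exposed


def residual_after_reset(edges, start):
    """Sorted list of nodes a reset alone does not take away from the attacker."""
    _, exposed = persistence_footholds(edges, start)
    return sorted(exposed)


if __name__ == "__main__":
    live = blast_radius(EDGES, "ceo@example.com")
    print(f"live blast radius: {len(live) - 1} downstream nodes")
    _, exposed = persistence_footholds(EDGES, "ceo@example.com")
    for node in residual_after_reset(EDGES, "ceo@example.com"):
        print("survives reset:", " -> ".join(exposed[node]))
```

Run it and the contrast is the point: the live session reaches ten nodes, but after a reset the attacker keeps three footholds (the calendar add-on grant, the CRM export key, and the mail forward) and everything they expose, including the customer database and the mailbox itself. Those are the edges incident response has to revoke and the graph a governance review should prune before an incident.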
Threat narrative
Attacker objective: The attacker wanted durable access to a high-value executive identity and the downstream applications reachable through that account.
- Entry occurred through a LinkedIn direct message sent from a compromised executive account and framed as an investment opportunity.
- Escalation happened as the victim was pushed through legitimate-looking sites, CAPTCHA gating, and an attacker-in-the-middle login page designed to capture credentials and session context.
- Impact would have included takeover of the executive's Google Workspace account and access to SSO-linked downstream applications, creating a wide blast radius.
Breaches seen in the wild
- DeepSeek breach: exposed 1M+ log lines and sensitive secret keys.
- JetBrains GitHub plugin token exposure: CVE-2024-37051 in the JetBrains IntelliJ GitHub plugin exposed GitHub access tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Browser-delivered phishing is now an identity governance problem, not just a mail-security problem. When attackers move through LinkedIn and other collaboration channels, they evade email-centric controls and force IAM teams to think about identity attack surface across every user touchpoint. The control boundary has shifted from message filtering to session protection and downstream access visibility. Practitioners should treat external social channels as part of the identity perimeter.
Executive accounts need blast-radius governance, not just stronger authentication. The issue is not whether a company can block one login page. It is whether a compromised executive identity can be contained before it reaches mail, chat, and SSO-connected applications. The broader the downstream access graph, the more expensive late detection becomes. Practitioners should map executive account reach and remove unnecessary downstream privilege.
Disposable phishing infrastructure has created a redirect-chain visibility gap that many controls still miss. This attack depended on legitimate hosting, multiple redirects, and user-triggered content to outrun static inspection. That breaks assumptions built into tools that expect a stable malicious URL or a single inspection point. The implication is that identity and browser telemetry must be reviewed together, because the attack path is no longer visible from the first link alone.
Compromise persistence now extends beyond the mailbox into the identity fabric. The article's own warning about ghost logins, evil twin integrations, and API keys is the right one for IAM teams: once an executive session is stolen, the attacker may seed multiple footholds that outlive the initial reset. That means incident response has to account for connected app trust, not just password changes. Practitioners should scope recovery around the full authenticated ecosystem.
Attackers are optimising for trusted user context, which makes human identity controls and NHI-style persistence risks converge. The same governance discipline used for machine identity hygiene now matters when human sessions can be turned into durable access paths through API keys, OAuth grants, or ghost logins. That convergence is where identity programmes either see the full blast radius or miss it. Practitioners should align human IAM response with downstream token and integration review.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- The same research found that 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, with inadequate monitoring and logging and over-privileged accounts each cited by 37%.
- For the broader governance frame, see 52 NHI Breaches Analysis for patterns of credential exposure, persistence, and downstream access abuse.
What this signals
Redirect-chain visibility gap: organisations need to assume that malicious delivery will increasingly occur through legitimate services and user-triggered navigation, not just suspicious domains. That pushes detection closer to the browser and the identity session, where the attack can still be interrupted before downstream access is inherited.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the same blind spot that affects non-human access also weakens recovery after executive phishing. If you cannot see the connected surface, you cannot confidently scope persistence after a compromise.
This is where browser telemetry, SSO graphs, and token review should converge. The organisations that can correlate the live session with the downstream trust graph will recover faster and reduce the number of hidden footholds left behind after a reset.
For practitioners
- Map executive identity blast radius: inventory every downstream application, API, and SSO-linked service reachable from executive accounts, then remove non-essential access paths and stale integrations.
- Add browser-side phishing interception: use controls that evaluate the live browser session and block attacker-in-the-middle pages before credentials or session tokens are submitted.
- Hunt for multi-step redirect patterns: search telemetry for short bursts of access across sites.google.com, Microsoft Dynamics domains, and suspicious .sa.com destinations within the same user session.
- Review persistence mechanisms after any credential reset: check for ghost logins, evil twin integrations, OAuth grants, and exposed API keys in every account that may have been touched by the compromise.
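As an added example, not Push Security's detection logic or NHIMG tooling, the Python below implements the redirect-pattern hunt from the third bullet over browser or proxy telemetry. The log format (ISO timestamp, user, URL per line), the sample lines, the ten-minute window, and the host patterns for the Microsoft Dynamics stage (`*.dynamics.com`) and the final stage (`*.sa.com`) are assumptions; the original report's exact hostnames are not reproduced here.

```python
"""Hunt for a multi-stage redirect chain in browser or proxy telemetry.

Added example, not Push Security's detection logic.  The log format, the
sample lines, the window and the host patterns are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Ordered stages of the suspected chain as predicates on the visited host.
# The Dynamics suffix and the .sa.com suffix are assumed from the page's
# description; the original report's exact hosts are not reproduced here.
STAGES = [
    ("google_sites", lambda h: h == "sites.google.com"),
    ("ms_dynamics", lambda h: h.endswith(".dynamics.com")),
    ("sa_com_landing", lambda h: h.endswith(".sa.com")),
]

# The whole chain must complete inside this window.  A Google Sites visit
# followed hours later by a CRM visit is normal browsing, not a chain.
WINDOW = timedelta(minutes=10)

# Constructed telemetry, "<ISO timestamp> <user> <url>" per line (not real data).
LOG = """\
2025-09-01T09:00:05 ceo@example.com https://www.linkedin.com/messaging/thread/abc123
2025-09-01T09:00:41 ceo@example.com https://sites.google.com/view/investor-brief
2025-09-01T09:00:44 ceo@example.com https://contoso-invest.crm4.dynamics.com/portal/index.html
2025-09-01T09:00:52 ceo@example.com https://verify.secure-login.sa.com/login?step=1
2025-09-01T09:30:00 analyst@example.com https://sites.google.com/view/team-roster
2025-09-01T09:31:00 analyst@example.com https://docs.google.com/document/d/1
2025-09-01T14:00:00 cfo@example.com https://sites.google.com/view/quarterly
2025-09-01T15:00:00 cfo@example.com https://org.crm.dynamics.com/main.aspx
2025-09-01T15:00:10 cfo@example.com https://cdn.assets.sa.com/
"""


@dataclass(frozen=True)
class Visit:
    ts: datetime
    user: str
    host: str
    url: str


def parse_line(line: str) -> Visit:
    """Parse one constructed telemetry line into a Visit."""
    ts, user, url = line.split(maxsplit=2)
    host = (urlparse(url).hostname or "").lower()
    return Visit(datetime.fromisoformat(ts), user, host, url)


def find_redirect_chains(lines):
    """Return one finding per ordered walk through STAGES that completes
    inside WINDOW for a single user.  Visits consumed by one finding are
    not reused, so a burst is reported once."""
    by_user = defaultdict(list)
    for line in lines:
        if line.strip():
            v = parse_line(line)
            by_user[v.user].append(v)

    findings = []
    for user, visits in by_user.items():
        visits.sort(key=lambda v: v.ts)
        consumed = set()
        for i, start in enumerate(visits):
            if i in consumed or not STAGES[0][1](start.host):
                continue
            chain = [i]
            for j in range(i + 1, len(visits)):
                v = visits[j]
                if v.ts - start.ts > WINDOW:
                    break  # window closed before the chain completed
                if j not in consumed and STAGES[len(chain)][1](v.host):
                    chain.append(j)
                    if len(chain) == len(STAGES):
                        consumed.update(chain)
                        findings.append({
                            "user": user,
                            "start": start.ts.isoformat(),
                            "seconds": (v.ts - start.ts).total_seconds(),
                            "hosts": [visits[k].host for k in chain],
                            "urls": [visits[k].url for k in chain],
                        })
                        break
    return findings


if __name__ == "__main__":
    for f in find_redirect_chains(LOG.splitlines()):
        print(f"{f['user']} walked {' -> '.join(f['hosts'])} in {f['seconds']:.0f}s")
```

On the constructed log only the executive's eleven-second burst is reported: the analyst never leaves Google properties, and the CFO's visits hit all three hosts but an hour apart, so the window rejects them. Point the function at exported telemetry in the same shape to run it against real data, and tune the stage predicates to the hosts observed in your own tenant.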
Key takeaways
- LinkedIn-delivered AiTM phishing bypasses many traditional controls because the attack moves through trusted user channels and browser interaction rather than email alone.
- Executive account compromise is high impact because one stolen session can reach mail, chat, and SSO-connected applications across the identity fabric.
- The limiting control is not only stronger authentication but earlier browser-side detection, downstream access review, and persistence hunting after any suspected session theft.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-04, PR.AA-05 (identity assertions protected and verified; access permissions managed and reviewed; the CSF 1.1 equivalent was PR.AC-4) | Federated access and downstream SSO exposure are central to this phishing analysis. |
| NIST SP 800-63 | SP 800-63B (authentication and session management) and SP 800-63C (federation and assertions) | The attack abuses authenticated sessions and account assurance in a human identity flow. |
| NIST Zero Trust (SP 800-207) | Zero trust tenets, including per-session access decisions and dynamic, continuous evaluation | Zero trust requires continuous verification after login, which this attack tries to bypass. |
Treat the authenticated browser session as a control point and verify before downstream access is inherited.
Key terms
- Attacker-in-the-middle phishing: A phishing technique where the attacker relays the victim's login flow through an intermediate page to capture credentials, cookies, or session tokens. It is more dangerous than simple credential harvesting because the attacker can inherit an active authenticated session and sometimes bypass later controls.
- Blast radius: The set of systems, data, and applications that become reachable after one identity is compromised. In identity programmes, blast radius is determined by session scope, downstream application trust, and persistence mechanisms, not only by the strength of the initial authentication step.
- Redirect chain: A sequence of web redirects used to move a user from the initial lure to the final malicious destination. Security teams care about redirect chains because they can hide the true endpoint from static inspection, confuse reputation-based controls, and delay detection until the user has already engaged.
- Ghost login: A persistence method where an attacker retains access through a hidden or lightly monitored authenticated path after the primary credentials have been reset. It often involves linked integrations, tokens, or stale trust relationships that survive the original compromise response.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Push Security: How Push blocked a LinkedIn-delivered AiTM phishing attack targeting an executive. Read the original.
Published by the NHIMG editorial team on 2025-09-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org