LinkedIn phishing chains and session theft: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9223
Topic starter  

TL;DR: Attackers are using LinkedIn messages, Google and Microsoft redirect chains, and AiTM phishing pages to steal Microsoft sessions while bypassing MFA and traditional email controls, according to Push Security. The pattern shows that browser-visible identity attacks now outrun inbox-centric defenses and demand stronger session-level governance.

NHIMG editorial — based on content published by Push Security: Push Security identifies surge in sophisticated LinkedIn-based phishing campaigns

By the numbers:

Questions worth separating out

Q: How should security teams respond to LinkedIn-based phishing that uses trusted redirects?

A: Security teams should monitor social platforms, browser sessions, and redirect behaviour together, because the attack chain begins outside email and often ends after the user has authenticated.

Q: Why do legitimate Google and Microsoft redirects make phishing harder to stop?

A: Trusted redirects make phishing harder to stop because each intermediary can look legitimate to reputation-based filters, allowing the final credential page to arrive with inherited trust.

Q: What do security teams get wrong about MFA in AiTM phishing attacks?

A: Teams often assume MFA ends the threat once the login challenge succeeds, but AiTM attacks can capture the resulting session instead.

Practitioner guidance

  • Instrument browser-session telemetry: Collect and review browser-level signals for redirect chains, credential entry points, and unusual post-authentication behaviour so identity attacks can be detected where they execute.
  • Treat social platforms as phishing ingress paths: Add LinkedIn and other collaboration channels to phishing monitoring, awareness, and response playbooks instead of relying only on email gateway coverage.
  • Harden against AiTM session theft: Prioritise phishing-resistant authentication where possible, then pair it with session binding, token protection, and controls that reduce reuse of captured sessions.

What's in the full analysis

Push Security’s full post covers the operational detail this post intentionally leaves for the source:

  • The exact redirect sequence across Google Search, Firebase, Google Sites, and Microsoft Dynamics.
  • The browser-native detection logic used to spot the campaign in real time.
  • The examples of page obfuscation and bot protection that helped the attackers evade analysis.
  • The additional identity attack surface findings around unmanaged logins, weak MFA coverage, and risky OAuth integrations.

👉 Read Push Security’s analysis of LinkedIn phishing and session theft →

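The first guidance bullet in the post above asks for browser-session telemetry that can spot redirect chains and credential entry points. The following is an added example, not code from the original post or from Push Security, of detection logic run over constructed navigation events: it groups events per browser tab, counts distinct trusted intermediaries (the Google Search, Firebase, Google Sites and Microsoft Dynamics services the post names are assumed here as the intermediary domain list), and flags any chain whose credential entry lands somewhere other than the assumed legitimate identity-provider hosts. The telemetry schema, the domain lists, the placeholder URLs and the scoring thresholds are all assumptions made for this example.

```python
"""Added example (not Push Security's or NHIMG's code): score per-tab browser
navigation chains for the social-ingress -> trusted-redirects -> credential-page
pattern. Telemetry schema, domain lists and thresholds are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Where the chain is expected to start (social / collaboration ingress).
SOCIAL_INGRESS = {"linkedin.com", "lnkd.in"}
# Reputable services used as hops; each looks legitimate on its own, which is
# why reputation-based filters let the whole chain through. Assumed list.
TRUSTED_INTERMEDIARIES = {"google.com", "firebaseapp.com", "web.app", "dynamics.com"}
# The only hosts at which Microsoft credentials should ever be typed
# (assumption: an Entra ID tenant with no custom login domain).
LEGIT_IDP_HOSTS = {"login.microsoftonline.com", "login.live.com"}


@dataclass(frozen=True)
class Event:
    tab: str   # browser tab the event happened in
    kind: str  # "nav" = top-level navigation, "cred" = password field submitted
    url: str


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_domains(host: str, domains: set[str]) -> bool:
    """True if host equals or is a subdomain of any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def chains_by_tab(events: list[Event]) -> dict[str, list[Event]]:
    chains: dict[str, list[Event]] = {}
    for ev in events:  # events are assumed to be already time-ordered
        chains.setdefault(ev.tab, []).append(ev)
    return chains


def assess_chain(chain: list[Event]) -> dict | None:
    """Return a finding for one tab's chain, or None if nothing is suspicious."""
    creds = [ev for ev in chain if ev.kind == "cred"]
    if not creds:
        return None  # no credential entry, nothing to protect
    cred_host = host_of(creds[-1].url)
    if in_domains(cred_host, LEGIT_IDP_HOSTS):
        return None  # credentials went to the real identity provider

    hosts = [host_of(ev.url) for ev in chain if ev.kind == "nav"]
    hops: list[str] = []
    for h in hosts:
        if in_domains(h, TRUSTED_INTERMEDIARIES) and h not in hops:
            hops.append(h)

    reasons = ["credential entry on non-IdP host"]
    score = 3
    if hosts and in_domains(hosts[0], SOCIAL_INGRESS):
        reasons.append("chain entered from social platform")
        score += 1
    if len(hops) >= 2:
        reasons.append(f"{len(hops)} trusted intermediaries before credential page")
        score += 2
    return {
        "tab": chain[0].tab,
        "credential_host": cred_host,
        "intermediaries": hops,
        "score": score,
        "severity": "high" if score >= 5 else "medium",
        "reasons": reasons,
    }


def detect(events: list[Event]) -> list[dict]:
    return [f for f in map(assess_chain, chains_by_tab(events).values()) if f]


# Constructed sample telemetry: tab "t1" follows the chain the post describes and
# ends on a look-alike login page; tab "t2" is a benign LinkedIn -> real IdP login.
SAMPLE_EVENTS = [
    Event("t1", "nav", "https://www.linkedin.com/messaging/thread/123/"),
    Event("t1", "nav", "https://www.google.com/url?q=https://app-placeholder.firebaseapp.com/"),
    Event("t1", "nav", "https://app-placeholder.firebaseapp.com/"),
    Event("t1", "nav", "https://sites.google.com/view/shared-doc-placeholder"),
    Event("t1", "nav", "https://org-placeholder.dynamics.com/"),
    Event("t1", "nav", "https://login-placeholder.example/common/oauth2/"),
    Event("t1", "cred", "https://login-placeholder.example/common/oauth2/"),
    Event("t2", "nav", "https://www.linkedin.com/feed/"),
    Event("t2", "nav", "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"),
    Event("t2", "cred", "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The credential-entry event is the pivot: a chain through four reputable hosts is unremarkable until a password is submitted somewhere other than the tenant's identity provider, which is why the score starts from that signal and only adds the ingress and intermediary-count evidence on top.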
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8662
 

Browser session trust is now part of identity governance, not just endpoint hygiene. This campaign shows that the security boundary has moved into the browser, where users authenticate, click, and complete session hand-offs. Traditional IAM programmes that stop at login success are missing the point. The practical conclusion is that identity governance must include how sessions are created, intercepted, and reused in real time.

A few things that frame the scale:

A question worth separating out:

Q: Which controls matter most when phishing moves beyond email into the browser?

A: The controls that matter most are browser telemetry, session protection, suspicious redirect inspection, and user access monitoring across social and collaboration channels. If the enterprise only watches the inbox, it will miss the actual place where the compromise unfolds.

👉 Read our full editorial: LinkedIn phishing now chains trusted cloud services to steal sessions

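The answer above names session protection and a response that does not stop at login success. As an added example (not from the editorial, the original post, or Push Security), the following server-side monitor works over constructed session log lines: it records the client context a session was issued in, flags the same session appearing from a second context, and flags use past a fixed lifetime. One caveat is built into the design: in an AiTM flow the identity provider may bind the session to the proxy's context rather than the victim's, so the check is for any session seen from more than one context, not only for a mismatch against the login context. The log schema, fingerprint values, /24 network bucket, two-hour lifetime and response actions are assumptions.

```python
"""Added example (not Push Security's or NHIMG's code): flag a session used from
more than one client context, and sessions used past a maximum age. Schema,
fingerprint values, network bucketing and lifetime are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

SESSION_MAX_AGE = timedelta(hours=2)  # assumed lifetime for a bearer session
CONTEXT_FIELDS = ("client_fp", "user_agent", "network")


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    session_id: str
    user: str
    event: str       # "login_mfa_ok" | "request"
    ip: str
    user_agent: str
    client_fp: str   # constructed stand-in for a TLS/device fingerprint


def network_of(ip: str) -> str:
    """Coarse /24 bucket so a DHCP lease change does not count as a new network."""
    return ip.rsplit(".", 1)[0]


class SessionMonitor:
    def __init__(self) -> None:
        self.issued_at: dict[str, datetime] = {}
        self.contexts: dict[str, list[tuple[str, str, str]]] = {}
        self.findings: list[dict] = []

    @staticmethod
    def _context(ev: SessionEvent) -> tuple[str, str, str]:
        return (ev.client_fp, ev.user_agent, network_of(ev.ip))

    def observe(self, ev: SessionEvent) -> dict | None:
        ctx = self._context(ev)
        if ev.event == "login_mfa_ok":
            # Bind at issue time. Caveat: behind an AiTM proxy this is the proxy's
            # context, not the victim's, so binding alone is not the detection.
            self.issued_at[ev.session_id] = ev.ts
            self.contexts[ev.session_id] = [ctx]
            return None
        if ev.session_id not in self.issued_at:
            return self._record(ev, "unknown_session", "high", [])
        if ev.ts - self.issued_at[ev.session_id] > SESSION_MAX_AGE:
            return self._record(ev, "stale_session", "medium", [])
        seen = self.contexts[ev.session_id]
        if ctx in seen:
            return None  # same context as before, nothing to report
        changed = [name for name, old, new in zip(CONTEXT_FIELDS, seen[-1], ctx) if old != new]
        seen.append(ctx)
        severity = "high" if "client_fp" in changed else "medium"
        return self._record(ev, "session_context_change", severity, changed)

    def _record(self, ev: SessionEvent, kind: str, severity: str, changed: list[str]) -> dict:
        finding = {
            "ts": ev.ts.isoformat(),
            "session_id": ev.session_id,
            "user": ev.user,
            "finding": kind,
            "severity": severity,
            "changed": changed,
            # Assumed response policy: high severity revokes the session outright.
            "action": "revoke_and_reauth" if severity == "high" else "step_up_auth",
        }
        self.findings.append(finding)
        return finding


def run(events: list[SessionEvent]) -> list[dict]:
    monitor = SessionMonitor()
    for ev in sorted(events, key=lambda e: e.ts):
        monitor.observe(ev)
    return monitor.findings


# Constructed sample log (documentation IP ranges, made-up fingerprints).
T0 = datetime(2025, 1, 15, 9, 0)
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
SAMPLE_LOG = [
    # sess-1 is issued through an AiTM proxy: the IdP sees the proxy's context.
    SessionEvent(T0, "sess-1", "alice", "login_mfa_ok", "203.0.113.10", CHROME, "fp-proxy-7f3a"),
    SessionEvent(T0 + timedelta(minutes=1), "sess-1", "alice", "request", "203.0.113.10", CHROME, "fp-proxy-7f3a"),
    # Fifteen minutes later the same cookie is presented from a different client context.
    SessionEvent(T0 + timedelta(minutes=15), "sess-1", "alice", "request", "198.51.100.42", CHROME, "fp-other-19c2"),
    # sess-2 is a normal login and use from one context (IP moves within the /24).
    SessionEvent(T0 + timedelta(minutes=5), "sess-2", "bob", "login_mfa_ok", "192.0.2.77", CHROME, "fp-bob-aa01"),
    SessionEvent(T0 + timedelta(minutes=30), "sess-2", "bob", "request", "192.0.2.78", CHROME, "fp-bob-aa01"),
    # sess-2 used again well past the lifetime from the same context.
    SessionEvent(T0 + timedelta(hours=3), "sess-2", "bob", "request", "192.0.2.78", CHROME, "fp-bob-aa01"),
]

if __name__ == "__main__":
    for finding in run(SAMPLE_LOG):
        print(finding)
```

The monitor does not try to decide which context is the attacker's; a session that turns up in two distinct client contexts is enough reason to revoke it and force a fresh, phishing-resistant authentication, and the age check limits how long a captured cookie stays useful even when no second context is ever observed.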