TL;DR: Attackers are using LinkedIn messages, Google and Microsoft redirect chains, and AiTM phishing pages to steal Microsoft sessions while bypassing MFA and traditional email controls, according to Push Security. The pattern shows that browser-visible identity attacks now outrun inbox-centric defenses and demand stronger session-level governance.
NHIMG editorial — based on content published by Push Security: Push Security identifies surge in sophisticated LinkedIn-based phishing campaigns
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams respond to LinkedIn-based phishing that uses trusted redirects?
A: Security teams should monitor social platforms, browser sessions, and redirect behaviour together, because the attack chain begins outside email and often ends after the user has authenticated.
Q: Why do legitimate Google and Microsoft redirects make phishing harder to stop?
A: Trusted redirects make phishing harder to stop because each intermediary can look legitimate to reputation-based filters, allowing the final credential page to arrive with inherited trust.
Q: What do security teams get wrong about MFA in AiTM phishing attacks?
A: Teams often assume MFA ends the threat once the login challenge succeeds, but AiTM attacks can capture the resulting session instead.
Practitioner guidance
- Instrument browser-session telemetry: Collect and review browser-level signals for redirect chains, credential entry points, and unusual post-authentication behaviour so identity attacks can be detected where they execute.
- Treat social platforms as phishing ingress paths: Add LinkedIn and other collaboration channels to phishing monitoring, awareness, and response playbooks instead of relying only on email gateway coverage.
- Harden against AiTM session theft: Prioritise phishing-resistant authentication where possible, then pair it with session binding, token protection, and controls that reduce reuse of captured sessions.
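One way to apply the first guidance item to collected browser navigation events, as an added example that is not Push Security's detection logic or code from the original post: it rebuilds per-tab redirect chains and alerts when a credential form hosted off the identity provider is reached via a social platform or several trusted-service hops. The event tuple layout, the host suffix lists, the sign-in host, and the thresholds are assumptions, and the sample telemetry is constructed.

```python
from urllib.parse import urlsplit

# Assumed host suffixes for the services the page names; adjust to your telemetry.
SOCIAL = ("linkedin.com",)
TRUSTED = ("google.com", "web.app", "firebaseapp.com", "dynamics.com")
IDP_HOSTS = {"login.microsoftonline.com"}  # assumed legitimate Microsoft sign-in host

def host(url):
    return (urlsplit(url).hostname or "").lower()

def under(h, suffixes):
    return any(h == s or h.endswith("." + s) for s in suffixes)  # label-boundary match

def build_chains(events):
    """Order events per tab; a user-typed navigation starts a new chain."""
    tabs = {}
    for ev in sorted(events):  # tuples sort by timestamp first
        chains = tabs.setdefault(ev[1], [[]])
        if ev[3] == "typed" and chains[-1]:
            chains.append([])
        chains[-1].append(ev)
    return [c for chains in tabs.values() for c in chains]

def findings(chain):
    hosts = [host(url) for _, _, url, _, _ in chain]
    out = []
    if under(hosts[0], SOCIAL):
        out.append("social-ingress")
    if sum(under(h, TRUSTED) for h in hosts[1:-1]) >= 2:
        out.append("trusted-redirect-chain")
    if chain[-1][4] and hosts[-1] not in IDP_HOSTS:
        out.append("credential-form-off-idp")
    return out

def detect(events):  # alert only when an off-IdP credential form has a corroborating signal
    hits = [(c, findings(c)) for c in build_chains(events)]
    return [{"tab": c[0][1], "final": host(c[-1][2]), "findings": f}
            for c, f in hits if "credential-form-off-idp" in f and len(f) >= 2]

# Constructed telemetry: (ts, tab, url, cause, password_field_seen). Hosts are illustrative.
EVENTS = [
    (1, 1, "https://www.linkedin.com/messaging/", "typed", False),
    (2, 1, "https://www.google.com/url?q=constructed", "link", False),
    (3, 1, "https://constructed-app.web.app/", "redirect", False),
    (4, 1, "https://sites.google.com/view/constructed", "redirect", False),
    (5, 1, "https://constructed.crm.dynamics.com/", "redirect", False),
    (6, 1, "https://signin.constructed.example/", "redirect", True),
    (7, 2, "https://login.microsoftonline.com/", "typed", True),
    (8, 3, "https://portal.constructed.example/login", "typed", True),
]
```

Tabs 2 and 3 are the negative cases: a direct sign-in on the identity provider, and a directly typed login page with no social ingress or trusted-hop chain behind it.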
What's in the full analysis
Push Security’s full post covers the operational detail this post intentionally leaves for the source:
- The exact redirect sequence across Google Search, Firebase, Google Sites, and Microsoft Dynamics.
- The browser-native detection logic used to spot the campaign in real time.
- The examples of page obfuscation and bot protection that helped the attackers evade analysis.
- The additional identity attack surface findings around unmanaged logins, weak MFA coverage, and risky OAuth integrations.
LinkedIn phishing chains and session theft: are your controls keeping up?
Explore further
Browser session trust is now part of identity governance, not just endpoint hygiene. This campaign shows that the security boundary has moved into the browser, where users authenticate, click, and complete session hand-offs. Traditional IAM programmes that stop at login success are missing the point. The practical conclusion is that identity governance must include how sessions are created, intercepted, and reused in real time.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Which controls matter most when phishing moves beyond email into the browser?
A: The controls that matter most are browser telemetry, session protection, suspicious redirect inspection, and user access monitoring across social and collaboration channels. If the enterprise only watches the inbox, it will miss the actual place where the compromise unfolds.