
LinkedIn phishing via AiTM pages: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: A targeted LinkedIn phishing campaign chained trusted web properties, layered redirects, and CAPTCHA-based evasion to reach an attacker-in-the-middle login page aimed at an executive’s Google Workspace account, according to Push Security. The incident shows how one compromised SSO-linked account can widen blast radius across downstream applications and turn browser-level phishing into an identity governance problem.

NHIMG editorial — based on content published by Push Security: How Push blocked a LinkedIn-delivered AiTM phishing attack targeting an executive

By the numbers:

Questions worth separating out

Q: How should security teams reduce the impact of LinkedIn-delivered phishing attacks?

A: Security teams should treat LinkedIn as part of the identity attack surface, not only as a communications channel.

Q: Why do AiTM phishing attacks create more risk than ordinary credential theft?

A: AiTM phishing can capture the live session as well as the password, which lets attackers bypass some downstream authentication checks.

Q: What do security teams get wrong about phishing detection in modern browser flows?

A: Many teams still expect a malicious URL to be visible early and stable enough for static filtering or sandboxing.

Practitioner guidance

  • Map executive identity blast radius: Inventory every downstream application, API, and SSO-linked service reachable from executive accounts, then remove non-essential access paths and stale integrations.
  • Add browser-side phishing interception: Use controls that evaluate the live browser session and block attacker-in-the-middle pages before credentials or session tokens are submitted.
  • Hunt for multi-step redirect patterns: Search telemetry for short bursts of access across sites.google.com, Microsoft Dynamics domains, and suspicious .sa.com destinations within the same user session.

What's in the full article

Push Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The exact redirect sequence used to move victims from LinkedIn to Google Sites, then Microsoft Dynamics, and finally the AiTM login page.
  • The browser-detection and block-mode behaviour that stopped the phishing flow in real time.
  • The indicator patterns the vendor recommends for hunting executive-level users across the campaign.
  • The timeline visibility used to reconstruct the attack chain and support incident response.

👉 Read Push Security's analysis of the LinkedIn AiTM phishing campaign →
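Added example (not from Push Security or the original post): a small Python hunt that applies the redirect-burst guidance above to constructed proxy telemetry, flagging a user who reaches sites.google.com, a Microsoft Dynamics host and a .sa.com destination in order within one short window. The log format, the 120-second window, the `.dynamics.com` suffix and all hostnames are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): "<timestamp> <user> <host>" per line.
# alice shows the three-stage chain in quick succession; bob and carol do not.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice sites.google.com
2024-05-01T09:00:04Z alice contoso.crm.dynamics.com
2024-05-01T09:00:09Z alice login-portal.example.sa.com
2024-05-01T09:30:00Z bob sites.google.com
2024-05-01T11:00:00Z bob mail.google.com
2024-05-01T11:45:00Z carol docs.example.sa.com
"""

# Ordered stages of the redirect chain described in the post. The Dynamics
# suffix is an assumption about how tenant hosts are named; adjust to local data.
STAGES = (
    ("google_sites", lambda h: h == "sites.google.com"),
    ("dynamics", lambda h: h.endswith(".dynamics.com")),
    ("sa_com", lambda h: h.endswith(".sa.com")),
)
WINDOW = timedelta(seconds=120)  # assumption: "short burst" = within two minutes


def parse(log):
    """Parse lines into (timestamp, user, host) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, host = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host.lower()))
    return events


def find_redirect_bursts(log, window=WINDOW):
    """Return {user: [hosts]} for users who hit every stage, in order, within `window`."""
    by_user = defaultdict(list)
    for ts, user, host in parse(log):
        by_user[user].append((ts, host))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (t0, h0) in enumerate(evs):
            if user in hits or not STAGES[0][1](h0):
                continue
            chain, stage = [h0], 1
            for t, h in evs[i + 1:]:
                if t - t0 > window:
                    break
                if STAGES[stage][1](h):
                    chain.append(h)
                    stage += 1
                    if stage == len(STAGES):
                        hits[user] = chain
                        break
    return hits
```

Matching on order and timing rather than on any single domain keeps the rule useful when the final AiTM host changes between campaigns.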

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Browser-delivered phishing is now an identity governance problem, not just a mail-security problem. When attackers move through LinkedIn and other collaboration channels, they evade email-centric controls and force IAM teams to think about identity attack surface across every user touchpoint. The control boundary has shifted from message filtering to session protection and downstream access visibility. Practitioners should treat external social channels as part of the identity perimeter.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • The same research found that 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, with inadequate monitoring and logging and over-privileged accounts each cited by 37%.

A question worth separating out:

Q: Who is accountable when a compromised executive account reaches downstream SSO applications?

A: Accountability sits with the identity and access programme, because the compromise exposes gaps in session control, application trust, and offboarding of latent access paths. Incident response must include app owners, IAM teams, and security operations so that resets are paired with review of connected integrations and token-based persistence.

👉 Read our full editorial: LinkedIn AiTM phishing exposes executive Google Workspace blast radius
