TL;DR: 34% of phishing attacks intercepted last month came through non-email channels such as social media, instant messaging, search ads, and in-app messages, according to Push Security, while a LinkedIn campaign used redirects, bot checks, and page obfuscation to steal Microsoft sessions. The pattern shows why email-first controls no longer define the full identity attack surface.
NHIMG editorial — based on content published by Push Security: LinkedIn phishing attack breakdown and detection evasion techniques
By the numbers:
- 34% of the phishing attacks intercepted by Push last month came through non-email channels like social media, IM platforms, malicious search engine ads, and in-app communications.
Questions worth separating out
Q: How should security teams handle phishing that arrives outside email?
A: Security teams should extend detection, browser protection, and user reporting beyond email into social media, messaging apps, and search-driven delivery.
Q: Why do LinkedIn phishing attacks bypass traditional controls so often?
A: They bypass traditional controls because many anti-phishing stacks are built around inbox inspection, URL reputation, and mail gateway workflows. A link delivered in a LinkedIn message, a search ad, or an in-app notification never transits the mail gateway, so nothing inspects it before the click, and URL reputation has little to say about a freshly stood-up page reached through a trusted relay.
Q: What signals indicate a phishing page is designed to evade analysis?
A: Signals include long redirect chains, hops through trusted hosts that only relay the visitor onward, human verification gates such as CAPTCHA or Turnstile that an automated scanner cannot pass, and page content assembled at runtime rather than served statically, so a static fingerprint of the fetched HTML never matches the page the user actually sees.
Practitioner guidance
- Expand phishing controls beyond email: instrument LinkedIn, messaging apps, search-ad click paths, and in-app message flows with the same scrutiny traditionally reserved for inboxes.
- Test redirect chains end to end: review how your tooling handles multi-hop redirects through trusted services such as Google Search and Firebase hosting, and whether it reports the final destination or stops at the first trusted host.
- Challenge human-gated phishing pages: validate detections against pages that use CAPTCHA, Turnstile, and runtime obfuscation. A scanner that cannot pass the gate only ever sees the challenge page, never the credential form behind it, so exercise it the way attackers operate.
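The signals in the Q&A above and the redirect-chain and bot-gate checks in the guidance, as one worked heuristic. This is an added example, not Push Security's or NHIMG's code. It follows a chain hop by hop with a pluggable fetcher, flags hops hosted on trusted relay services, extracts the destination of a Google /url redirect statically, and scans the final page for verification-gate scripts and runtime page building. The hop chain and final HTML are constructed; the relay host lists and the runtime-build patterns are assumptions to tune against your own telemetry. The Turnstile and reCAPTCHA script paths and the Firebase hosting suffixes are the real ones, but legitimate sites use all of them, so every signal here is something to correlate, not a verdict on its own.

```python
"""Heuristics for non-email phishing lures: multi-hop redirect chains,
trusted-host relays, human-verification gates and pages built at runtime.

Added example (not Push Security's or NHIMG's code). The hop chain and the
final HTML are constructed; relay lists and runtime patterns are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

# Assumed relay lists. Google's /url redirector and Firebase Hosting are real
# services that legitimate links also use: signals, not verdicts.
TRUSTED_RELAY_HOSTS = {"www.google.com": "Google Search redirect"}
TRUSTED_RELAY_SUFFIXES = {".web.app": "Firebase Hosting",
                          ".firebaseapp.com": "Firebase Hosting"}
# Script paths the real Turnstile and reCAPTCHA widgets load from.
BOT_GATE_MARKERS = {"challenges.cloudflare.com/turnstile": "Cloudflare Turnstile",
                    "www.google.com/recaptcha": "Google reCAPTCHA"}
# Assumed markers of a page that assembles its DOM at runtime, which defeats
# static fingerprinting of the HTML actually served.
RUNTIME_BUILD_PATTERNS = [(r"\batob\(", "base64 decode at runtime"),
                          (r"\beval\(", "eval"),
                          (r"String\.fromCharCode", "char-code string building"),
                          (r"document\.write\(", "document.write")]


@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str] = None  # Location header on a 3xx response
    body: str = ""                  # HTML body on a non-redirect response


def classify_relay(url: str) -> Optional[str]:
    """Name the trusted service a URL is hosted on, or None."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_RELAY_HOSTS:
        return TRUSTED_RELAY_HOSTS[host]
    return next((n for s, n in TRUSTED_RELAY_SUFFIXES.items() if host.endswith(s)), None)


def google_redirect_target(url: str) -> Optional[str]:
    """Static check: a /url?q=... link exposes its destination without a fetch."""
    p = urlparse(url)
    if p.hostname == "www.google.com" and p.path == "/url":
        return parse_qs(p.query).get("q", [None])[0]
    return None


def follow_chain(start: str, fetch: Callable[[str], Hop], max_hops: int = 10) -> list:
    """Follow Location headers hop by hop; stop on a loop or after max_hops."""
    hops, seen, url = [], set(), start
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        hop = fetch(url)
        hops.append(hop)
        url = hop.location if 300 <= hop.status < 400 else None
    return hops


def analyse_chain(hops: list) -> dict:
    """Score a resolved chain on the four signals named in the text."""
    relays = [(h.url, name) for h in hops
              if 300 <= h.status < 400 and (name := classify_relay(h.url))]
    final = hops[-1]
    gates = [n for marker, n in BOT_GATE_MARKERS.items() if marker in final.body]
    runtime = [n for pat, n in RUNTIME_BUILD_PATTERNS if re.search(pat, final.body)]
    score = int(len(hops) >= 3) + int(bool(relays)) + int(bool(gates)) + int(bool(runtime))
    return {"hop_count": len(hops), "final_url": final.url, "trusted_relays": relays,
            "bot_gates": gates, "runtime_build": runtime, "score": score}


# Constructed sample: search redirect -> Firebase-hosted relay -> gated page whose
# login form is only written into the DOM after the Turnstile challenge passes.
START_URL = "https://www.google.com/url?q=https://lure-example.web.app/"
FINAL_HTML = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><div class="cf-turnstile" data-sitekey="EXAMPLE-SITEKEY"></div>
<script>function onPass(t){document.write(atob("PGZvcm0gYWN0aW9uPSIvbG9naW4iPg=="));}</script>
</body></html>"""
SAMPLE_RESPONSES = {
    START_URL: Hop(START_URL, 302, location="https://lure-example.web.app/"),
    "https://lure-example.web.app/": Hop("https://lure-example.web.app/", 302,
                                          location="https://sso-login.example/verify"),
    "https://sso-login.example/verify": Hop("https://sso-login.example/verify", 200,
                                             body=FINAL_HTML),
}


def fake_fetch(url: str) -> Hop:
    """Stand-in for an HTTP client that does not follow redirects itself."""
    return SAMPLE_RESPONSES[url]


def run_sample() -> dict:
    return analyse_chain(follow_chain(START_URL, fake_fetch))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The fetcher is injected so the same logic runs against a real client that has redirect-following disabled; the point of disabling it is that you want every hop recorded, not just the last response. `follow_chain` also stops on a revisited URL, so a redirect loop set up to exhaust a naive crawler terminates after the second hop.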
What's in the full article
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- Detection timeline screenshots showing each redirect hop, bot gate, and final credential capture stage
- Examples of the exact phishing page obfuscation tactics used to defeat static fingerprinting
- Browser-based response workflow details for blocking AiTM phishing and session hijacking in real time
👉 Read Push Security's analysis of LinkedIn phishing and session theft →
LinkedIn phishing via trusted services: are your controls keeping up?
Explore further
Email-centric phishing strategy is now a partial control model, not a complete one. This campaign shows that attackers have learned to start in the places employees already trust, then move the malicious handoff into the browser. Email security still matters, but it no longer defines the boundary of phishing defence. Practitioners should treat non-email delivery as a first-class identity risk, not an edge case.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only about 1.5 in 10 organisations (15%) are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 (just under 25%) for securing human identities.
A question worth separating out:
Q: Who owns the response when a corporate session is stolen through a browser-based phish?
A: Identity, SOC, and IAM teams should share accountability because the compromise spans lure delivery, authentication, session handling, and downstream application access. The immediate concern is not just the password but the live session and the SSO-connected services it can reach. Resetting the password does not by itself invalidate a session the attacker already holds, so the response has to include revoking the active sessions and refresh tokens and then reviewing what the session touched.
👉 Read our full editorial: LinkedIn phishing bypasses email controls and steals corporate sessions