LinkedIn phishing via trusted services: are your controls keeping up?

TL;DR: 34% of phishing attacks intercepted last month came through non-email channels such as social media, instant messaging, search ads, and in-app messages, according to Push Security, while a LinkedIn campaign used redirects, bot checks, and page obfuscation to steal Microsoft sessions. The pattern shows why email-first controls no longer define the full identity attack surface.

NHIMG editorial — based on content published by Push Security: LinkedIn phishing attack breakdown and detection evasion techniques

By the numbers:

• 34% of the phishing attacks intercepted by Push last month came through non-email channels like social media, IM platforms, malicious search engine ads, and in-app communications.

Questions worth separating out

Q: How should security teams handle phishing that arrives outside email?

A: Security teams should extend detection, browser protection, and user reporting beyond email into social media, messaging apps, and search-driven delivery.

Q: Why do LinkedIn phishing attacks bypass traditional controls so often?

A: They bypass traditional controls because many anti-phishing stacks are built around inbox inspection, URL reputation, and mail gateway workflows.

Q: What signals indicate a phishing page is designed to evade analysis?

A: Signals include long redirect chains, trusted-host relays, human verification gates such as CAPTCHA or Turnstile, and page elements that change at runtime.

Practitioner guidance

• Expand phishing controls beyond email Instrument LinkedIn, messaging apps, search-ad click paths, and in-app message flows with the same scrutiny traditionally reserved for inboxes.
• Test redirect chains end to end Review how your tooling handles multi-hop redirects through trusted services such as Google Search and Firebase hosting.
• Challenge human-gated phishing pages Validate detections against pages that use CAPTCHA, Turnstile, and runtime obfuscation so your scanners are tested the way attackers operate.

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

• Detection timeline screenshots showing each redirect hop, bot gate, and final credential capture stage
• Examples of the exact phishing page obfuscation tactics used to defeat static fingerprinting
• Browser-based response workflow details for blocking AiTM phishing and session hijacking in real time

👉 Read Push Security's analysis of LinkedIn phishing and session theft →

LinkedIn phishing via trusted services: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →