News Daily Nation Digital News & Media Platform

LinkedIn-themed phishing abuses Adobe’s A/B testing platform

Jun 21, 2026  Twila Rosenbaum

A newly documented phishing campaign is targeting professionals with fake LinkedIn business emails and abusing a trusted service operated by Adobe. This attack, analyzed by cybersecurity researchers, combines social engineering with technical deception to steal credentials from unsuspecting users. The campaign highlights how attackers continuously evolve their tactics to bypass both human vigilance and automated security filters.

The Attack from the Victim’s Perspective

The attack begins with an email that appears to be a routine business inquiry. The sender claims to want to do business with the recipient through LinkedIn and has attached a signed contract for review. The email is short, professional, and includes the sender's name and a company, which may be real even though the sender is not actually employed there (a common tactic to add legitimacy). The attached file appears to be a PDF but is actually an HTML file disguised with a double extension (e.g., contract.pdf.html).

If the recipient opens the attachment, a browser window displays a familiar-looking LinkedIn login page with their email address already filled in. The design closely mimics the real LinkedIn interface, including the logo, font, and layout. If the user types their password and clicks submit, the credentials are sent to a server controlled by the attackers. The victim is then redirected to the genuine LinkedIn website, so the attack may not be immediately detected.

The Tricks Behind the Attack

The attackers employed several layers of deception to make this attack effective and hard to detect. First, they impersonate a legitimate platform – LinkedIn – which is widely used by professionals for business networking. The lure (a business inquiry) is contextually appropriate, making it less suspicious than generic phishing attempts. Second, they use double extensions to disguise the HTML file as a PDF, exploiting the fact that many users rely on file extensions to judge safety. Third, the HTML file is heavily obfuscated to evade static analysis by email security gateways.

Perhaps the most sophisticated trick is the abuse of Adobe’s infrastructure. Rather than sending the victim straight to their own malicious servers, the attackers route the browser through Adobe Target, a legitimate A/B testing platform hosted at the omtrdc.net domain. This serves two purposes: it makes the network traffic appear to go to a trusted Adobe address, avoiding domain reputation blacklists, and it likely allows the attackers to track which victims click through and submit credentials (using Adobe Target’s built-in analytics).

This technique, known as a trusted redirect or open redirect abuse, capitalizes on the fact that security solutions and users often whitelist major domains like Adobe. By piggybacking on Adobe’s reputation, the attackers increase the chances of the email landing in the inbox rather than the spam folder.

These Attacks Are Built to Scale

Malwarebytes researchers, who first documented the campaign, note that these attacks are cheap to execute and highly scalable. The phishing kit can be reused with minimal modifications, and the abuse of Adobe Target means the attackers can rotate landing pages and tracking parameters without raising red flags. Moreover, the use of pre-filled email addresses personalizes the attack, increasing the likelihood that recipients will trust the login page and enter their password.

While careful users may spot warning signs – such as a mismatch between the sender’s claimed company and their actual email address, or the unusual file extension – a moment of distraction is enough to fall victim. The researchers emphasize that the campaign is likely to continue circulating, especially given the success rate observed so far.

How to Protect Yourself and Your Organization

To defend against these sophisticated phishing attacks, users and organizations should adopt a multi-layered security approach. First, avoid opening unsolicited attachments, even if they appear to come from a known source. Instead, verify the request through a separate communication channel (e.g., call the sender or send a new email to their official address). Second, enable multi-factor authentication (MFA) for all critical accounts, especially LinkedIn and other professional platforms. MFA adds a second layer of security that can block credential theft even if the password is compromised.

Third, make it a habit to access accounts only through official apps, by typing the official website address directly into the browser, or via a bookmark you created yourself. Never click links in emails, even if they look legitimate. Fourth, educate employees about the risks of file extensions and the use of trusted redirects by attackers. Regular security awareness training can help users recognize red flags such as pre-filled login forms or unexpected file types.

From an organizational perspective, email security gateways should be configured to inspect attachments for obfuscated HTML and block known malicious domains. IT teams should also monitor network traffic for unusual connections to trusted domains like omtrdc.net that could indicate abuse. Advanced threat protection solutions that use behavioral analysis and machine learning can identify anomalies such as a user being redirected from a reputable service to a credential-harvesting page.
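As an added illustration of the gateway-side inspection described above (not code from the researchers or from any product), the following Python sketch flags the traits the article lists: a document-plus-HTML double extension, a password form, the recipient's address pre-filled in the page, a URL on omtrdc.net, and signs of script obfuscation. The function names, extension sets, obfuscation heuristic and the sample message are all assumptions constructed for this example.

```python
import re
from email.message import EmailMessage

DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx"}  # document types used as a disguise
HTML_EXT = {"html", "htm", "shtml", "xhtml"}
REDIRECT_HOSTS = ("omtrdc.net",)  # Adobe Target domain named in the article

def attachment_findings(filename, ctype, body, recipient):
    """Return the reasons an attachment should be held for review."""
    findings = []
    parts = (filename or "").lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DECOY_EXT and parts[2] in HTML_EXT:
        findings.append("double-extension")
    if parts[-1] not in HTML_EXT and ctype != "text/html":
        return findings  # not HTML: the content checks below do not apply
    if re.search(r"<input[^>]+type\s*=\s*['\"]?password", body, re.I):
        findings.append("password-form")
    if recipient and recipient.lower() in body.lower():
        findings.append("prefilled-recipient")
    for host in REDIRECT_HOSTS:
        if re.search(r"https?://[\w.-]*\b" + re.escape(host), body, re.I):
            findings.append("trusted-redirect:" + host)
    # Assumed heuristic: long encoded runs or runtime decoders suggest obfuscation.
    if re.search(r"[A-Za-z0-9+/=]{200,}|\b(atob|unescape|fromCharCode)\s*\(", body):
        findings.append("obfuscated-script")
    return findings

def scan_message(msg):
    # Map each attachment filename to its findings.
    to = msg["To"].addresses[0].addr_spec if msg["To"] else ""
    report = {}
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True) or b""
        body = raw.decode("utf-8", errors="replace")
        name = part.get_filename()
        report[name] = attachment_findings(name, part.get_content_type(), body, to)
    return report

def build_sample():
    """Constructed message imitating the lure; every value is a placeholder."""
    msg = EmailMessage()
    msg["To"] = "recipient@example.org"
    msg.set_content("Please review the attached contract.")
    html = ('<form action="https://placeholder.omtrdc.net/constructed">'
            '<input type="email" value="recipient@example.org"><input type="password">'
            '</form><script>document.title = atob("Y29uc3RydWN0ZWQ=")</script>')
    msg.add_attachment(html, subtype="html", filename="contract.pdf.html")
    return msg

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Each finding alone is weak evidence, since legitimate pages also contain password fields and Adobe Target URLs; the combination on an emailed HTML attachment is what justifies holding the message.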

Finally, users should consider using password managers that automatically fill credentials only on legitimate websites. Password managers can detect mismatched domains and refuse to autofill on phishing pages, providing an additional layer of defense.

The campaign demonstrates that phishing attacks continue to evolve, leveraging trusted infrastructure and psychological triggers to bypass traditional defenses. As attackers adopt more sophisticated techniques, users and security professionals must remain vigilant and proactive in protecting sensitive information.


Source: Help Net Security News

