Phishing Attacks Exploiting Business Communication Channels and Executive Impersonation
Cybercriminals are increasingly leveraging trusted business communication channels, such as company email accounts and professional networking platforms, to conduct sophisticated phishing attacks. By compromising legitimate email accounts, attackers can bypass authentication mechanisms like DMARC and remove typical signs of phishing, making it difficult for both security systems and individuals to detect malicious messages. These tactics often involve impersonation of trusted contacts or brands, exploiting pre-existing relationships or establishing new ones to socially engineer targets into divulging sensitive information.
A recent campaign specifically targeted finance executives on LinkedIn with direct messages impersonating invitations to join an executive board for a fictitious investment fund. The phishing messages included malicious links that redirected victims through a series of sites, ultimately leading to a fake "LinkedIn Cloud Share" portal designed to steal Microsoft credentials. Attackers used domains such as payrails-canaccord[.]icu and boardproposalmeet[.]com and hosted their final phishing pages on Firebase, further increasing the credibility of the attack. These incidents highlight the evolving sophistication of phishing campaigns and the need for heightened vigilance among organizations and their executives.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
LinkedIn phishing campaign targets finance executives with fake board invites
A phishing campaign began targeting finance executives via LinkedIn direct messages, using fake invitations to join the executive board of the Common Wealth investment fund. Victims were routed through a fake LinkedIn Cloud Share portal, a Cloudflare Turnstile CAPTCHA, and a fraudulent Microsoft login page designed to steal credentials and session cookies.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
New LinkedIn phishing campaign targets finance executives
scworld.com
Open sourceWhen a “Contact Us” Form Becomes “Contact a Cybercriminal”
blog.knowbe4.com
Open sourceLinkedIn phishing targets finance execs with fake board invites
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and BEC Campaigns Abusing Trusted Platforms and Infrastructure
A wave of **phishing activity** is leveraging trusted brands and legitimate platform features to increase click-through and evade security controls. LinkedIn users are being targeted via fake “reply” comments posted on public threads that impersonate LinkedIn policy enforcement, claim an account violation, and push victims to external credential-harvesting pages. The lures mimic official branding and sometimes use LinkedIn’s own `lnkd.in` shortener to obscure destinations; reported redirect chains include Netlify-hosted pages (e.g., `very1929412.netlify[.]app`) leading to additional domains (e.g., `very128918[.]site`) designed to capture credentials. LinkedIn stated it is aware of the campaign and emphasized it does not communicate policy violations via public comments. Separately, RavenMail reported a large-scale email phishing campaign impacting **3,000+ organizations** (notably manufacturing) that abused **Google infrastructure** to bypass defenses: messages were sent via legitimate Google services, passed **SPF/DKIM/DMARC**, and used trusted Google-hosted URLs and Google Cloud Storage to host payloads and redirectors—without requiring a compromise of Google itself. In parallel trend reporting, LevelBlue SpiderLabs observed **BEC** volume rising **15% in 2025** based on MailMarshal telemetry (averaging 3,000 intercepted BEC messages per month), with evolving social engineering such as “**contact details swapping**,” where attackers impersonate finance teams to “update” official contact information to divert payments or data; this underscores continued attacker focus on impersonation and trust exploitation across both social platforms and email ecosystems.
Mar 21, 2026
Phishing Campaigns Exploiting Trusted Brands and Services
Threat actors have intensified their use of phishing campaigns by impersonating well-known brands and trusted online services to deceive victims and steal sensitive credentials. In one campaign identified by the Cofense Phishing Defense Center, attackers targeted individuals in social media and marketing roles by sending fake job application emails that appeared to originate from major companies such as Red Bull, Tesla, Google, and Ferrari. These emails used convincing language and branding, including up-to-date logos and tailored subdomains, to increase their legitimacy and lure recipients into clicking malicious links. The attackers further enhanced the credibility of their messages by spoofing the sender address to appear as if it came from a legitimate domain, such as Xero, which has been abused in previous phishing incidents. The phishing process often began with a CAPTCHA page to create a sense of security before redirecting victims to fraudulent login pages designed to harvest credentials. This approach demonstrates a sophisticated understanding of social engineering tactics and the value of resume and personal information in targeting specific job seekers. In a separate but similarly themed incident, a Malwarebytes employee was targeted by a phishing email that impersonated 1Password, a popular password manager. The email falsely claimed that the recipient's 1Password account had been compromised and urged immediate action, including changing the account password and enabling two-factor authentication. The message mimicked legitimate security alerts, referencing 1Password's Watchtower feature, but included subtle red flags such as a sender address not associated with 1Password and a malicious link disguised as a legitimate action button. The phishing link directed users to a typosquatted domain, onepass-word[.]com, rather than the official 1Password website. Interestingly, the email's 'Contact us' link routed through a legitimate support page but used a redirect service, further complicating detection. The use of Mandrillapp, a transactional email delivery service, added another layer of apparent legitimacy to the phishing attempt. Both campaigns highlight the increasing sophistication of phishing attacks, with threat actors leveraging trusted brands and services to bypass security filters and exploit user trust. The attackers' use of brand-specific subdomains, authentic-looking graphics, and familiar communication styles makes these phishing emails particularly convincing. By targeting individuals with tailored messages, such as job seekers or users of specific online services, the campaigns increase the likelihood of successful credential theft. The abuse of legitimate infrastructure, such as Xero's email services and Mandrillapp, demonstrates how attackers can exploit trusted platforms to evade detection. Security teams are advised to educate users about the signs of phishing, including checking sender addresses, scrutinizing URLs, and being wary of urgent requests for sensitive information. Organizations should also monitor for abuse of their brand in phishing campaigns and work with email providers to block malicious domains. The incidents underscore the need for robust email security solutions and ongoing vigilance against evolving social engineering tactics. As phishing campaigns continue to evolve, both individuals and organizations must remain alert to the latest techniques used by cybercriminals to compromise accounts and steal valuable data.
Mar 21, 2026
Phishing Campaigns Exploiting Email Trust Mechanisms for Credential Theft
Attackers have launched multiple sophisticated phishing campaigns targeting business users by exploiting trusted email mechanisms and brand impersonation. One campaign abused the legitimate `@facebookmail.com` domain and Meta Business Suite’s invitation feature to send convincing phishing emails to Facebook Business users, primarily targeting companies in sectors like automotive, education, real estate, hospitality, and finance. These emails, which appeared authentic due to their origin from Meta’s infrastructure, redirected victims to credential harvesting sites, with some organizations receiving thousands of such messages. The attackers created fake business pages and mimicked official branding to increase the likelihood of success, as confirmed by security researchers who reproduced the attack method. Other campaigns have leveraged HTML attachments and spoofed internal notifications to bypass traditional email security. In Central and Eastern Europe, phishing emails with malicious HTML attachments embedded JavaScript to steal credentials, impersonating brands like Adobe and Microsoft and transmitting stolen data to attacker-controlled Telegram bots. Another campaign disguised phishing emails as spam filter alerts from within the victim’s own organization, using obfuscated code and personalized fake login screens to harvest credentials via websockets. These evolving tactics highlight the increasing sophistication of phishing operations and the need for organizations to monitor for unusual connections, inspect email content, and educate users about the risks of unsolicited attachments and internal-looking notifications.
Mar 21, 2026