LinkedIn Shared Document phishing campaign

Published by Reza Rafati on

LinkedIn users are being targeted by an phishing campaign which tries to lure unaware users with a fake “LinkedIn Shared Document” message.The fake LinkedIn phishing pages state that the user has received a document via LinkedIn. This document can be viewed, but the user first needs to login.

Fake pages have used this Fake LinkedIn Shared Document

LinkedIn Shared Document phishing campaign

I found one of the LinkedIn phishing pages on URLscan and decided to take a deeper dive into it. On the first impression, we can state that the phishing page is very lightweight. It only loads a couple of external sources to build up the actual phishing page which shows the “LinkedIn Shared Document” message.

Just 3 files loaded to show the phishing page (via URLscan report)

Once the button ‘view document here’ is clicked, the victim is navigated to another fake login page. This page tries to obtain the Microsoft Onedrive credentials of the victim.

[Name] has granted you access to secured company files below

Text from the LinkedIn phishing page.
OneDrive credentials are requested

I continued to find similar attacks on URLscan. The attacks used the same campaign but used different landing page locations. The structure and the files loaded remained the same.

Private capital fund (01-08-2022)

The current campaign claims that there is a document named ‘Private Capital Fund’. The fake message continues to state that in order to open the link the victim needs to provide their credentials first.

To open this secure link, we’ll need you to enter the office365 email that this item was shared to.

Text from the LinkedIn / Onedrive phishing page

Filenames used

The campaign itself

There are some items which stand out when looking at this LinkedIn and Onedrive phishing campaign. The cybercriminals behind this attack are doing the following:

  • Changing the path of the phishing page
  • Utilize multiple randomly named domains
  • Start with fake “LinkedIn shared document” message which leads to fake “OneDrive login” form
  • Use a lightweight phishing page
  • Static text is used

Follow this campaign via URLscan

Share this information

Reza Rafati

Founder of Cyberwarzone.com.