
Cybercriminals are spoofing LinkedIn email notifications with fake invitations, bypassing existing security measures. If users choose to reply to convincing opportunities, they’ll be served a ConnectWise remote access trojan (RAT) installer.
The LinkedIn spoofing campaign has been running since at least May 2024. However, security researchers at Cofense, an email security company, warn that malicious emails can still slip through Microsoft Defender ATP (Advanced Threat Protection).
Cybercriminals didn’t even bother to update the spoofed notifications to match the current template of legitimate LinkedIn email notifications, the one adopted after LinkedIn’s rebranding. An old template from 2020 still looks convincing enough.
“The email purports to be a notification for a LinkedIn InMail message, a feature for messaging LinkedIn members who are not connected to the sender,” the researchers explain.
The current campaign’s lure is a “sales director” asking for a quote on a product or service. Hackers stole a photo of a real person, stitched the names of two legitimate corporations into a purported company, “DONGJIN Weidmüller Korea Ind.,” and listed an address pointing to a real office building.
By asking for a sales quote, cybercriminals attempt to create a sense of urgency. However, the “Read More” or “Reply To” buttons in the spoofed email will download a ConnectWise RAT installer.
“The threat actors do not prompt the user to run a program in the email, and well-trained users should be suspicious of running a downloaded file when they would normally expect to be directed to a LinkedIn webpage,” the researchers said.
But how do malicious emails slip through the email security systems? The researchers noted that they actually fail basic verification checks.

The sender’s IP address wasn’t authorized to send emails on behalf of LinkedIn.com – the Sender Policy Framework (SPF) check returned a “softfail.” The emails also lacked the digital signature that legitimate LinkedIn messages carry – they weren't signed with DKIM (DomainKeys Identified Mail).
These red flags should have prompted security tools to block the messages outright, yet misconfigured spam filter settings allowed the emails to reach Outlook inboxes, albeit with spam warnings.
“The email was able to bypass existing security measures and the Microsoft ATP secure email gateway (SEG) likely because the configured DMARC action was set to ‘oreject’ which will mark the email as spam and let it reach the recipient’s mailbox,” the explanation reads.
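The authentication failures described above (SPF softfail, no DKIM signature, DMARC fail) are all recorded in the `Authentication-Results` header that a receiving gateway stamps on a message. The following Python is an added example, not code from Cofense or Microsoft: it parses that header from two constructed messages (one spoofing LinkedIn, one that authenticates cleanly), derives a DMARC verdict, and applies a simplified model of the gateway setting the researchers describe, in which `oreject` marks a failing brand message as spam but still delivers it while `reject` drops it. The header layout, the documentation-range IP addresses, the `PROTECTED_BRANDS` list and the `decide()` policy model are all assumptions made for the example.

```python
"""Flag spoofed brand mail from Authentication-Results headers (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a message claiming to come from LinkedIn whose
# Authentication-Results (as stamped by a receiving gateway) show an
# SPF softfail, no DKIM signature and a DMARC failure.
RAW_SPOOF = b"""\
From: LinkedIn <messages-noreply@linkedin.com>
To: victim@example.net
Subject: You have a new InMail message
Authentication-Results: mx.example.net;
 spf=softfail (sender IP is 203.0.113.45) smtp.mailfrom=linkedin.com;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=linkedin.com

A sales director would like a quote.
"""

# Constructed sample: the same notification authenticating cleanly.
RAW_LEGIT = b"""\
From: LinkedIn <messages-noreply@linkedin.com>
To: victim@example.net
Subject: You have a new InMail message
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=linkedin.com;
 dkim=pass header.d=linkedin.com;
 dmarc=pass action=none header.from=linkedin.com

You have a new message.
"""

# Brands whose From: domain must authenticate (assumption for the example).
PROTECTED_BRANDS = {"linkedin.com"}


def parse_auth_results(header_value):
    """Return {method: result} from an Authentication-Results value,
    e.g. {'spf': 'softfail', 'dkim': 'none', 'dmarc': 'fail'}."""
    results = {}
    # The first ';'-separated field is the authserv-id; the rest are
    # "method=result ..." clauses (RFC 8601 layout).
    for clause in str(header_value).split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def from_domain(msg):
    """Domain of the visible From: address, lower-cased."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_verdict(results):
    """Use the gateway's dmarc= clause when present; otherwise DMARC passes
    only if SPF or DKIM passed (alignment is assumed to have been checked
    by the gateway, an assumption of this simplified example)."""
    if "dmarc" in results:
        return results["dmarc"]
    if results.get("spf") == "pass" or results.get("dkim") == "pass":
        return "pass"
    return "fail"


def decide(raw, dmarc_action="reject"):
    """Return 'deliver', 'spam' or 'reject' for a raw RFC 5322 message.

    dmarc_action models the gateway setting from the article: 'oreject'
    tags a failing brand message as spam yet still delivers it, whereas
    'reject' drops it. This is a simplified model, not Microsoft's code.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    if from_domain(msg) in PROTECTED_BRANDS and dmarc_verdict(results) != "pass":
        return "spam" if dmarc_action == "oreject" else "reject"
    return "deliver"


if __name__ == "__main__":
    for label, raw in (("spoof", RAW_SPOOF), ("legit", RAW_LEGIT)):
        for action in ("oreject", "reject"):
            print(f"{label:5} with DMARC action {action:7}: {decide(raw, action)}")
```

Running the block shows the difference the setting makes: with `oreject` the spoofed notification is tagged as spam but still lands in the mailbox, exactly the outcome the researchers observed, while `reject` stops it at the gateway; the cleanly authenticated message is delivered under either setting.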
Cybercriminals might also attempt to deliver other malicious payloads this way, such as infostealers, links to malicious websites designed to steal credentials, or tools enabling business email compromise (BEC) attacks.