
A newly documented phishing campaign is targeting professionals worldwide with fake LinkedIn business emails that cleverly abuse Adobe’s legitimate A/B testing infrastructure. The attack, first analyzed by security researchers, demonstrates a growing trend among cybercriminals to leverage trusted third-party services to bypass email security controls and evade user suspicion.
How the Attack Works
The attack begins with an email that appears to be a routine business inquiry. The sender claims to represent a real company and includes a signed contract attached as an HTML file with a double extension (e.g., contract.pdf.html). The email is short, professional, and tailored to the recipient, mentioning a specific business opportunity through LinkedIn.
If the victim opens the attachment, they are presented with a convincing replica of the LinkedIn login page. Their email address is already pre-filled, making the page feel personalized and trustworthy. Entering a password and clicking submit sends the credentials to an attacker-controlled server, after which the victim is silently redirected to the real LinkedIn website. The attack works seamlessly, and the victim may never realize their credentials were stolen.
Abusing Adobe’s Infrastructure
A key innovation in this campaign is the use of Adobe Target, a legitimate A/B testing and personalization platform hosted at the subdomain omtrdc.net. Instead of directing the victim’s browser directly to a malicious server, the attackers route traffic through Adobe’s infrastructure. This accomplishes two goals: first, network-level security tools see traffic going to a trusted Adobe domain, which rarely raises alarms. Second, the attackers can use Adobe Target’s analytics to track which victims clicked through and submitted their credentials, allowing them to prioritize stolen credentials that are more likely to be active.
According to security researchers, the abuse of Adobe Target is a sophisticated tactic that makes the phishing campaign particularly hard to detect. Many organizations whitelist Adobe domains for legitimate business purposes, and the encrypted communication with Adobe servers further obscures the malicious intent. Email security gateways and web filters that rely on domain reputation alone are ineffective against this technique.
Obfuscation and Social Engineering Layers
The attackers employed multiple layers of deception beyond the Adobe abuse. The HTML attachment is heavily obfuscated to evade signature-based detection and sandbox analysis. The obfuscation involves nested JavaScript, encoded strings, and dynamic content loading that only renders the fake login page when the file is opened in a browser.
The social engineering lever is also carefully crafted. LinkedIn is one of the most trusted platforms for professional communication, and receiving a business inquiry with a signed contract feels normal. The pre-filled email address on the fake login page adds a layer of personalization that increases the likelihood of users entering their passwords without hesitation. Even careful employees who check the sender’s name and company may not detect the fraud because the attackers use real company names and often create email addresses that closely resemble legitimate ones.
Scale and Cost Efficiency
Phishing campaigns of this type are inexpensive to launch and easy to scale. The attackers can purchase domain names and hosting for minimal cost, and the use of Adobe’s free or low-tier infrastructure reduces their overhead. The HTML phishing kit can be reused with slight modifications – changing the target brand, updating the domain, or altering the lure message – allowing the attackers to run multiple campaigns simultaneously against different professional verticals.
Security researchers warn that this kind of attack is likely to persist and evolve. As organizations improve their detection of direct malicious URLs, attackers will continue to find ways to piggyback on trusted services. Adobe is just one example; similar phishing campaigns have abused Google Cloud, Amazon Web Services, and Microsoft Azure in the past.
Historical Context and Trends
Phishing attacks that abuse legitimate cloud services have been rising steadily over the past five years. In 2023, a major campaign used Microsoft SharePoint to host fake login pages that mimicked Office 365. In 2024, attackers leveraged AWS Lambda functions to dynamically generate phishing pages that evaded static analysis. The current LinkedIn campaign represents a continuation of that trend, with Adobe Target being the chosen vector.
Professionals are prime targets because they control access to sensitive corporate data and financial systems. Stolen LinkedIn credentials can be used to impersonate executives, launch spear-phishing attacks against colleagues, or gather intelligence on corporate relationships. The attackers may also sell the credentials on the dark web or use them to compromise the victim’s other accounts that share the same password.
Impact on Organizations
For businesses, a single compromised LinkedIn account can lead to costly data breaches, reputational damage, and regulatory fines. The attack is particularly dangerous for sales, HR, and executive roles, where receiving unsolicited business inquiries is part of daily work. If an executive’s account is taken over, the attacker can send fraudulent invoices, request urgent wire transfers, or manipulate internal communications.
Moreover, the use of Adobe’s platform means that traditional security controls – like blocking suspicious file types or restricting outbound connections to unknown IPs – may not be sufficient. Security teams need to implement behavior-based detection, inspect SSL/TLS traffic for signs of credential harvesting, and train employees to recognize subtle anomalies.
Detection and Prevention Strategies
Individual users can defend themselves by enabling multi-factor authentication on LinkedIn and other critical accounts. Even if a password is stolen, MFA prevents the attacker from gaining access. Users should also carefully inspect URLs before entering credentials. Legitimate LinkedIn login pages always begin with https://www.linkedin.com; any deviation should be treated as suspicious. Hovering over links before clicking, avoiding opening unsolicited attachments, and accessing LinkedIn only through official apps or bookmarks are additional best practices.
For organizations, a layered defense is essential. Email security solutions should be configured to analyze the content of attachments in sandboxes, identify obfuscated JavaScript, and flag HTML files with double extensions. Web filters should look beyond domain reputation and assess the behavior of web pages, especially those requesting credentials. Security awareness training should include simulated phishing tests that specifically target LinkedIn users and highlight the risks of A/B testing platform abuse.
Additionally, security teams can monitor outbound connections to Adobe Target domains and correlate them with recent email delivery events. Any deviation from normal patterns – such as a user who rarely visits LinkedIn suddenly being redirected through Adobe – could indicate a compromise. Anomaly detection and user behavior analytics can surface these incidents before credentials are used maliciously.
Finally, security researchers recommend that organizations implement a strict policy of never entering LinkedIn credentials on any page that wasn’t visited by typing the URL directly into the browser. Bookmarking the official LinkedIn login page and using it as the sole entry point eliminates the risk of falling for a lookalike page.
The attackers behind this campaign have demonstrated that even trusted services can be weaponized. By staying informed and adopting a proactive security posture, businesses and individuals can reduce the likelihood of becoming victims. The threat landscape will continue to evolve, but vigilance remains the most effective defense.
Source:Help Net Security News
