LinkedIn Phishing Attack Bypassed Email Filters Because it Passed Both SPF and DMARC Auth



LinkedIn Phishing AttackResearchers at Armorblox have observed a phishing campaign impersonating LinkedIn. The emails inform the user that their LinkedIn account has been suspended due to suspicious activity.

“The subject of this email evoked a sense of urgency in the victims, with a subject reading, ‘We noticed some unusual activity,’ the researchers write. “At first glance, the sender looks to be LinkedIn, the global brand used for connecting with colleagues and individuals around the world. However, when looking closer it is clear that the sender name reads Linkedin (an improper spelling of the brand’s name) and the email address is not associated with LinkedIn. Upon further analysis, the Armorblox Threat Research team found the domain name is fleek[.]co, created March 6th of this year––in preparation for attackers to execute targeted email attacks such as this one.”

The phishing emails and the phishing site convincingly spoofed LinkedIn’s branding.

“The email looks like a notification from LinkedIn, notifying the end user about suspicious activity on his or her account,” the researchers write. “The email included a LinkedIn logo at the top and bottom in order to instill trust in the recipient (victim) that the email communication was a legitimate business email notification from LinkedIn - instead of a targeted, socially engineered email attack. The body of the email contains information about a sign in attempt: device used, date and time, and location; notifying the end user that this attempt has resulted in limited account access due to the potential fraudulent activity. The victim is prompted to ‘Secure my account’ to avoid the LinkedIn account from being closed.”

Armorblox notes that the phishing messages were able to bypass email security filters.

“The email attack bypassed native Google email security controls because it passed both SPF and DMARC email authentication checks,” Armorblox says. “Attackers used a valid domain to send this malicious email, with the goal to bypass native email security layers and exfiltrate sensitive user credentials. Even though the sender domain received a reputation score of high risk, email security layers such as Google that rely on email authentication checks for legitimacy would not catch this targeted email attack.”

New-school security awareness training can enable your employees to identify phishing attacks that slip past your technical defenses.

Armorblox has the story.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer

Topics: Phishing



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews