
A newly documented phishing campaign is targeting professionals with fake LinkedIn business emails and abusing a trusted service operated by Adobe. The attack leverages the legitimacy of Adobe's infrastructure to bypass email security filters and trick even cautious users.
The attack from the victim’s perspective
The attack begins with an email that appears to be a routine business inquiry. The subject line indicates that someone wants to do business with the recipient through LinkedIn and has attached a signed contract for review. The email is short, professional, and includes the sender's name and a company name. However, if the victim checks, they will discover that the sender does not actually work at that company.
Opening the attachment reveals a familiar-looking LinkedIn login page, with the victim's email address already filled in. This pre-filled email field makes the page feel personalized and trustworthy. If the victim types their password and hits submit, the credentials are sent to an attacker-controlled server. The victim is then redirected to the real LinkedIn, so they may not immediately realize anything is wrong.
The double extension trick
One key deception is the use of double extensions. The attached file appears to be a PDF (e.g., “contract.pdf.html”), but it is actually an HTML file. When opened, the operating system treats it as a web page, loading the phishing form. Many users do not see the full file extension if their system is configured to hide known extensions, making the file appear to be a harmless PDF.
The tricks behind the attack
The attackers employed several layers of deception to make their campaign effective and hard to detect. By impersonating a legitimate platform and using a lure that is common in professional communications, they lower the victim’s guard. Many professionals routinely receive business inquiries through LinkedIn, so an email about a signed contract does not stand out as suspicious.
Abusing Adobe’s infrastructure
Rather than directing the victim’s browser directly to their own malicious servers, the attackers route the traffic through Adobe Target, a legitimate A/B testing platform hosted at the omtrdc.net domain. This accomplishes two things. First, network traffic appears to be going to a trusted Adobe address, which helps evade security solutions that inspect URLs and domains. Second, it allows the attackers to track which victims actually click through and submit their credentials, using Adobe’s analytics capabilities.
Adobe Target is widely used by marketers to test website variations. Because it is a legitimate service hosted on Adobe’s infrastructure, security tools may be less likely to flag requests to omtrdc.net as malicious. Attackers exploiting trusted services in this way is an increasingly common technique known as “living off the land” or abusing legitimate services to host or relay malicious content.
Heavily obfuscated HTML code
The HTML file containing the phishing form is heavily obfuscated, making it difficult for automated scanners to detect its malicious nature. Obfuscation techniques include encoding JavaScript, hiding strings, and using complex nested functions. This further helps the email evade detection by email security gateways that rely on signature-based or heuristic analysis.
These attacks are built to scale
Phishing campaigns that abuse legitimate services are cheap and easy to scale. The attackers can quickly generate personalized emails for thousands of targets, using publicly available or scraped information. The pre-filled email field, for instance, requires only that the attacker knows the target’s email address—something that is often easy to find via LinkedIn or corporate websites.
Moreover, the use of Adobe’s infrastructure means the attackers can reuse the same phishing kit across multiple campaigns without worrying about their own hosting being taken down. If Adobe’s platform is used for legitimate purposes, the malicious redirect can persist for a long time before being discovered and removed.
Security researchers have noted that this type of attack is likely to keep circulating because it works. Even if a small percentage of recipients fall for the trick, the attackers can quickly harvest credentials that may be used for account takeover, further phishing, or data theft.
How to spot and avoid these attacks
Careful users can spot several warning signs. The email attachment may appear to be a PDF but ends with .html. Hovering over the link in the email or inspecting the attachment before opening can reveal the true nature. The fake login page may also have subtle differences: the URL in the address bar may not be linkedin.com but a variation that includes the word “linkedin” or uses a subdomain of a malicious site. However, because the traffic is routed through Adobe’s domain, the initial URL may show something.omtrdc.net, which looks legitimate at a glance.
To protect themselves, users should avoid opening unsolicited attachments, especially those that claim to be contracts or invoices. Instead, they can verify with the supposed sender through a separate communication channel. Enabling multi-factor authentication (MFA) on critical accounts adds a crucial layer of protection. Even if an attacker obtains a password, they cannot log in without the second factor.
Another best practice is to only access accounts through official apps, typing the official website directly into the browser, or using a bookmark created by the user themselves. Never click on links in emails that claim to be from LinkedIn or other platforms—always navigate manually.
Security teams should train employees to recognize phishing attempts that abuse trusted services. Organizations can also implement email security solutions that inspect attachments in a sandbox, detect obfuscated HTML, and block traffic to known malicious domains even if they are hosted on reputable infrastructure.
This campaign underscores a broader trend: attackers are constantly finding new ways to abuse legitimate services to lower defenses. As Adobe and other providers work to detect and block such abuse, users and security professionals must remain vigilant. The key is to verify before trusting, and to never let a sense of urgency override caution.
Source:Help Net Security News
