Cybersecurity researchers have documented a new phishing campaign that targets professionals by impersonating LinkedIn and exploiting a trusted service operated by Adobe. The attack leverages Adobe's A/B testing platform, Adobe Target, to host malicious redirections and evade traditional security controls. This technique allows attackers to blend their traffic with legitimate Adobe infrastructure, making detection significantly harder for both users and email filtering systems.
How the Attack Unfolds
The campaign begins with an email that appears to be a routine business inquiry. The message claims that a contact wants to do business via LinkedIn and has attached a signed contract for review. The email is concise and professional, and the sender's name and company are real—though a quick background check would reveal that the sender does not actually work at that company.
If the recipient opens the attachment, which is an HTML file disguised as a PDF using double extensions, they are presented with a familiar-looking LinkedIn login page. Crucially, the email field is pre-filled with the victim's actual email address, adding a layer of personalization that increases trust. Once the user enters their password and submits the form, their credentials are sent to an attacker-controlled server. The page then redirects them to the real LinkedIn, making the entire process seem legitimate.
The Role of Adobe Target
The most innovative aspect of this attack is the abuse of Adobe Target, an A/B testing and personalization platform hosted at the omtrdc.net domain. Instead of linking directly to their own malicious servers, the attackers route the victim's browser through Adobe's infrastructure. This serves two purposes: first, network traffic appears to be going to a trusted Adobe address, which can bypass many security scanners that whitelist such domains. Second, it likely allows the attackers to track which victims actually clicked through and submitted their credentials, enabling them to focus follow-up attempts.
Adobe Target is widely used by enterprises to test and optimize web experiences. By exploiting this legitimate service, the attackers gain a layer of credibility that is difficult for users to question. The obfuscated HTML file further complicates analysis by security software, as the code is heavily minified and encoded to avoid straightforward inspection.
Social Engineering and Scale
This campaign exemplifies how attackers are combining social engineering with technical tricks. The lure is perfectly timed for professionals who frequently receive LinkedIn-related messages. The pre-filled email field makes the phishing page feel personalized and reduces suspicion. Additionally, the use of a signed contract as the bait plays on the expectation that business deals often involve formal documents.
Malwarebytes researchers, who first identified the campaign, note that these attacks are cheap to execute and highly scalable. The same infrastructure can be reused with minor modifications to target thousands of professionals across different industries. As long as these tactics remain effective, they are likely to continue circulating.
Defense and Mitigation
While careful users can spot warning signs—such as the attachment being an HTML file rather than a PDF, or the URL in the browser showing an omtrdc.net domain instead of linkedin.com—a moment of distraction is often enough to fall victim. To protect against such attacks, users should avoid opening unsolicited attachments, especially those with unusual file extensions. Multi-factor authentication should be enabled for critical accounts, including LinkedIn, as it provides an additional layer of security even if credentials are compromised.
Furthermore, users should make it a habit to access their accounts only through official apps, by typing the official website URL directly into the browser, or via a bookmark they created themselves. Email security solutions can be configured to flag attachments with double extensions and to inspect redirection chains for unknown domains. Organizations should also educate employees about the risks of phishing and conduct regular simulated attacks to reinforce training.
Broader Implications
This incident highlights a growing trend: attackers are increasingly abusing trusted third-party services to host malicious content or redirect traffic. Services like Adobe Target, Google Analytics, and cloud storage platforms are often exempt from strict security checks, making them ideal vehicles for phishing and malware distribution. The cybersecurity community is calling for platform providers to implement better monitoring and abuse detection mechanisms to prevent their infrastructure from being used in such attacks.
For now, vigilance remains the best defense. As phishing techniques evolve, both individuals and organizations must continuously adapt their security practices to stay ahead of adversaries. The LinkedIn-themed campaign is a stark reminder that even the most trusted brands and platforms can be weaponized against unsuspecting users.
Source: Help Net Security News