{“lastseen”:”2026-05-27T10:05:07″,”description”:”Cybercriminals are abusing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward.\\n\\nThe phishing email masquerades as a business inquiry designed to look like it’s come via LinkedIn and includes a fake \u201ccontract\u201d attachment. But it contains a number of red flags:\\n\\n * The sender name, email address, and email signature don\u2019t match\\n * The sender company exists, but not in the US\\n * The sender name exists, but not at that company\\n * The attachment has a double file extension: `pdf.html`\\n\\n\\n\\n\\u003e \\”I would like to do business with you via **LinkedIn**. I’m a buyer.\\n\\u003e \\n\\u003e Please find attached the signed contract No. #33110:12000pcs.\\n\\u003e \\n\\u003e I look forward to hearing from you. \\”\\n\\n* * *\\n\\n\\n\\n### Scam or legit? Scam Guard knows.\\n\\nTRY IT NOW\\n\\n* * *\\n\\nDouble file extensions are often used to mislead recipients into thinking a file is something other than what it really is. The attached HTML file is highly obfuscated. Basically, it\u2019s a one-line JavaScript.\\n\\n\\n\\nThe script uses two common obfuscation methods: URL encoding and Base64 . The script is divided into two Base64-encoded sections.\\n\\n\\n\\n\\n\\nWhen you open the attachment, you’ll find a simple login form.\\n\\n\\n\\nThe target’s email address is hardcoded, and you’re unable to change or remove it. Possibly because some researchers have no qualms about flooding the receiving channel with false credentials.\\n\\nBut figuring out the receiving channel is where it gets interesting. Network analysis reveals this URL:\\n\\n`https:\/\/lnkd.tt.omtrdc.net\/rest\/v1\/delivery`\\n\\nThis domain belongs to Adobe and is associated with the Adobe Target A\/B testing platform. But the campaign isn\u2019t using Adobe Target to receive the phished credentials. Instead, attackers are abusing Adobe Target as a redirect\/abuse point in the phishing flow. Most likely to track victims who fell for the phishing email.\\n\\nIn the end, it redirects the target to the legitimate `business.linkedin.com` site to reduce any suspicion the target may still have.\\n\\nAfter deobfuscating the scripts, we found the destination for the submitted credentials:\\n\\n\\n\\nAll in all, even with the level of obfuscation, the method is very raw and simple:\\n\\nPOST to: `http:\/\/a1263367.xsph.ru\/taam\/Ln.php`\\n\\nWith data:\\n\\n * AA = hardcoded email address\\n * BB = whatever password the user entered\\n\\n\\n\\nThe PHP file hosted on a `.ru` domain handles the redirect to LinkedIn, making the victim think they just logged in successfully.\\n\\n## How to stay safe\\n\\nThe good news: Once you know what to look for, these attacks are much easier to spot and block. The bad news: They\u2019re cheap, scalable, and likely to keep circulating.\\n\\nSo, the next time a \u201cPDF\u201d asks for your password in a browser, pause and think about what might be hiding underneath.\\n\\nBeyond avoiding unsolicited attachments, here are a few ways to stay safe:\\n\\n * Only access your accounts through official apps or by typing the official website directly into your browser.\\n * Check file extensions carefully. Even if a file looks like a PDF, it may not be.\\n * Enable multi-factor authentication for your critical accounts.\\n * Use an up-to-date, real-time anti-malware solution with a web protection module.\\n\\n\\n\\nPro tip: Malwarebytes Scam Guard recognized this email as a scam.\\n\\n* * *\\n\\n**Scammers don’t need to hack you. They just need you to click once.** \\n\\nMalwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.”,”published”:”2026-05-27T09:32:09″,”modified”:”2026-05-27T09:32:09″,”type”:”malwarebytes”,”title”:”Fake LinkedIn emails abuse Adobe to track victims”,”source”:””,”references”:””,”id”:”MALWAREBYTES:45C6C6B90F6408351BB6E9E4EC2242E9″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/05\/fake-linkedin-emails-abuse-adobe-to-track-victims”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-27T10:05:07″,”description”:”Cybercriminals are abusing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward.\\n\\nThe phishing email masquerades…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-57381","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n