One Click Away: Inside a LinkedIn Phishing Attack
A recent phishing campaign observed by the Cofense Phishing Defense Center uses highly realistic, spoofed LinkedIn notification emails to harvest user credentials. The attack leverages newly created sender domains and typosquatted landing pages to bypass traditional defenses and trick users into entering their login details on fraudulent portals.
Authors: Enrico Silverio
Source: Cofense
- Domain: inedin[.]digital - Typosquatted domain hosting the fraudulent LinkedIn credential harvesting page.
- Domain: khanieteam[.]com - Newly registered domain used by threat actors to send the spoofed LinkedIn phishing emails.
- URL: hxxps://notifcation[.]inedin[.]digital/?xgsrdh=12602024008489914930&provider=4__cmppbWVuZXpAaWJlcmRyb2xhLmNvbQ==__xvpji__lkkd - Stage 1 infection URL embedded in the phishing email, directing victims to the fake login page.
- URL: hxxps://singletoncop[.]info/webxr.php - Stage 2 payload URL, likely used for processing stolen credentials or delivering further malicious content.
Key Takeaways
- Threat actors are utilizing highly convincing spoofed LinkedIn notification emails to harvest user credentials.
- The campaign leverages newly registered domains (e.g., khanieteam.com) to bypass initial email reputation filters.
- Victims are directed to typosquatted domains (e.g., inedin.digital) hosting fraudulent login pages that closely mimic the legitimate LinkedIn portal.
- The attack chain involves a multi-stage redirection process, ultimately leading to a secondary payload URL.
Affected Systems
- Corporate Email Users
- LinkedIn Users
Attack Chain
The attack begins with a spoofed email mimicking a LinkedIn notification about a business opportunity, sent from a newly registered domain (khanieteam.com). When the victim clicks the embedded link, they are directed to a Stage 1 infection URL hosted on a typosquatted domain (inedin.digital). This page presents a fraudulent LinkedIn login portal designed to harvest credentials. Following interaction, the attack chain involves a Stage 2 payload URL (singletoncop.info), likely used for processing the stolen credentials.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, queries, or signatures.
Detection Engineering Assessment
- EDR Visibility: None. This is a web-based credential harvesting attack; EDR sensors typically do not monitor external web page content or standalone browser interactions unless integrated with specific web-protection modules.
- Network Visibility: Medium. Network proxies and DNS logs can capture resolutions and HTTP/HTTPS requests to the malicious domains, though the payload content is encrypted via HTTPS.
- Detection Difficulty: Moderate. Detecting this relies on identifying newly registered domains and typosquatting, which can be automated but requires robust threat intelligence and URL analysis capabilities.
Required Log Sources
- Email Gateway Logs
- DNS Logs
- Web Proxy Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Search email gateway logs for inbound messages containing links to newly registered domains (less than 30 days old) combined with display names matching well-known brands. | Email Gateway Logs | Initial Access | Medium |
| Query DNS logs for resolutions to domains containing variations or typos of 'linkedin' (e.g., 'inedin'). | DNS Logs | Execution | Low |
Control Gaps
- Email authentication (SPF/DKIM/DMARC) offers no protection when the threat actor sends from a properly configured, newly registered domain of their own.
- Lack of real-time URL rewriting and time-of-click analysis.
Key Behavioral Indicators
- Emails with display names matching well-known brands but originating from completely unrelated sender domains.
- Links pointing to typosquatted domains designed to visually deceive users.
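The two hunting hypotheses above and the behavioral indicators (brand display name from an unrelated sender domain; links to look-alike domains) can be run as a single pass over email-gateway log lines. This is an added example, not code from the Cofense report: the log format, the brand allow-list and the similarity threshold are assumptions, and the domain-age check from the first hypothesis is left to an external WHOIS/RDAP enrichment.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed email-gateway log lines for this demo (not from the original report).
SAMPLE_LOGS = [
    'from="LinkedIn <info@khanieteam.com>" url="https://notifcation.inedin.digital/?xgsrdh=1"',
    'from="LinkedIn <messages-noreply@linkedin.com>" url="https://www.linkedin.com/feed/"',
    'from="Payroll <hr@example.org>" url="https://intranet.example.org/pay"',
]
# Brand keyword -> legitimate registrable domains (assumption: a curated allow-list).
BRANDS = {"linkedin": {"linkedin.com"}}
LOG_RE = re.compile(r'from="(?P<display>[^<"]*?)\s*<(?P<addr>[^>]+)>"\s+url="(?P<url>[^"]+)"')

def registrable_domain(host: str) -> str:
    """Demo eTLD+1: last two labels (assumption: no multi-part public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def typosquat_of(host: str, brand: str) -> bool:
    """True when the registrable label resembles the brand but is not on its allow-list."""
    reg = registrable_domain(host)
    if reg in BRANDS[brand]:
        return False
    label = reg.split(".")[0]
    similarity = SequenceMatcher(None, label, brand).ratio()  # 'inedin' vs 'linkedin' ~ 0.86
    return brand in label or (len(label) >= 4 and label in brand) or similarity >= 0.75

def hunt(lines):
    """Return (sender, findings) for messages matching either hunting hypothesis."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = []
        display = m["display"].lower()
        sender_dom = registrable_domain(m["addr"].split("@")[-1])
        link_host = urlparse(m["url"]).hostname or ""
        for brand, legit in BRANDS.items():
            # Indicator 1: brand name in the display name, sender domain unrelated to it.
            if brand in display and sender_dom not in legit:
                findings.append(f"display_name_mismatch:{brand}")
            # Indicator 2: the embedded link lands on a look-alike of the brand domain.
            if typosquat_of(link_host, brand):
                findings.append(f"typosquat_link:{link_host}")
        if findings:
            hits.append((m["addr"], findings))
    return hits
```

Only the first constructed line is flagged; the genuine LinkedIn notification and the unrelated internal mail pass, which is the false-positive behaviour the table above expects.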
False Positive Assessment
- Low for the specific domains and the Stage 2 IP. However, blocking the Stage 1 IPs (104.21.x.x) carries a High false positive risk as they belong to Cloudflare's CDN infrastructure and host many legitimate sites. Blocking should be done at the domain/URL level.
Recommendations
Immediate Mitigation
- Block the identified domains (khanieteam.com, inedin.digital, singletoncop.info) and the Stage 2 IP (192.99.81.100) in web proxies and firewalls.
- Search email gateways for messages originating from khanieteam.com and retroactively remove them from user inboxes.
Infrastructure Hardening
- Deploy URL rewriting and time-of-click analysis for all inbound emails to protect users from newly categorized malicious links.
- Implement strict DMARC, SPF, and DKIM checking, and flag emails from newly registered domains.
User Protection
- Enforce Multi-Factor Authentication (MFA) across all corporate accounts to mitigate the impact of compromised credentials.
- Encourage the use of enterprise password managers, which will not auto-fill credentials on mismatched or typosquatted domains.
Security Awareness
- Train users to verify the actual sender email address, not just the display name, especially for notification emails.
- Educate employees on the risks of clicking links in unexpected notification emails and encourage them to navigate to platforms directly via bookmarks.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1583.001 - Acquire Infrastructure: Domains
- T1056.002 - Input Capture: GUI Input Capture
Additional IOCs
- IPs:
  - 104[.]21[.]80[.]1 - Stage 1 infection URL IP (Cloudflare)
  - 104[.]21[.]64[.]1 - Stage 1 infection URL IP (Cloudflare)
  - 104[.]21[.]112[.]1 - Stage 1 infection URL IP (Cloudflare)
  - 104[.]21[.]48[.]1 - Stage 1 infection URL IP (Cloudflare)
  - 104[.]21[.]16[.]1 - Stage 1 infection URL IP (Cloudflare)
  - 104[.]21[.]32[.]1 - Stage 1 infection URL IP (Cloudflare)
  - 104[.]21[.]96[.]1 - Stage 1 infection URL IP (Cloudflare)
- Domains:
  - notifcation[.]inedin[.]digital - Subdomain used for the Stage 1 credential harvesting page.
  - singletoncop[.]info - Domain hosting the Stage 2 payload.
- Other:
  - info@khanieteam.com - Sender email address observed in the phishing campaign.