The phishing emails are carefully crafted to resemble LinkedIn notifications. They feature an outdated LinkedIn template from before 2020, a tactic likely meant to resonate with users familiar with older designs. The emails also impersonate a sales director requesting a quote, including a real profile picture to enhance credibility. The supposed company, “DONGJIN Weidmüller Korea Ind.,” blends names from legitimate firms, but does not actually exist.
Despite its fraudulent nature, the email gets past email security controls. The Sender Policy Framework (SPF) check results in a softfail, indicating that the sending IP address is not authorized, and the message lacks a proper DomainKeys Identified Mail (DKIM) signature, which is normally present in genuine LinkedIn communications. Both results expose the deception, yet the misconfigured DMARC policy allows the email to bypass Microsoft Defender for Endpoint, reaching users’ inboxes instead of being blocked outright.
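The following triage check is an added example, not code from the article or its source. It flags a message that uses the LinkedIn name while its SPF, DKIM or DMARC result is anything other than a pass. The sample message, the gateway name `mx.example.org` and the choice of `linkedin.com` as the brand's sending domain are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a message from the campaign; hosts and IP are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.org;
 spf=softfail (sender IP is 203.0.113.7) smtp.mailfrom=mailer.example.net;
 dkim=none (message not signed);
 dmarc=fail header.from=mailer.example.net
From: "LinkedIn" <notifications@mailer.example.net>
To: user@example.org
Subject: You have a new message

Read More
"""

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of our own receiving gateway
BRAND, BRAND_DOMAIN = "linkedin", "linkedin.com"  # assumption: brand and its sending domain

def auth_results(msg):
    """Collect spf/dkim/dmarc results, trusting only headers stamped by our gateway."""
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for header in msg.get_all("Authentication-Results", []):
        value = header.lower()
        if value.split(";")[0].strip() != TRUSTED_AUTHSERV:
            continue  # a sender can prepend its own header claiming "pass"
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value):
            if results[method] == "missing":
                results[method] = result
    return results

def triage(raw):
    """Return (verdict, findings) for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    claims_brand = BRAND in display.lower()
    if claims_brand and domain != BRAND_DOMAIN and not domain.endswith("." + BRAND_DOMAIN):
        findings.append("brand-domain-mismatch")
    for method, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{method}-{result}")
    # A lax DMARC policy does not act on softfail/none/fail, so act on them here
    # for any message that borrows the brand name.
    verdict = "quarantine" if claims_brand and findings else "deliver"
    return verdict, findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only `Authentication-Results` headers stamped by the receiving gateway are read, because a sender can add its own header claiming a pass.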
The attack unfolds when recipients click the “Read More” or “Reply To” buttons, which silently trigger the download of the ConnectWise RAT installer. Instead of using a direct “download” command, the campaign mimics a legitimate business inquiry, lowering the defenses of cautious users who are used to LinkedIn’s messaging interface.
This attack highlights the growing sophistication of phishing campaigns and how cybercriminals manipulate trust in well-known brands to bypass security measures. If successful, such attacks can grant adversaries remote access to sensitive systems, leading to data breaches, operational disruptions, and financial losses. Organizations must reinforce email authentication protocols, train employees to recognize phishing attempts, and adopt advanced security measures to mitigate these evolving threats.
Source: eSecurity Planet