LinkedIn Phishing Scam Uses Fake InMail to Deliver ConnectWise RAT

Mar 6, 2025 | News





Overview

Cybersecurity researchers at Cofense have uncovered a LinkedIn phishing campaign distributing the ConnectWise Remote Access Trojan (RAT). Unlike traditional LinkedIn-themed phishing attacks that steal credentials, this campaign delivers malware via spoofed InMail notifications.

Attackers exploit LinkedIn’s branding and fake a request for a product or service quote, creating a sense of urgency to trick recipients into downloading the malicious RAT installer.

How the LinkedIn Phishing Attack Works

1. Fake LinkedIn InMail Notification

  • Victims receive a spoofed LinkedIn email, mimicking an InMail request from a Sales Director.
  • The email appears legitimate but uses outdated LinkedIn branding from before 2020.
  • Attackers use a real person’s profile picture but a fabricated company name to increase credibility.

2. Social Engineering Tactics

  • The email does not directly request downloads to avoid suspicion.
  • Clicking “Read More” or “Reply To” triggers a hidden download of the ConnectWise RAT installer.

3. Email Spoofing & Bypassing Security

  • The email fails SPF & DKIM authentication, proving it did not originate from LinkedIn.
  • However, weak DMARC settings allow the email to land in inboxes instead of being rejected.
  • The Secure Email Gateway (SEG) fails to block the phishing email, enabling widespread delivery.

Figure: LinkedIn’s 2020 Branding (Source: Cofense)


Why This Attack Is Dangerous

  • Highly convincing LinkedIn branding increases trust.
  • No direct download prompts to avoid suspicion.
  • Bypasses email security due to weak SPF, DKIM, and DMARC settings.
  • Deploys ConnectWise RAT, allowing remote control, data theft, and lateral movement.



How to Protect Against This LinkedIn Phishing Attack

  • Verify LinkedIn InMail Messages – Always check LinkedIn directly instead of clicking email links.
  • Check SPF, DKIM & DMARC Policies – Configure DMARC to reject unauthenticated emails.
  • Train Employees on Phishing Tactics – Educate teams on fake InMail scams & social engineering.
  • Secure Email Gateway (SEG) Enhancements – Block emails with failed SPF/DKIM checks.
  • Endpoint Protection & Network Monitoring – Detect suspicious RAT activity & prevent infections.
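
The SPF/DKIM/DMARC checks above can be expressed as a mail-triage rule. The following is an added example, not code from Cofense or the original article: it reads the Authentication-Results header stamped by your own gateway and flags messages that claim LinkedIn in the display name while failing authentication. The authserv-id `mx.example.org`, the placeholder domains, the sample message and the verdict thresholds are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id stamped by your own gateway
BRAND, BRAND_DOMAINS = "linkedin", ("linkedin.com",)

# Constructed sample, not a message from the campaign; domains are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=bounce.example.net;
 dkim=fail header.d=example.net;
 dmarc=fail header.from=example.net
From: "LinkedIn InMail" <notify@example.net>
To: user@example.org
Subject: Request for a quote

Read More
"""

def auth_results(msg):
    """Collect spf/dkim/dmarc results, trusting only headers added by our own gateway."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";")[0].strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can forge this header; ignore foreign authserv-ids
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found.setdefault(method.lower(), result.lower())
    return found

def triage(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    res = auth_results(msg)
    reasons = []
    genuine = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    if BRAND in name.lower() and not genuine:
        reasons.append(f"display name claims {BRAND}, From domain is {domain}")
    if res.get("spf") != "pass" and res.get("dkim") != "pass":
        reasons.append("neither SPF nor DKIM passed")
    if res.get("dmarc") != "pass":
        reasons.append("DMARC did not pass")
    # Act on failed authentication regardless of the sender's published DMARC policy.
    verdict = "quarantine" if len(reasons) >= 2 else "review" if reasons else "deliver"
    return verdict, reasons

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the rule acts on the authentication results themselves, it still quarantines the message when a weak DMARC policy would have let it through to the inbox.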


Source: hackread.com
