HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Phishing Campaign Uses Adobe Target to Harvest LinkedIn Credentials via Fake PDF Attachments

Cybercriminals are distributing LinkedIn‑style phishing emails with a double‑extension PDF attachment that runs obfuscated JavaScript, captures login credentials, and abuses an Adobe Target domain as a tracking redirect before sending victims to the real LinkedIn site. The technique is inexpensive, scalable, and poses a credential‑theft risk to any organization that engages with LinkedIn contacts.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 malwarebytes.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
malwarebytes.com

Phishing Campaign Uses Adobe Target to Harvest LinkedIn Credentials via Fake PDF Attachments

What Happened — Cybercriminals are sending LinkedIn‑style business‑inquiry emails that contain a malicious “contract.pdf.html” attachment. The attachment runs obfuscated JavaScript that displays a fake LinkedIn login form, captures the victim’s credentials, and forwards them to a Russian‑hosted PHP endpoint. The campaign abuses an Adobe Target domain (lnkd.tt.omtrdc.net) as a redirect/track point before sending the victim to the real LinkedIn site.

Why It Matters for TPRM

  • Credential theft from business partners can lead to downstream supply‑chain compromises.
  • Abuse of a legitimate SaaS provider (Adobe) as a tracking hub makes detection harder for downstream vendors.
  • The technique is cheap, scalable, and likely to appear in multiple industries that rely on LinkedIn for outreach.

Who Is Affected — Professional services, recruitment firms, B2B SaaS vendors, and any organization whose employees receive unsolicited LinkedIn‑style emails.

Recommended Actions

  • Update email gateway rules to block double‑extension files (e.g., *.pdf.html).
  • Enforce MFA on all LinkedIn and corporate accounts.
  • Monitor outbound traffic for unexpected POSTs to unknown .ru domains.
  • Conduct phishing‑awareness training focusing on “PDF asks for password” scenarios.

Technical Notes — Attack vector: phishing email with malicious HTML attachment. The script uses URL‑encoding and Base64 obfuscation, then posts AA (hard‑coded email) and BB (entered password) to http://a1263367.xsph.ru/taam/Ln.php. Adobe Target’s domain is leveraged only as a redirect/track point, not as the data‑exfil endpoint. Source: Malwarebytes Labs

📰 Original Source
https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-linkedin-emails-abuse-adobe-to-track-victims

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →