Cybersecurity researchers at Cofense have uncovered a phishing campaign that uses fake LinkedIn InMail notifications to deliver the ConnectWise RAT. Unlike the usual LinkedIn-themed scams, which harvest credentials, this one installs a remote access trojan. The emails reproduce LinkedIn branding, but the template predates the platform's 2020 redesign; the mismatch is easy to miss, so the messages still pass a first glance.
The message purports to come from a sales director asking for a product quote, a pretext that manufactures urgency. The sender and company do not exist, and the profile photo belongs to a real but unrelated person. Clicking either the "Read More" or the "Reply To" button starts the malware download directly, without any further prompt to the user, which lowers the chance that the recipient pauses to question it. Analysis of the headers shows the message fails both SPF and DKIM, so it was not sent by LinkedIn.
Those failures did not stop delivery. SPF and DKIM results only lead to quarantine or rejection when the From domain publishes an enforcing DMARC policy (p=quarantine or p=reject); under a weak policy such as p=none a receiver merely records the failure and delivers the message, which is what allowed these emails past the security controls. The campaign has been active since at least May 2024 and shows how far phishing tradecraft has moved beyond simple credential pages. Organizations can reduce the risk by training employees on the indicators seen here (dated branding, an unknown sender, a button that downloads a file instead of opening a LinkedIn page), by publishing SPF, DKIM and an enforcing DMARC policy for their own domains while honoring other senders' DMARC policies at the gateway, and by configuring Secure Email Gateways to quarantine messages that fail authentication or whose display name impersonates a well-known brand.
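The following Python walk-through shows why the SPF and DKIM failures described above were not enough on their own, and how a gateway rule for brand impersonation would catch the lure. It is an added example, not code from Cofense or from the article: the message headers, the domains (linkedin-notifications.example, mail-relay.example), and the two DMARC records are constructed, and the organizational-domain shortcut is a simplification of what real receivers do with the Public Suffix List.

```python
"""Receiver-side DMARC disposition for a LinkedIn-themed phishing lure.

Added example, not from the Cofense report or the article. All headers,
domains and DMARC records are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign: the receiving MTA has already
# stamped SPF and DKIM as failing. Domains are invented.
LURE_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bounce@mail-relay.example;
 dkim=fail header.d=mail-relay.example
From: "LinkedIn" <inmail-hit-reply@linkedin-notifications.example>
To: target@example.net
Subject: You have a new InMail message
Content-Type: text/html

<html><body>Read More | Reply To</body></html>
"""

# Constructed control sample: authenticated and aligned with its From domain.
LEGIT_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@bounce.linkedin-notifications.example;
 dkim=pass header.d=linkedin-notifications.example
From: "LinkedIn" <messages@linkedin-notifications.example>
To: target@example.net
Subject: Weekly digest

Nothing to see here.
"""

# Two DMARC TXT records for the (invented) From domain: weak and enforcing.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@linkedin-notifications.example"
ENFORCING_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@linkedin-notifications.example"


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels. Real
    receivers consult the Public Suffix List; this shortcut is an assumption."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim results and their identifier domains from an
    Authentication-Results header (RFC 8601 layout)."""
    flat = " ".join(header.split())  # unfold continuation lines
    results = {}
    for clause in flat.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)", clause.strip())
        if not m:
            continue
        method, result = m.groups()
        key = "smtp.mailfrom" if method == "spf" else "header.d"
        dm = re.search(re.escape(key) + r"=([\w.@\-]+)", clause)
        ident = dm.group(1).rsplit("@", 1)[-1] if dm else None
        results[method] = (result, ident)
    return results


def parse_dmarc_record(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}


def dmarc_evaluate(raw_email: str, dmarc_record: str) -> dict:
    """Decide the disposition the way a DMARC-honoring receiver would:
    pass if SPF or DKIM passes AND aligns with the From domain; otherwise
    apply the published policy. SPF/DKIM verdicts are read from the
    Authentication-Results header so the example runs offline."""
    msg = message_from_string(raw_email)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg["Authentication-Results"] or "")
    spf_result, spf_domain = auth.get("spf", ("none", None))
    dkim_result, dkim_domain = auth.get("dkim", ("none", None))

    def aligned(result, ident):
        return result == "pass" and ident is not None and \
            org_domain(ident) == org_domain(from_domain)

    dmarc_pass = aligned(spf_result, spf_domain) or aligned(dkim_result, dkim_domain)
    policy = parse_dmarc_record(dmarc_record).get("p", "none")
    if dmarc_pass:
        disposition = "deliver"
    elif policy in ("reject", "quarantine"):
        disposition = policy
    else:
        disposition = "deliver"  # p=none: failure is only reported, never acted on
    return {"from_domain": from_domain, "spf": spf_result, "dkim": dkim_result,
            "dmarc_pass": dmarc_pass, "policy": policy, "disposition": disposition}


def display_name_brand_mismatch(raw_email: str, brand: str = "linkedin",
                                brand_domains=("linkedin.com",)) -> bool:
    """Secure Email Gateway style rule: the display name claims a brand but the
    From domain is not one that brand sends from."""
    name, addr = parseaddr(message_from_string(raw_email)["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    return brand in name.lower() and not any(
        domain == d or domain.endswith("." + d) for d in brand_domains)


if __name__ == "__main__":
    for label, record in (("weak", WEAK_DMARC), ("enforcing", ENFORCING_DMARC)):
        print(label, dmarc_evaluate(LURE_EMAIL, record))
    print("brand mismatch:", display_name_brand_mismatch(LURE_EMAIL))
```

With the weak record the lure reaches the inbox despite failing both checks; with p=reject the same message is rejected. The brand rule fires independently of authentication, which is why the gateway check is worth having even for senders whose DMARC policy you cannot control.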