LinkedIn-themed phishing abuses Adobe’s A/B testing platform

Jun 27, 2026  Twila Rosenbaum

A newly documented phishing campaign is targeting professionals with fake LinkedIn business emails and abusing a trusted service operated by Adobe. The attack leverages Adobe Target, a legitimate A/B testing platform hosted at the omtrdc.net domain, to mask malicious traffic as trusted network activity. By pre-filling the victim's email address into a fake LinkedIn login page, the attackers create a sense of personalization and urgency that increases the likelihood of credential theft.

Key facts about the attack

  • Attack vector: Email impersonating a business inquiry, with an attached HTML file disguised as a PDF using double extensions.
  • Technology abused: Adobe Target (A/B testing platform at omtrdc.net) used as a redirect to track victims and evade security filters.
  • Payload: A fake LinkedIn login page that captures credentials when submitted. After login, victims are redirected to the real LinkedIn to avoid suspicion.
  • Target: Professionals who regularly receive LinkedIn business messages, making the lure contextually relevant.
  • Detection evasion: Obfuscated HTML code and pre-filled email fields enhance trust and bypass many email security solutions.
  • Scalability: The campaign is cheap to run, easy to automate, and likely to persist as long as it remains profitable.

The attack from the victim’s perspective

The attack starts with an email that looks, at first glance, like a routine business inquiry: someone wants to do business with you through LinkedIn and has attached a signed contract for your review. The message is short and professional, and the sender company and name exist—though, if the potential victim checks, they will see that the sender does not appear to be working at that particular company. Those who open the attachment will be faced with a familiar-looking LinkedIn login page, with their email address already filled in. If they type their password and hit submit, they will be redirected to the real LinkedIn. In the background, the login credentials are sent to a server operated by the attackers.

The layers of deception

Attackers used several techniques to make this attack effective and hard to detect. Impersonating a legitimate platform is a common social engineering tactic, but here the lure is especially fitting because professionals constantly receive business inquiries through LinkedIn. The double extension trick—naming the file something like contract.docx.html—tricks users into thinking it is a harmless PDF or document. The HTML file is heavily obfuscated, making it difficult for signature-based security tools to analyze its intent. The pre-filled email field personalizes the page, lowering the victim’s guard. Finally, by routing traffic through Adobe Target, the attackers make network logs appear to point to a trusted Adobe domain. Adobe Target is a widely used A/B testing platform, so security systems that whitelist omtrdc.net will not flag the connection. The attackers can also use Adobe’s tracking capabilities to monitor which victims clicked through and submitted credentials, refining future campaigns.

Why this is a growing threat

Phishing campaigns that abuse legitimate cloud services are becoming more common. Services like Amazon CloudFront, Firebase, and now Adobe Target provide attackers with free or low-cost hosting that is automatically trusted by many email filters and firewalls. The use of redirects from a trusted domain also helps the phishing link pass DMARC, DKIM, and SPF checks if the email body contains a link to omtrdc.net instead of a malicious domain. According to Malwarebytes researchers, these attacks are cheap, scalable, and likely to keep circulating. The barrier to entry is low: attackers can purchase email lists, template the HTML, and set up Adobe Target accounts quickly. As long as the return on investment remains positive, the campaign will continue.

Historical context: LinkedIn phishing

LinkedIn has long been a target for phishing because it contains a wealth of professional information that attackers can exploit. In 2023, researchers saw a surge in LinkedIn-themed credential harvesting campaigns that used fake connection requests or job offers. The current attack refines this pattern by adding the Adobe Target layer. For context, Adobe Target is part of Adobe Experience Cloud and is used by enterprises to test and personalize web content. Creating an account on Adobe Target is relatively easy for attackers; some phishing groups have even leveraged free tiers of legitimate services to host their malicious pages. The trust in Adobe’s domain makes the attack more difficult to block without breaking legitimate business processes.

How to protect yourself

Careful users should be able to spot the phishing warning signs. The email address of the sender may not match the company domain, even if the display name looks correct. Hovering over links before clicking can reveal the true destination—though in this case the initial link may point to omtrdc.net, which looks legitimate. The easiest safeguard is to avoid opening unsolicited attachments, especially those that claim to be signed contracts or invoices. Instead, log into LinkedIn directly from your browser or official app and check for messages there. Multi-factor authentication (MFA) is essential: even if credentials are compromised, an attacker would need the second factor to log in. However, MFA is not foolproof if the attacker immediately proxies the session or uses a reverse proxy (though this campaign appears to simply steal credentials). Users should also make it a habit to access critical accounts only through official apps, by typing the official website directly into their browser, or via a bookmark they created themselves. Additionally, organizations should consider blocking or monitoring traffic to unknown subdomains of omtrdc.net if they do not use Adobe Target, and train employees to recognize social engineering lures that appear to come from LinkedIn.

The role of email security

Email security solutions need to adapt to attacks that abuse trusted third-party services. Traditional filters that rely on blocklists or reputation scoring will allow emails containing links to omtrdc.net because that domain has a high reputation. Advanced threat detection must analyze the link’s destination dynamically, even if the initial host is trusted. Sandboxing or URL detonation can help, but the obfuscated HTML may evade detection if the sandbox does not execute JavaScript properly. Behavioral analysis of the email content—looking for mismatches between display name and email address, or unusual requests for credentials—can flag suspicious messages. The campaign also highlights the importance of DMARC enforcement; if the sender domain is properly authenticated, it can reduce the chance of spoofing, but many organizations still lack strict DMARC policies.
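The attachment and link traits described above (a double-extension HTML attachment and references to omtrdc.net hosts) can be checked statically at a mail gateway before any sandboxing. The following Python is an added example, not code from the researchers or the source article; the function name triage, the extension lists and the sample message (sender address and omtrdc.net subdomain) are constructed for illustration.

```python
import re
from email import message_from_string, policy

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}   # assumed "document" lure extensions
HTML_EXTS = {"html", "htm", "shtml", "xhtml"}
TRACKED_DOMAIN = "omtrdc.net"  # Adobe Target domain named in the article
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def triage(raw_email: str) -> list[str]:
    """Return findings for the lure traits the article describes."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]
        if len(exts) >= 2 and exts[-1] in HTML_EXTS and exts[-2] in DOC_EXTS:
            findings.append(f"double-extension HTML attachment: {name}")
        elif exts and exts[-1] in HTML_EXTS:
            findings.append(f"HTML attachment: {name}")
        if part.get_content_maintype() == "text":
            # Obfuscated HTML may hide its URLs, so the filename check above
            # is the more robust signal; this one catches plain references.
            hosts = {h.lower() for h in HOST_RE.findall(part.get_content())}
            for host in sorted(hosts):
                if host == TRACKED_DOMAIN or host.endswith("." + TRACKED_DOMAIN):
                    findings.append(f"reference to {host} in {name or 'message body'}")
    return findings

# Constructed sample message: every address, name and host is made up.
SAMPLE = """\
From: "Jordan Example" <jordan@sender.example>
Subject: Signed contract for review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached signed contract.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="contract.docx.html"

<html><body><a href="https://constructed-tenant.omtrdc.net/placeholder">x</a></body></html>
--b1--
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Organizations that do use Adobe Target would treat the omtrdc.net finding as context rather than a verdict, and weigh it together with the attachment finding.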

Ultimately, the best defense is a combination of user awareness, layered security controls, and the use of MFA. As Malwarebytes researchers correctly note, these attacks are cheap, scalable, and likely to keep circulating. By understanding the tactics, users and organizations can better prepare for the next iteration.


Source: Help Net Security News

