Fake LinkedIn Emails Abuse Adobe Target to Track Phishing Victims
Cybercriminals are abusing Adobe Target's A/B testing infrastructure in a LinkedIn credential phishing campaign that uses double-extension attachments and obfuscated JavaScript.

Cybercriminals are abusing Adobe Target's A/B testing platform in a LinkedIn phishing campaign that steals credentials and then redirects victims to the legitimate LinkedIn site to avoid suspicion. The attack, detailed by Malwarebytes Labs, uses fake business inquiry emails that appear to come through LinkedIn and include a double-extension attachment named pdf.html.
The phishing email masquerades as a business inquiry with a fake signed contract attachment. Red flags include mismatched sender names, email addresses, and signatures, as well as a company that exists but not in the US. The attachment uses a double file extension to mislead recipients into thinking it is a PDF when it is actually an HTML file.
The attached HTML file contains heavily obfuscated JavaScript, using URL encoding and Base64 to hide its functionality. When opened, the file presents a simple login form with the target's email address hardcoded, preventing the victim from changing it. This design likely prevents researchers from flooding the receiving channel with fake credentials.
Network analysis reveals that the phishing flow abuses Adobe Target's omtrdc.net domain as a redirect and tracking point. The attackers use Adobe Target's infrastructure to track victims who fall for the phishing email, before redirecting them to the legitimate business.linkedin.com site to reduce suspicion. The actual credential harvesting is handled by a PHP file hosted on a .ru domain.
After deobfuscating the scripts, researchers found that submitted credentials are sent via POST to http://a1263367.xsph.ru/taam/Ln.php with the hardcoded email address and the entered password. The PHP file then handles the redirect to LinkedIn, making the victim think they logged in successfully.
This campaign demonstrates a growing trend of attackers abusing legitimate cloud infrastructure for malicious purposes. By leveraging Adobe Target's A/B testing platform, the attackers gain a reliable redirect and tracking mechanism that can evade simple blocklists. The use of a .ru domain for credential exfiltration further complicates takedown efforts.
To stay safe, users should avoid unsolicited attachments, check file extensions carefully, enable multi-factor authentication, and use up-to-date anti-malware solutions. Malwarebytes Scam Guard identified the email as a scam, highlighting the importance of using security tools that can detect such threats before they cause harm.
Malwarebytes' latest report adds technical detail on how the attackers obfuscate the HTML attachment with double extensions (disguising it as a PDF) and pre-fill the fake LinkedIn login form with the target's email address to increase credibility. The campaign also leverages Adobe Target's omtrdc.net domain to route victims through a legitimate A/B testing platform, making network traffic appear benign and enabling the attackers to track which targets submit credentials. Researchers emphasize that these attacks are cheap to produce, scalable, and likely to persist, urging users to enable multi-factor authentication and avoid opening unsolicited attachments.