Research bundle

LinkedIn AiTM Defense

AiTM phishing against LinkedIn captures the password and the li_at session cookie. MFA does not stop it. Here's what the attack actually looks like, how to spot it, and the controls that break it.

4 artifacts. Updated May 02, 2026.

What this bundle covers

LinkedIn does not get the same defensive attention as Microsoft 365. The detection content out there is thin, the mitigation guidance is mostly "enable 2FA" without saying which kind, and the IR procedures are scattered across LinkedIn help articles that read like marketing copy. We spent two weeks running a real AiTM proxy against LinkedIn in a controlled lab and used what we learned to write this bundle.

The attack itself is the same shape as the M365 version. Attacker registers a lookalike domain, deploys an evilginx-style proxy, sends a victim a link. Victim lands on a page that looks exactly like LinkedIn — same layout, same fonts, same flows. Every request goes through the proxy in real time. Credentials get captured on the way in. The session cookie (li_at) gets captured on the way out. With li_at alone, the attacker has the account for weeks. No password needed at replay time. Standard MFA does not help.
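As an added example (written for this page, not the bundle's own detection content), the following Python flags web-proxy records that match the attack shape above: a sign-in request sent to a lookalike host, or a first-party LinkedIn asset fetched by a page served from one. The JSON log schema, the first-party domain list and the login-path prefixes are assumptions; the sample records are constructed.

```python
# Added example: flag web-proxy records consistent with a LinkedIn AiTM proxy
# (a lookalike host relaying the sign-in flow). The log schema is constructed.
import json
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

LEGIT_ROOTS = ("linkedin.com", "licdn.com")  # assumption: first-party + static CDN
LOGIN_PREFIXES = ("/login", "/checkpoint/", "/uas/")  # assumption: sign-in flow paths

def is_first_party(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == r or h.endswith("." + r) for r in LEGIT_ROOTS)

def is_lookalike(host: str) -> bool:
    # Brand string appears in the host (separators stripped) but it is not first-party.
    h = host.lower().replace("-", "").replace(".", "")
    return "linkedin" in h and not is_first_party(host)

def classify(rec: dict) -> Optional[str]:
    ref_host = urlsplit(rec.get("referer", "")).hostname or ""
    # Signal 1: a sign-in request sent to a lookalike host (the proxy relaying it).
    if is_lookalike(rec["host"]) and rec["path"].startswith(LOGIN_PREFIXES):
        return "login_to_lookalike"
    # Signal 2: a first-party LinkedIn asset fetched by a page served from a lookalike host.
    if is_first_party(rec["host"]) and is_lookalike(ref_host):
        return "first_party_asset_from_lookalike"
    return None

def detect(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    hits = []  # (ts, user, signal, host) for every record that trips a signal
    for line in log_lines:
        rec = json.loads(line)
        sig = classify(rec)
        if sig:
            hits.append((rec["ts"], rec["user"], sig, rec["host"]))
    return hits

# Constructed sample records (not real traffic); the last two mimic a victim on a lookalike.
SAMPLE = [
    '{"ts":"2026-05-01T09:12:03Z","user":"jdoe","host":"www.linkedin.com",'
    '"path":"/login","referer":""}',
    '{"ts":"2026-05-01T10:40:11Z","user":"asmith","host":"www.linkedin-secure.example",'
    '"path":"/checkpoint/lg/login-submit","referer":"https://www.linkedin-secure.example/login"}',
    '{"ts":"2026-05-01T10:40:12Z","user":"asmith","host":"static.licdn.com",'
    '"path":"/sc/h/app.css","referer":"https://www.linkedin-secure.example/login"}',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
```

Signal 2 is the more durable of the two, because the proxy has to let the victim's browser fetch real LinkedIn assets to render a convincing page, and those fetches carry the lookalike host as the referrer.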

The bundle has four parts:

  • Threat model. What the attack actually does, what gets captured at each step, and which controls break which step. Read this first.
  • Detection. SPL queries for CASB and proxy logs, plus a standalone Python monitor that analyses LinkedIn login history exports. Three signals you can put into production today.
  • Mitigations. FIDO2 first. CASB second. Everything else is depth. With the rollout sequence and where each control fails.
  • Incident response. What to do when you suspect a LinkedIn AiTM compromise — revocation, scoping, notification, evidence preservation.

Who this is for

Anyone running a security program where LinkedIn is in scope: HR teams worried about recruiter accounts, exec protection programs, BD teams whose LinkedIn presence is critical, anyone who has had an executive's LinkedIn taken over and used to phish their network. The detection content assumes you have CASB or web-proxy log visibility into LinkedIn traffic. The mitigations work for individual users and for organizations on LinkedIn Enterprise products.

Why we wrote this

We build offensive tooling. We also publish defensive research from the same lab. This bundle is the second one — the Microsoft 365 AiTM Defense bundle was the first. Same approach: take a real attack we built and tested, then write up the defenses that actually stop it. No vendor pitches, no theoretical detections that look good but never fire on real traffic.

Status

Live. Threat model, detection bundle, mitigation guide, and IR runbook are published. Updates and additional detections will land here as the research continues.

Need help deploying any of this?

Tuning these detections to your tenant, rolling out the Conditional Access policies, designing the IR runbook for your team — we do that work.

Talk to us about an engagement