
LinkedIn InMail Spoofing Malware Campaign Unleashes ConnectWise RAT

LinkedIn InMail spoofing delivers the ConnectWise RAT via outdated branding and weak email security — posing a significant risk to organizations.

Written By
Sunny Yadav
Mar 6, 2025

Cybersecurity defenders are confronting yet another sophisticated phishing tactic that uses the trusted LinkedIn brand.

Recently detailed by Cofense, the campaign uses a spoofed LinkedIn InMail notification to distribute the ConnectWise Remote Access Trojan (RAT). The attackers aim to deceive recipients with an email that mimics a legitimate business inquiry, prompting them to unwittingly download malicious software.

Crafting a convincing deception

The campaign’s email is meticulously designed to appear as if it originates from a LinkedIn InMail notification — a feature that lets users communicate with professionals outside their network. However, subtle indicators reveal the deception:

  • The email employs an outdated template, reminiscent of LinkedIn’s pre-2020 interface, to resonate with users familiar with the older design.
  • It purports to be from a sales director seeking a quote. It includes a profile image of Cho So-young, a real individual, repurposed to boost authenticity.
  • The supposed company, “DONGJIN Weidmüller Korea Ind.,” cleverly blends names from legitimate entities, though no such firm exists.

Bypassing security protocols

Despite these red flags, the email bypassed modern security defenses. An analysis of its security headers reveals that the Sender Policy Framework (SPF) check resulted in a softfail due to an unauthorized IP address.

Additionally, the absence of a proper DomainKeys Identified Mail (DKIM) signature — ordinarily present in legitimate LinkedIn communications — further underscores its fraudulent nature. Interestingly, the configured Domain-Based Message Authentication, Reporting and Conformance (DMARC) policy, which marked suspicious emails as spam rather than rejecting them outright, enabled the email to slip past even robust systems like Microsoft Defender for Endpoint.
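The header pattern described above (SPF softfail, no DKIM signature, DMARC not passing) can be checked at triage time. The following is an added example, not code from Cofense or the original article. The sample message, the receiving host name mx.example.net, the sender address and the IP are constructed placeholders, and the visible From domain is assumed to be the spoofed brand's.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the Cofense report): hostnames, addresses and
# the IP are placeholders; the From domain is assumed to be the spoofed brand.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=softfail (sender IP is 203.0.113.45) smtp.mailfrom=linkedin.com;
 dkim=none (message not signed);
 dmarc=fail action=quarantine header.from=linkedin.com
From: LinkedIn <notifications@linkedin.com>
Subject: New InMail message

Read More
"""

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc results, but only from headers our own MTA wrote."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, body = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a sender can inject its own Authentication-Results
        body = re.sub(r"\([^)]*\)", "", body)  # strip RFC 5322 comments
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", body, re.I):
            found.setdefault(method.lower(), result.lower())
    return found

def triage(raw, brands=("linkedin.com",), trusted_authserv="mx.example.net"):
    """Return (verdict, reasons) for mail whose From domain is a watched brand."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not any(domain == b or domain.endswith("." + b) for b in brands):
        return "no-opinion", []
    results = auth_results(msg, trusted_authserv)
    reasons = [f"{m}={results.get(m, 'missing')}"
               for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
    # DMARC passes when either SPF or DKIM passes in alignment, so a dmarc
    # result other than "pass" is the deciding signal; spf/dkim add context.
    verdict = "block" if results.get("dmarc") != "pass" else "deliver"
    return verdict, reasons

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Results are read only from the Authentication-Results header stamped by the receiving organization's own mail server, so a forged "pass" header added by the sender does not change the verdict.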

The operational mechanics of the attack

Once a user interacts with the email by clicking the “Read More” or “Reply To” buttons, an embedded link silently triggers the download of the ConnectWise RAT installer.

The campaign does not push a direct “download” command — a tactic often associated with malware delivery — but instead relies on the pretext of a legitimate business inquiry. This subtle approach is designed to lower the guard of even cautious users, particularly those accustomed to LinkedIn’s messaging interface.

Why this matters to organizations

For organizations, the implications of such sophisticated phishing campaigns are significant. This attack is a prime example of how threat actors repurpose trusted brands to exploit human psychology and bypass technical defenses.

A successful compromise could grant adversaries remote access to critical systems, leading to data breaches, operational disruptions, and substantial financial losses. In today’s interconnected business environment, maintaining robust email authentication measures and continuous employee training is not just advisable — it is essential. You must scrutinize even seemingly routine communications and implement advanced security protocols to safeguard your digital assets.

Explore the best ways to improve your email security and protect your organization from evolving cyber threats.
