Connect with us

Hi, what are you looking for?



US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform

An open redirection vulnerability in the popular job search platform Indeed has been exploited in a series of phishing attacks.

A recent phishing campaign targeting executives in senior roles has been exploiting an open redirection vulnerability in the Indeed website, cybersecurity firm Menlo Security warns.

Headquartered in the US, Indeed is a popular worldwide job search platform, which claims to have more than 350 million unique visitors each month, and more than 14,000 employees globally.

Given its high popularity, the platform is seen as a trusted source by phishing prevention products, and the newly identified phishing campaign shows how threat actors can abuse that trust.

According to Menlo Security, starting July 2023, adversaries have been observed exploiting an open redirection flaw in the website to take victims to a phishing page designed to steal their Microsoft credentials.

The attacks were mainly focused on C-suite employees and other executives at banking and financial services, insurance, property management and real estate, and manufacturing organizations, mainly in the US.

As part of the attack, the victim would receive a phishing email containing a link seemingly taking the recipient to When clicking the link, however, the victim would be taken to a fake Microsoft login page deployed using the EvilProxy phishing framework.

Fetching all page content dynamically from the legitimate Microsoft domain, the phishing kit acts as a reverse proxy, allowing the attacker to intercept the victim’s credentials before they are sent to the actual login page.

Furthermore, the phishing kit also steals the victim’s session cookies, which the attacker can then use to impersonate the victim and access their Microsoft account, bypassing some multi-factor authentication (MFA) mechanisms.

Advertisement. Scroll to continue reading.

The attack, Menlo Security explains, relied on the fact that the website could be abused to redirect visitors to an untrusted external resource.

As part of the campaign, the attackers were seen using the subdomain ‘lmo.’ and hosting their phishing pages on nginx servers that could act as reverse proxies.

“The reverse proxy fetches all the content that can be dynamically generated like the login pages and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site,” Menlo explains.

The cybersecurity firm has reported the open redirection issue and the observed malicious activity to Indeed, but it is unclear whether the employment website has addressed it.

“Account compromise only forms the preliminary stages of an attack chain that could possibly end up in a Business Email Compromise, where the potential impact could range from identity theft, intellectual property theft and massive financial losses,” Menlo notes.

Proofpoint recently reported seeing a similar phishing campaign, targeting executives at over 100 organizations using the EvilProxy phishing tool. In those attacks, cybercriminals leveraged other legitimate services, such as YouTube, for redirections. 

Update, October 10:

“On October 3, we resolved a vulnerability that allowed malicious actors to use Indeed’s domain in social engineering attacks. No Indeed user data was improperly accessed. Our engineering teams are engaged in security incident response and are taking steps to prevent a recurrence,” an Indeed spokesperson told SecurityWeek in an emailed comment.

Related: New Phishing Campaign Launched via Google Looker Studio

Related: Malicious QR Codes Used in Phishing Attack Targeting US Energy Company

Related: New ‘Greatness’ Phishing-as-a-Service Targets Microsoft 365 Accounts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...