I was a victim of a very similar scheme.
In Oct. 2016, my work email was compromised, which briefly allowed intruders to access the Doha News web host and Twitter account before I managed to get back control — changing passwords and enabling two-factor authentication everywhere.
Although I don’t have any email records of a “Safeena Malik”, I did get an enormous amount of phishing requests starting in May 2016, including Hangout requests from people I knew, false alerts saying someone had logged into one of my accounts — and the one that most likely got me, someone connecting with me on LinkedIn and then asking me about collaborating on an article.
He sent me a Google Doc, and when I clicked on it, it would ask me to login to my Google account before giving me access to the document. Notably, it went to https://myuser.info/omar, which was skinned to look like my account, with my email and profile photo.