Phishing campaign uses fake brand interviews to target Google accounts
A phishing operation is impersonating more than 30 major companies, including Adobe, Netflix, Coca-Cola, OpenAI, and others, in an effort to steal Google account credentials from marketing professiona...
A phishing operation is impersonating more than 30 major companies, including Adobe, Netflix, Coca-Cola, OpenAI, and others, in an effort to steal Google account credentials from marketing professionals. Security researchers say the campaign is built around fake job-interview outreach that appears to come from legitimate recruiters.
According to analysis by Will Thomas of Team Cymru, the attackers are sending messages that claim to be from hiring teams looking for candidates for marketing roles. The emails borrow the names and photos of real recruiters and direct recipients to scheduling pages designed to look credible.
How the campaign works
The operation appears to rely on legitimate cloud services to hide the malicious infrastructure behind multiple layers of redirects. The phishing messages use the PeopleForce human resources platform and a domain tied to Salesforce Marketing Cloud before sending victims onward to a harmful landing page.
Researchers found that the chain of redirects begins with a domain associated with Salesforce’s ExactTarget service, then passes through Wise Agent, a cloud-based CRM platform, before landing on the phishing site. This approach helps the links appear trustworthy while making the final destination harder to spot.
The campaign is using at least 34 domains that imitate brands across several industries:
- Airlines and travel, including American Airlines, Booking.com, Delta Air Lines, and United Airlines
- Food and beverage brands such as Coca-Cola, PepsiCo, and Red Bull
- Fashion and luxury names including Adidas, Louis Vuitton, Sephora, and Levi’s
- Staffing, consulting, and tech firms such as Adobe, Aquent, ManpowerGroup, McKinsey & Company, and OpenAI
- Hospitality, marketing, entertainment, and sports brands including Marriott, Omnicom Group, FIFA, and Netflix
BleepingComputer reports that the activity has been ongoing for at least five months. Early versions reportedly used Outlook addresses that included the impersonated company name.
In one example, a message posed as an Adidas recruiter and invited the recipient to schedule a conversation. Clicking the link led to a site that required the user to sign in with Google to continue. The login prompt was a browser-in-the-browser imitation, meaning the fake sign-in window was built directly into the page using standard web styling rather than being a real browser dialog.
It is not yet clear how the attackers obtained access to the legitimate services used in the redirect chain. Researchers said the abuse does not necessarily mean those platforms were compromised, and could involve either newly created accounts or stolen credentials.
