Skip to main content

Phishing Campaign Targets Google Accounts with Big-Brand Job Interviews

Person working at desk with laptop and papers in a home office setting.

"the phishing email pretends to be from 'a recruiter looking to hire people for marketing roles,'" Will Thomas wrote after analyzing a long-running campaign that uses fake job interviews to steal Google account credentials.

The phishing chain: PeopleForce → exct[.]net → Wise Agent → malicious landing page

Thomas, a senior advisor at cybersecurity intelligence and threat hunting company Team Cymru, mapped a multi-stage redirect chain that begins with legitimate cloud services and ends at an attacker-controlled sign-in page. The emails appear to originate from the PeopleForce human resources platform. Under the hood, the links resolve to the exct[.]net domain — the remnant of ExactTarget now operated by Salesforce Marketing Cloud — which then redirects to the Wise Agent cloud-based CRM at wiseagent[.]com before forwarding visitors to the phishing landing page.

That nested-redirect path uses the appearance of legitimate services to increase trust and evade simple filtering. BleepingComputer reports the operation has been running for at least five months and initially used Outlook email addresses that carried the impersonated company name.

Brands targeted and scale: at least 34 domains impersonating high-value firms

Thomas identified at least 34 domains set up to impersonate more than 30 well-known brands. The impersonation list spans multiple sectors and includes airlines and travel (American Airlines, Booking.com, Delta Air Lines, United Airlines); food and beverage (Coca-Cola, PepsiCo, Red Bull); apparel and luxury goods (Adidas, Louis Vuitton, Sephora, Levis); staffing, consulting, and tech (Adobe, Aquent, ManpowerGroup, McKinsey & Company, OpenAI); hospitality and marketing (Marriott, Omnicom Group); and entertainment and sports (FIFA, Netflix).

The campaign specifically targets marketing professionals, seeking to recruit them for roles that plausibly match their skills and thereby increase the likelihood of interaction with the malicious content.

Techniques: real recruiter names, calendar invites, and browser-in-the-browser

To build credibility the threat actor uses the names and pictures of real recruiters at the impersonated companies. In one documented example, an email posing as Adidas recruiter Paulina Manzo asked a recipient to schedule a conversation about a potential role. A calendar link redirected the user to a landing page hosted at adidas-hiring[.]com.

On that page, victims are prompted to "Continue with Google." Clicking the button triggers a fake Google sign-in popup rendered inside the phishing page using a browser-in-the-browser (BitB) technique: the popup is not a real browser window but HTML and CSS crafted to mimic the legitimate Google authentication dialog. As the analysis notes, modern web development tools allow attackers to imitate all elements of an authentication popup, raising the visual stakes for would-be victims.

Why the campaign succeeds — and why abuse of legitimate platforms matters

Thomas’ write-up emphasizes that abusing legitimate platforms does not necessarily indicate a compromise of those services. The campaign could be using valid accounts created specifically for the operation or compromised credentials to configure redirects and landing pages. Either approach gives the attacker a veneer of legitimacy: when a link routes through recognized services, recipients are more likely to click.

Nested redirects also complicate detection and analysis, since traffic appears to traverse known vendors before reaching the malicious endpoint. BleepingComputer’s timeline shows the campaign has persisted for months, underlining the operational effectiveness of that strategy.

What this means for technologists, marketing professionals, and platform providers

  • Technologists and security teams: watch for suspicious redirect chains that resolve through legitimate vendors, and monitor sign-in prompts rendered inside web pages (BitB). The campaign’s use of calendar scheduling and recruiter imagery suggests detection rules should flag unusual use of HR platform links and newly registered domains mimicking corporate recruiting pages.
  • Marketing professionals and job candidates: exercise caution when contacted out of the blue about roles you did not apply for. The campaign specifically targets marketing staff with credible-sounding messages and real recruiter names; when asked to "Continue with Google" from a web page, pause and verify the sender through independent channels.
  • Platform providers (PeopleForce, Salesforce/ExactTarget, Wise Agent): the campaign’s reliance on your redirect chains makes it important to investigate whether attacker accounts are being created legitimately or via compromised logins, and to consider controls that limit external redirect configuration or flag patterns consistent with recruiting-themed social engineering.

The campaign’s operator maintains at least 34 impersonation domains and has run for months; a list of the domains Thomas discovered is available in his analysis on GitHub, the researcher reports. The episode is a reminder that social engineering increasingly layers technical mimicry on top of trusted services to harvest credentials.

Original reporting: BleepingComputer — Phishing poses as big-brand job interview to steal Google accounts