Skip to main content
Emerging Threats

Phishing Campaign Targets Google Accounts with Fake Job Interviews

Marketing professional looks concerned, holding smartphone amidst papers and laptop.

At least 34 domains are impersonating high‑value companies in a coordinated phishing operation that uses fake job interviews to trick marketing professionals into surrendering Google account credentials, according to analysis by Will Thomas of Team Cymru and reporting by BleepingComputer.

How the phishing flow is assembled

The campaign begins with an email that appears to come from “a recruiter looking to hire people for marketing roles,” Will Thomas found. The operation leverages the PeopleForce human resources platform to lend legitimacy to initial contact, but the underlying links ultimately resolve to the exct[.]net domain — a remnant of ExactTarget now operated by Salesforce and rebranded as Salesforce Marketing Cloud.

From exct[.]net the chain redirects to the Wise Agent cloud CRM (wiseagent[.]com), and that service then forwards victims to the attacker-controlled landing page. Thomas described this use of nested redirects — routing visitors through multiple legitimate services — as central to the campaign’s ability to appear trustworthy and evade simple detection.

Brands impersonated and the sector mix

Thomas uncovered at least 34 domains impersonating more than 30 well‑known brands. The targeted names span several sectors and include:

  • Airlines and travel: American Airlines, Booking.com, Delta Air Lines, United Airlines
  • Food and beverage: Coca‑Cola, PepsiCo, Red Bull
  • Apparel and luxury goods: Adidas, Louis Vuitton, Sephora, Levis
  • Staffing, consulting, and tech: Adobe, Aquent, ManpowerGroup, McKinsey & Company, OpenAI
  • Hospitality and marketing: Marriott, Omnicom Group
  • Entertainment and sports: FIFA, Netflix

The campaign primarily targets marketing professionals, using job opportunity lures that are directly relevant to the recipients’ day‑to‑day work and therefore more likely to result in clicks.

The Adidas example and the browser‑in‑the‑browser trick

BleepingComputer detailed a concrete example in which a phishing message, posing as an Adidas recruiter named Paulina Manzo, asked the recipient to schedule a conversation about a potential role. When the target clicked the calendar link they were redirected to adidas‑hiring[.]com and prompted to “Continue with Google.”

Clicking that button generated a fake Google sign‑in popup rendered inside the phishing page. Although it could look like an actual browser authentication window, the popup was built with HTML and CSS on the page itself — a technique known as browser‑in‑the‑browser (BitB). The attacker’s use of modern web development tools allows close imitation of every element of a legitimate authentication prompt, increasing the chance that a user will enter credentials.

What investigators observed and how the platforms were used

Thomas’ investigation shows the attacker routes victims through legitimate cloud services rather than hosting every element themselves. While it is unclear how the threat actor gained access to the legitimate platforms, the analysis notes that abusing them does not necessarily imply the services were compromised. Two possibilities Thomas identified are: creating a genuine account for the campaign, or using compromised logins to configure redirects and landing pages.

BleepingComputer reported the campaign has been active for at least five months and that early iterations used Outlook addresses bearing the impersonated companies’ names. Thomas has published a list of the domains he discovered on GitHub for defenders and researchers to review.

What this means for security teams, marketing professionals, and job candidates

  • Security teams: The nested‑redirect pattern and BitB popups complicate automated detection. Teams should expect credential‑harvesting attempts that use legitimate cloud services as intermediate hops and prioritize controls that validate OAuth flows and detect in‑page spoofing.
  • Marketing professionals and recruiters: Because the lures are job‑related and invoke real recruiter names and photos, recruiting teams should be aware that their brand and people can be co‑opted in these scams and may need communication to candidates clarifying legitimate hiring processes.
  • Job candidates and end users: Requests to “Continue with Google” that follow unexpected calendar or scheduling links can be abusive; where possible, verify recruiter identity through known corporate channels before entering credentials, and be wary of sign‑in popups rendered inside web pages.

The campaign’s mix of real‑looking recruiter details, nested redirects through legitimate services, and in‑page fake authentication popups illustrates how social engineering and web‑tech techniques are being combined to bypass trust cues. The immediate practical artifacts — the exct[.]net resolution, the wiseagent[.]com handoff, and attacker domains like adidas‑hiring[.]com — give defenders concrete signals to hunt and block while Thomas’ GitHub list offers a starting blocklist for responders.

Original BleepingComputer story