Sophisticated Phishing Campaign Impersonates Top Brands to Steal Google Credentials
A new, highly sophisticated phishing campaign is targeting marketing professionals by impersonating over 30 global brands, including **Adobe**, **Netflix**, and **OpenAI**. This elaborate scheme leverages legitimate cloud platforms and real recruiter identities to trick victims into surrendering their **Google** account credentials.

Cybersecurity intelligence firm **Team Cymru** has uncovered an active phishing campaign exploiting the allure of high-profile job opportunities to compromise **Google** accounts.
### Leveraging Legitimate Platforms for Malicious Ends
The operation is designed to appear highly credible. Threat actors are abusing the legitimate cloud-based **PeopleForce** human resources platform and a domain associated with the **Salesforce Marketing Cloud** service. This allows them to route recipients through trusted services before ultimately redirecting them to a malicious landing page.
Further enhancing the illusion of legitimacy, the attackers are using the names and even pictures of real recruiters from the impersonated companies.
**Will Thomas**, Senior Advisor at **Team Cymru**, analyzed the campaign, noting that phishing emails are crafted to appear as direct communications from recruiters seeking marketing professionals.
### Broad Impersonation Across Diverse Sectors
Thomas's research identified at least 34 domains actively impersonating major companies across various high-value sectors, showcasing the campaign's broad reach:
* **Airlines and Travel**: **American Airlines**, **Booking.com**, **Delta Air Lines**, **United Airlines**
* **Food and Beverage**: **Coca-Cola**, **PepsiCo**, **Red Bull**
* **Apparel and Luxury Goods**: **Adidas**, **Louis Vuitton**, **Sephora**, **Levis**
* **Staffing, Consulting, and Tech**: **Adobe**, **Aquent**, **ManpowerGroup**, **McKinsey & Company**, **OpenAI**
* **Hospitality and Marketing**: **Marriott**, **Omnicom Group**
* **Entertainment and Sports**: **FIFA**, **Netflix**
### Nested Redirects and Browser-in-the-Browser Technique
The campaign employs a sophisticated technique known as nested redirects. This involves routing victims through multiple legitimate services before they reach the final malicious page. Thomas's analysis revealed that while emails appear to originate from **PeopleForce**, the underlying links resolve to the `exct[.]net` domain, operated by **Salesforce** (following its acquisition of **ExactTarget**, now **Salesforce Marketing Cloud**).
This `ExactTarget` redirect then forwards to **Wise Agent** (`wiseagent[.]com`), a cloud-based real estate **CRM** software, before finally landing on the phishing page.
Investigations show the operation has been active for at least five months, initially using **Outlook** email addresses with the impersonated company's name.
An example email, posing as **Adidas** recruiter **Paulina Manzo**, invited a recipient to schedule a conversation about a potential role.

Clicking the scheduling link redirected the victim to the threat actor's landing page, `adidas-hiring[.]com`. To proceed with scheduling, the victim was prompted to sign into their **Google** account.

The "Continue with Google" button triggered a fake **Google** sign-in popup. This popup, however, is not a genuine browser window but rather HTML and CSS code rendered within the phishing page itself β a technique known as **browser-in-the-browser (BitB)**.

This **BitB** technique allows attackers to mimic all elements of a legitimate authentication pop-up, making it incredibly difficult for an unsuspecting user to differentiate it from a real sign-in prompt.
### Access and Mitigation
While it's not clear how the threat actors gained access to configure these legitimate platforms, it doesn't necessarily imply a compromise of the services themselves. Potential avenues include creating genuine accounts specifically for the campaign or using compromised logins to configure the redirect chains and landing pages.
A comprehensive list of domains discovered in this phishing campaign is available in **Will Thomasβ** analysis on **GitHub**.
[Will Thomas' analysis](https://gist.github.com/BushidoUK/57c38d5ee75481fb237e968a537de778)