VYPR
phishingPublished Jul 6, 2026· 1 source

Phishing Campaign Impersonates Major Brands to Steal Google Accounts via Fake Job Offers

A sophisticated phishing campaign is impersonating over 30 major brands, including Adobe, Netflix, and OpenAI, to trick marketing professionals into revealing their Google account credentials through fake job interview invitations.

A widespread phishing campaign is actively impersonating more than 30 well-known global brands, such as Adobe, Netflix, Coca-Cola, and OpenAI, by leveraging fake job interview invitations to harvest Google account credentials. The operation specifically targets marketing professionals, aiming to exploit their interest in career advancement.

The threat actor behind this campaign is employing a multi-stage redirection technique that abuses legitimate cloud services to mask the malicious intent. Initially, phishing emails appear to originate from the PeopleForce human resources platform. However, the embedded links are designed to route victims through a domain associated with Salesforce Marketing Cloud before ultimately landing on a malicious page controlled by the attackers. This complex chain of redirects is intended to bypass security filters and instill a false sense of legitimacy.

To enhance the credibility of these phishing attempts, the attackers are meticulously using the names and profile pictures of real recruiters from the impersonated companies. This tactic aims to create a personalized and convincing lure, making recipients more likely to engage with the fake job offer. The campaign has been observed to be active for at least five months, demonstrating sustained operational activity.

The phishing emails typically present themselves as recruitment outreach for marketing roles. For instance, one observed email, purportedly from an Adidas recruiter, invited the recipient to schedule a conversation about a potential position. Clicking on the provided link, however, redirects the user to a fake landing page, such as adidas-hiring[.]com, designed to mimic the brand's legitimate online presence.

Upon reaching the fake landing page, victims are prompted to sign into their Google account to proceed with scheduling a meeting. This step triggers a fake Google sign-in pop-up, which is not a genuine browser window but rather an HTML and CSS-based imitation created within the phishing page itself. This technique, known as browser-in-the-browser (BitB), is used to convincingly replicate the appearance of Google's authentication interface.

By tricking users into interacting with this fake authentication form, the attackers can capture the entered Google account credentials, including usernames and passwords. The use of the "Continue with Google" button further streamlines the process for the victim, making the credential submission appear as a standard and secure login procedure. Successful compromise of a Google account can grant attackers access to a wide array of sensitive data and services linked to that account, including emails, documents, and other personal information.

While the exact method by which the threat actors gained access to legitimate platforms like PeopleForce and Salesforce Marketing Cloud remains unclear, it is speculated that they may have created genuine accounts for the campaign or utilized compromised credentials. This abuse of legitimate services does not necessarily indicate a breach of those platforms but rather a clever exploitation of their functionalities for malicious purposes. A comprehensive list of domains identified in this campaign is available in the analysis by researcher Will Thomas.

Synthesized by Vypr AI