general · BleepingComputer
A phishing campaign is impersonating over 30 major brands—including Adobe, Netflix, Coca-Cola, and OpenAI—to steal Google account credentials from marketing professionals. The attackers pose as recruiters conducting fake job interviews, using real names and pictures of legitimate company staff to build credibility. The campaign abuses the PeopleForce HR platform and a Salesforce Marketing Cloud domain, then redirects victims through nested legitimate services (including Wise Agent CRM) to malicious landing pages. Once targeted users click to schedule an interview, they encounter a browser-in-the-browser technique that mimics Google's login interface, allowing credential theft without leaving the attacker's page. According to researcher Will Thomas at Team Cymru, the operation has run for at least five months and targets sectors including airlines, food and beverage, apparel, tech, hospitality, and entertainment.
For Omniware's buyers, this campaign underscores the persistent risk of credential compromise despite MFA adoption. SaaS teams and healthcare providers relying on Google Workspace or Microsoft authentication should review email security controls and user training; defense contractors handling CUI should ensure marketing and recruiting staff understand phishing red flags and are aware that legitimate job inquiries may be weaponized. The nested-redirect and browser-in-the-browser techniques also highlight why endpoint detection and response (EDR) telemetry on credential submission events matters for CMMC compliance. An Omniware engagement can scope your organization's email filtering, user awareness program, and identity-layer controls in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/phishing-poses-as-big-brand-job-interview-to-steal-google-accounts/
Source: BleepingComputer
All briefings