Operation Fake KickOff: Attackers Abuse Recruiters and SaaS to Harvest Work Credentials
A sophisticated multi-stage phishing operation has been active since April 2025, systematically exploiting legitimate SaaS platforms and cloud services to steal corporate credentials. The campaign utilizes 232 phishing domains and 80 command-and-control servers, primarily impersonating human resources consulting firms, with Robert Half Inc. and Aquent LLC representing 50% of targeted brands. Attackers leverage legitimate platforms like Salesforce, SendGrid, and Zoho for email delivery, directing victims to fake Calendly interview pages that mimic real recruiter identities. The operation deploys an adversary-in-the-middle toolkit using browser-in-the-box techniques to create replica Google sign-in pages, capable of harvesting credentials and bypassing MFA through email, SMS, Google Authenticator, and prompt notifications. The campaign specifically targets corporate email accounts, filtering out personal providers, with stolen data exfiltrated to Render-hosted servers and Telegram bots.
Indicators of Compromise
- domain: fifahr-careers.com
- domain: adidas-hiring.com
Operation Fake KickOff: Attackers Abuse Recruiters and SaaS to Harvest Work Credentials
Description
A sophisticated multi-stage phishing operation has been active since April 2025, systematically exploiting legitimate SaaS platforms and cloud services to steal corporate credentials. The campaign utilizes 232 phishing domains and 80 command-and-control servers, primarily impersonating human resources consulting firms, with Robert Half Inc. and Aquent LLC representing 50% of targeted brands. Attackers leverage legitimate platforms like Salesforce, SendGrid, and Zoho for email delivery, directing victims to fake Calendly interview pages that mimic real recruiter identities. The operation deploys an adversary-in-the-middle toolkit using browser-in-the-box techniques to create replica Google sign-in pages, capable of harvesting credentials and bypassing MFA through email, SMS, Google Authenticator, and prompt notifications. The campaign specifically targets corporate email accounts, filtering out personal providers, with stolen data exfiltrated to Render-hosted servers and Telegram bots.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.intel471.com/blog/operation-fake-kickoff-attackers-abuse-recruiters-and-saas-to-harvest-work-credentials"]
- Adversary
- O-UNC-038
- Pulse Id
- 6a57f26f4f7b83bede7d73d8
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainfifahr-careers.com | — | |
domainadidas-hiring.com | — |
Threat ID: 6a5803ac68715ace4390f60e
Added to database: 07/15/2026, 22:03:24 UTC
Last updated: 07/15/2026, 22:03:24 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.