Phishing poses as big-brand job interview to steal Google accounts
A phishing campaign impersonates over 30 well-known brands in fake job interview scenarios targeting marketing professionals to steal Google account credentials. The attackers abuse legitimate cloud-based platforms and use nested redirects through trusted services to reach malicious landing pages. They employ realistic tactics such as using real recruiter names and photos and a browser-in-the-browser technique to mimic Google sign-in pop-ups. The campaign has been active for at least five months and leverages domains associated with Salesforce Marketing Cloud and other cloud services to increase credibility.
AI Analysis
Technical Summary
This phishing campaign targets marketing professionals by impersonating recruiters from more than 30 major brands, including Adobe, Netflix, Coca-Cola, and OpenAI. It abuses legitimate cloud-based platforms like PeopleForce and Salesforce Marketing Cloud to create nested redirects that lead victims to malicious landing pages. The attackers use real recruiter identities and a browser-in-the-browser (BitB) technique to present fake Google sign-in pop-ups, tricking victims into submitting their Google credentials. The operation has been ongoing for at least five months and involves multiple sectors such as airlines, food and beverage, apparel, staffing, hospitality, and entertainment. The campaign does not indicate a compromise of the legitimate platforms but likely uses genuine or compromised accounts to configure redirects.
Potential Impact
Successful phishing leads to theft of Google account credentials from targeted marketing professionals, potentially compromising their Google accounts. This can result in unauthorized access to email, personal data, and other Google services tied to the stolen credentials. The use of trusted cloud services and realistic impersonation increases the likelihood of victim success.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign. Organizations should educate employees, especially marketing professionals, about this specific phishing tactic involving fake job interviews and the browser-in-the-browser technique. Users should verify URLs carefully and avoid entering credentials on suspicious pages. Since the campaign abuses legitimate cloud services, monitoring for unusual redirect chains and suspicious login attempts is recommended. Vendor-managed remediation does not apply as this is a social engineering attack.
Phishing poses as big-brand job interview to steal Google accounts
Description
A phishing campaign impersonates over 30 well-known brands in fake job interview scenarios targeting marketing professionals to steal Google account credentials. The attackers abuse legitimate cloud-based platforms and use nested redirects through trusted services to reach malicious landing pages. They employ realistic tactics such as using real recruiter names and photos and a browser-in-the-browser technique to mimic Google sign-in pop-ups. The campaign has been active for at least five months and leverages domains associated with Salesforce Marketing Cloud and other cloud services to increase credibility.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This phishing campaign targets marketing professionals by impersonating recruiters from more than 30 major brands, including Adobe, Netflix, Coca-Cola, and OpenAI. It abuses legitimate cloud-based platforms like PeopleForce and Salesforce Marketing Cloud to create nested redirects that lead victims to malicious landing pages. The attackers use real recruiter identities and a browser-in-the-browser (BitB) technique to present fake Google sign-in pop-ups, tricking victims into submitting their Google credentials. The operation has been ongoing for at least five months and involves multiple sectors such as airlines, food and beverage, apparel, staffing, hospitality, and entertainment. The campaign does not indicate a compromise of the legitimate platforms but likely uses genuine or compromised accounts to configure redirects.
Potential Impact
Successful phishing leads to theft of Google account credentials from targeted marketing professionals, potentially compromising their Google accounts. This can result in unauthorized access to email, personal data, and other Google services tied to the stolen credentials. The use of trusted cloud services and realistic impersonation increases the likelihood of victim success.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign. Organizations should educate employees, especially marketing professionals, about this specific phishing tactic involving fake job interviews and the browser-in-the-browser technique. Users should verify URLs carefully and avoid entering credentials on suspicious pages. Since the campaign abuses legitimate cloud services, monitoring for unusual redirect chains and suspicious login attempts is recommended. Vendor-managed remediation does not apply as this is a social engineering attack.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/phishing-poses-as-big-brand-job-interview-to-steal-google-accounts/","fetched":true,"fetchedAt":"2026-07-06T20:36:31.797Z","wordCount":860}
Threat ID: 6a4c11d027e9c797192ecdc7
Added to database: 07/06/2026, 20:36:32 UTC
Last enriched: 07/06/2026, 20:36:39 UTC
Last updated: 07/07/2026, 00:24:12 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.