Fake Job Interview Phishing Steals Google Accounts From Marketing Professionals
What happened
A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, OpenAI, Adidas, Marriott, FIFA, and McKinsey, to steal Google account credentials from marketing professionals. The emails pose as recruiter outreach for marketing roles and use the names and photos of real recruiters from the impersonated companies to make the fake job opportunity appear legitimate.
The campaign abuses legitimate cloud and marketing platforms as part of its redirect chain. The phishing emails appear to come from the PeopleForce human resources platform, while the underlying links route through a Salesforce Marketing Cloud-associated domain, then through Wise Agent, before finally landing victims on a fake hiring page. BleepingComputer found that the operation has been running for at least five months and initially used Outlook addresses named after the impersonated companies.
In one observed example, a phishing email posing as an Adidas recruiter asked the recipient to schedule a conversation about a potential role. Clicking the calendar link redirected the victim to adidas-hiring.com, where they were asked to sign in with Google to continue scheduling the meeting. The “Continue with Google” button opened a fake Google sign-in pop-up rendered inside the phishing page using browser-in-the-browser techniques, allowing the attacker to imitate a legitimate authentication window and capture credentials.
The campaign has used at least 34 domains impersonating companies across airlines and travel, food and beverage, apparel and luxury goods, staffing, consulting, technology, hospitality, marketing, entertainment, and sports. While the campaign abuses legitimate services in the redirect chain, that does not necessarily mean those services were compromised; the attackers may have created accounts for the campaign or used compromised logins to configure redirects.
Who is affected
Marketing professionals are the primary targets, especially those likely to respond to recruiter outreach from major brands or agencies.
Organizations are also affected if employees use Google accounts for work email, documents, analytics, advertising, cloud services, or shared business systems. A stolen Google account can expose internal files, email conversations, calendars, contacts, and other connected services.
Companies whose brands, domains, or recruiter identities are impersonated may also face reputational risk, even if their own systems were not compromised.
Why CISOs should care
This campaign shows how phishing actors are moving beyond crude login pages and using realistic recruiting workflows, trusted cloud services, and legitimate-looking redirect chains to make credential theft harder to spot.
For CISOs, the browser-in-the-browser technique is especially important. Users may believe they are interacting with a real Google authentication pop-up, but the window is actually HTML and CSS rendered inside the attacker-controlled page.
The use of real recruiter identities also increases trust. Employees may check LinkedIn, see that the recruiter exists, and assume the outreach is legitimate, even though the message and scheduling flow are controlled by the attacker.
The Google account focus matters because a single account can provide access to email, cloud files, calendars, contacts, advertising tools, and third-party services tied to Google sign-in.
3 practical actions
Train users on fake recruiting workflows: Employees should be warned that recruiter outreach from major brands can be impersonated, especially when messages ask them to sign in through a scheduling page or continue with Google.
Teach browser-in-the-browser red flags: Security awareness should show users how fake login pop-ups can be rendered inside a phishing page. Users should be encouraged to open authentication pages directly in a new browser tab rather than trusting embedded or unexpected sign-in windows.
Harden Google account security: CISOs should enforce phishing-resistant MFA where possible, monitor suspicious Google sign-ins, review OAuth app access, and alert on unusual activity after users interact with job interview or scheduling lures.
More cybersecurity news:


