TempMail Ninja
//

Sophisticated Phishing Campaign Targets Marketers via Fake Job Offers

7 min read
TempMail Ninja
Sophisticated Phishing Campaign Targets Marketers via Fake Job Offers

Inside the High-Sophistication Phishing Campaign Impersonating Elite Brands to Steal Marketers’ Google Credentials

In an era where digital credentials serve as the primary keys to corporate networks, threat actors have deployed a highly sophisticated phishing campaign targeting marketing professionals across various high-value industries. First uncovered and analyzed by Will Thomas, senior threat intelligence adviser at Team Cymru, this active operation blends meticulously tailored social engineering, abuse of trusted enterprise platforms, and nested redirect evasion techniques. By impersonating more than 30 world-renowned brands, the attackers bypass security defenses to harvest Google account credentials and session tokens.

Unlike broad, automated spam campaigns that spray generic lures across millions of inboxes, this highly targeted campaign is characterized by surgical precision. By leveraging high-quality open-source intelligence (OSINT) and abusing legitimate enterprise Software-as-a-Service (SaaS) infrastructure, the threat actors have designed an attack chain where every phase—from the initial inbox delivery to the final credential capture—is optimized to bypass both human suspicion and automated security algorithms.

Anatomy of the Phishing Campaign: Why Traditional Defenses Fail

The campaign specifically targets marketing professionals, a cohort of employees who naturally interact with external vendors, agencies, and recruiting platforms daily. This frequent external communication makes them highly susceptible to career-themed lures. To maximize their success rates, the threat actors execute a thorough reconnaissance phase. They actively scrape public professional profiles on platforms such as LinkedIn to gather granular intelligence about their targets, allowing them to personalize every outbound communication.

These highly personalized emails address victims by their actual names and present job descriptions tailored specifically to their current marketing expertise and experience level. To further dismantle the victim’s skepticism, the attackers use the stolen identities of legitimate human resources and recruitment professionals working at the impersonated companies. This identity theft extends to copying the actual profile pictures, names, and job titles of real HR employees, establishing a high-fidelity visual alignment if the victim attempts to cross-reference the sender on LinkedIn.

According to threat intelligence reports, the threat actors have registered at least 34 fake domains mimicking high-value organizations across multiple sectors. The targeted brands represent some of the most recognizable entities globally, organized into the following categories:

  • Airlines and Travel: American Airlines, Delta Air Lines, United Airlines, and Booking.com.
  • Food and Beverage: Coca-Cola, PepsiCo, and Red Bull.
  • Apparel and Luxury Goods: Adidas, Louis Vuitton, Sephora, and Levi’s.
  • Staffing, Consulting, and Tech: Adobe, Aquent, ManpowerGroup, McKinsey & Company, and OpenAI.
  • Hospitality and Marketing: Marriott and Omnicom Group.
  • Entertainment and Sports: FIFA and Netflix.

Exploiting SaaS Trust: Bypassing SEGs via PeopleForce Abuse

A major challenge for modern email-borne attacks is passing the strict filtering mechanisms implemented by Secure Email Gateways (SEGs). Traditional security systems analyze incoming mail for domain age, SPF/DKIM/DMARC alignment, and sender IP reputation. To completely bypass these technical barriers, the orchestrators of this campaign avoid using newly registered domains to send their malicious invitations.

Instead, they abuse PeopleForce (peopleforce.io), a legitimate, cloud-based Human Resource Management (HRM) and applicant tracking platform. By utilizing a genuine, high-reputation enterprise HR application, the threat actors ensure that the outbound phishing invitations originate from legitimate servers with pristine IP reputations. Because the platform is trusted globally, emails sent through its system naturally align with SPF and DKIM policies. Consequently, SEGs evaluate the incoming email as legitimate business traffic. The message is successfully delivered to the target’s primary inbox rather than being quarantined or flagged as junk.

The Technical Anatomy of the Nested Redirect Chain

Even if an email bypasses initial spam filters, many advanced email security tools execute real-time URL sandboxing and analysis at the time of click. To neutralize this threat, the attackers employ a sophisticated technique known as nested redirects. This mechanism obscures the final destination by routing the victim’s web browser through multiple legitimate, trusted services before resolving at the malicious landing page.

When a targeted individual clicks the “view calendar & schedule call” button in the phishing email to book their interview, the redirection sequence executes through several hops:

  1. The Origin (PeopleForce): The link originates from the legitimate peopleforce.io domain, which standard security checkers mark as safe.
  2. The First Hop (Salesforce Marketing Cloud): The link immediately routes through Salesforce’s marketing automation platform, utilizing the domain exct[.]net (the legacy ExactTarget service acquired by Salesforce). Because Salesforce is a global enterprise cloud provider, its domains enjoy exceptional web reputation scores.
  3. The Second Hop (Wise Agent): From the Salesforce domain, the victim is automatically redirected to Wise Agent (wiseagent[.]com), a legitimate, cloud-based Customer Relationship Management (CRM) platform widely used by real estate professionals.
  4. The Final Destination (Threat Actor Infrastructure): Finally, the Wise Agent page forwards the traffic to the threat actor’s credential harvesting landing page, which is typically hosted on Netlify or similar hosting providers, using lookalike domains such as mckinsey-careers[.]com or adidas-hiring[.]com.

This multi-tiered redirect chain is highly effective against automated analysis. Security scanners that inspect only the initial URL see a legitimate Salesforce link and allow the traffic to proceed. Furthermore, sandboxing engines that trace the redirect path may time out or fail to analyze the final destination due to the complexity and depth of the redirection sequence. By nesting the redirection within several multi-billion-dollar SaaS ecosystems, the threat actors create a maze that filters and security analysts find difficult to parse in real time.

The Browser-in-the-Browser (BitB) Trap

Once the nested redirect chain completes, the victim lands on a high-fidelity clone of the target company’s careers portal. The page features convincing branding, high-quality graphics, and a functional schedule-booking interface. To select an interview time slot, the victim is prompted to authenticate using their corporate or personal Google account. This step initiates the final, and perhaps most technically brilliant, phase of the attack: a Browser-in-the-Browser (BitB) exploit.

When the user clicks the “Sign in with Google” button, they expect to see a native browser pop-up window executing the standard Google Single Sign-On (SSO) OAuth flow. However, rather than calling a real OS-level window, the phishing site uses HTML, CSS, and JavaScript to paint a completely simulated browser window directly inside the existing webpage. This fake popup features an exact visual replica of the Google account selection and login screens, a spoofed browser address bar showing accounts.google.com, and a simulated SSL padlock icon to falsely assure the victim of a secure connection.

Because the address bar is painted digitally inside the page, traditional user training—which instructs employees to “always verify the URL in the address bar before logging in”—completely fails. The user looks at the faux address bar, sees the correct domain, and assumes they are communicating directly with Google. Once the victim inputs their Google password and provides the multi-factor authentication (MFA) codes generated by their device, the inputs are intercepted by the threat actor’s server. This gives the attackers immediate access to the target’s primary Google account and session tokens, bypassing basic MFA.

Defeating Advanced Phishing Campaigns: Enterprise Defensive Controls

The success of this highly tailored campaign demonstrates that traditional, reactive email security paradigms are no longer sufficient to protect corporate assets. Relying on users to spot visual indicators of fraud or hoping that automated email gateways will catch nested redirects leaves organizations highly vulnerable. To defend against such sophisticated campaigns, enterprise security teams must adopt a multi-layered, proactive defense strategy:

  1. Implement Phishing-Resistant MFA: Traditional multi-factor authentication methods (such as SMS codes, email OTPs, and push notifications) are vulnerable to real-time credential harvesting. Organizations must transition to phishing-resistant authentication protocols, specifically FIDO2/WebAuthn hardware security keys or passkeys. These technologies bind the cryptographic authentication exchange directly to the physical origin domain, rendering harvested credentials useless on attacker-controlled landing pages.
  2. Enhance Email Gateway Inspectability: Security administrators should configure SEGs and cloud email security suites to deep-scan redirect chains. Implementation of policies that block or quarantine emails containing nested redirects passing through third-party CRMs and marketing platforms is highly recommended, particularly when sent to high-risk roles.
  3. Adopt Out-of-Band Verification Protocols: Recruitment-related outreach should always be verified out-of-band. Job candidates should be trained to bypass direct email links and navigate manually to the target company’s official career portal or contact the HR department via verified public channels.
  4. Implement Browser-Level Protections: Modern endpoint protection tools and advanced browser security configurations can block suspicious, unverified iFrames and detect simulated browser-in-the-browser window objects, alerting users to visual rendering anomalies.

By combining robust technical policies with targeted, modern security awareness training, enterprises can significantly reduce the attack surface exploited by these highly sophisticated campaigns.

TN

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.