https://gist.github.com/BushidoUK/57c38d5ee75481fb237e968a537de778
A highly targeted phishing campaign has been uncovered in which attackers are posing as recruiters from some of the world’s most recognisable brands to harvest victims’ Gmail credentials. The operation is notable for its level of personalisation, targets are addressed by name and appear to be selected based on their professional field, suggesting the attackers conducted prior reconnaissance before making contact. Victims receive emails purportedly offering marketing role interviews, and are directed to click a link to book a meeting, at which point they are prompted to hand over their Gmail login details via a convincing Browser-in-the-Browser pop-up that mimics a legitimate Google sign-in page.
What makes this campaign particularly sophisticated is its use of nested redirects across multiple legitimate platforms to evade detection. The initial phishing email is sent through PeopleForce, a genuine cloud-based HR and applicant tracking platform, lending the communication an air of authenticity. From there, the link chains through Salesforce Marketing Cloud’s ExactTarget service, then to Wise Agent, before ultimately landing the victim on a Netlify-hosted phishing site. The breadth of impersonated organisations is alarming, spanning industries including airlines such as American Airlines, Delta, and United; food and beverage giants Coca-Cola, PepsiCo, and Red Bull; luxury brands Louis Vuitton and Adidas; and tech and consulting firms including OpenAI, McKinsey & Company, and Adobe, among many others.
Security researchers have published a list of indicators of compromise associated with the campaign, comprising dozens of fraudulent domains designed to closely mimic legitimate career and hiring portals for the targeted organisations. Individuals working in marketing or related fields are urged to exercise extreme caution when receiving unsolicited recruitment emails, particularly those requesting Google account credentials at any stage of the process. Organisations whose brands are being impersonated should consider alerting their candidate communities and monitoring for fraudulent domains operating under their names.