A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interviews to steal Google account credentials from marketing professionals.
The operation is abusing the legitimate cloud-based PeopleForce human resources platform and a domain associated with the Salesforce Marketing Cloud service before redirecting the recipient to a malicious landing page.
To further instill trust and increase the chances of success, the threat actor is using the names and pictures of real recruiters at impersonated companies.

Will Thomas, senior advisor at cybersecurity intelligence and threat hunting company Team Cymru, analyzed the campaign and discovered that the phishing email pretends to be from “a recruiter looking to hire people for marketing roles.”
The researcher uncovered that the threat actor is using at least 34 domains impersonating high-value companies in the following sectors:
- Airlines and travel: American Airlines, Booking.com, Delta Air Lines, United Airlines
- Food and beverage: Coca-Cola, PepsiCo, Red Bull
- Apparel and luxury goods: Adidas, Louis Vuitton, Sephora, Levis
- Staffing, consulting, and tech: Adobe, Aquent, ManpowerGroup, McKinsey & Company, OpenAI
- Hospitality and marketing: Marriott, Omnicom Group
- Entertainment and sports: FIFA, Netflix
Thomas found that the campaign relies on nested redirects, a technique that routes visitors through multiple legitimate services before reaching the malicious landing page.
The researcher noted that while the phishing emails appear to originate from PeopleForce, the underlying links resolve to the exct[.]net domain, which is operated by Salesforce following its acquisition of the ExactTarget marketing automation platform, now rebranded as Salesforce Marketing Cloud.
ExactTarget redirects to the Wise Agent (wiseagent[.]com) cloud-based real estate Customer Relationship Management (CRM) software for agents, teams, and brokers, which forwards to the phishing landing page.
BleepingComputer has found that the operation has been running for at least five months and initially used Outlook email addresses with the name of the impersonated company.
One phishing email, posing as a message from Adidas recruiter Paulina Manzo, asked the recipient to schedule a conversation about a potential role at the company.

source: Sergiu George
When clicking on the link to the calendar, the recipient was redirected to the threat actor’s landing page adidas-hiring[.]com
To continue the process for scheduling a meeting with the recruiter, the potential victim is asked to sign into their Google account.

source: BleepingComputer
Clicking on the “Continue with Google” button triggers a fake Google sign-in popup rendered inside the phishing page to impersonate Google authentication.
Although the pop-up may appear as a legitimate browser window, it is just HTML and CSS code rendered inside the phishing page, a technique known as browser-in-the-browser (BitB).
By using modern web development tools, the attacker can imitate all the elements of a legitimate authentication pop-up page.

source: BleepingComputer
While it is unclear how the threat actor gained access to the legitimate platforms, abusing them does not imply a compromise of the services.
One possible avenue is creating a genuine account specifically for the campaign, or using compromised logins, which allows configuring the redirect chain and the landing page.
A list of the domains discovered in this phishing campaign is available in Will Thomas’ analysis on GitHub.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper

