What happened
A new phishing campaign is targeting marketing professionals by impersonating recruiters from well-known global brands, including Coca-Cola, Louis Vuitton, McKinsey & Company, Netflix, OpenAI, and FIFA. The campaign was first identified by Will Thomas, Senior Threat Intelligence Adviser at Team Cymru, who found that attackers were sending personalized recruitment emails to individuals working in relevant roles.
The emails appear legitimate and are delivered through trusted business platforms such as PeopleForce, a cloud-based HR platform. Victims are invited to schedule a job interview by clicking a link that appears authentic but ultimately leads to a phishing website designed to steal Google account credentials.
The campaign relies on nested redirects, where users are silently routed through multiple legitimate services, including Salesforce-owned ExactTarget, Wise Agent, and Netlify, before reaching the attacker-controlled website. This approach makes malicious links more difficult for traditional email and web security tools to detect.
Once users reach the final page, they are presented with a fake Google login window using the browser-in-the-browser (BitB) technique, which closely mimics a legitimate browser sign-in prompt.
Who is affected
The campaign primarily targets marketing professionals and job seekers, particularly those who may be actively looking for new career opportunities. Because the phishing emails are personalized and reference recognizable brands, recipients are more likely to trust the messages.
Organizations are also at risk if employees reuse corporate Google accounts or if compromised credentials provide access to cloud applications, shared documents, or collaboration platforms.
According to Pieter Arntz, Malware Intelligence Researcher at Malwarebytes, job recruitment scams remain effective because competitive hiring markets and increasingly convincing AI-generated content make phishing attempts more believable.
Why CISOs should care
This campaign highlights how attackers continue to blend social engineering with trusted cloud services to evade traditional security controls. By routing victims through legitimate platforms, phishing emails can bypass reputation-based filtering that only evaluates the initial destination.
The use of personalized recruitment messages and realistic browser-in-the-browser login pages further increases the likelihood of credential theft. As attackers continue abusing trusted business services, organizations need defenses that inspect the full redirect chain rather than relying solely on domain reputation.
3 practical actions
- Deploy web security solutions capable of inspecting nested redirects and blocking malicious destinations throughout the entire redirect chain.
- Require phishing-resistant multi-factor authentication and encourage password managers, which help prevent credentials from being entered into fraudulent websites.
- Regularly train employees to verify recruitment emails independently, especially those claiming to represent well-known brands or requesting account sign-ins.

