What seems to be a job opportunity can turn into a credential theft scam.
Cybercriminals weaponize the names of over 30 brands to carry out a sophisticated phishing operation. Brands like Netflix, Coca-Cola, OpenAI, and FIFA are used to lure marketing professionals into fake recruitment workflows that ultimately steal Google account credentials.
According to BleepingComputer, the campaign routes victims through legitimate HR and marketing platforms before presenting a convincing fake Google sign-in window. By layering trusted platforms into the attack chain, the operation removes many of the phishing signs people have been taught to spot.
The campaign reflects a broader shift in phishing tactics, in which attackers increasingly exploit familiar business workflows and target high-value individuals rather than exploit software vulnerabilities. That increases the impact a single compromised account can have on businesses.
A more sophisticated deceptive tactics
Team Cymru senior advisor Will Thomas estimated that the campaign has been running for at least five months. He also noted that the operators initially used Outlook for their campaign. What makes the campaign stand out is the use of multiple tactics, implemented at each stage to feed into the next, building the pathway for a successful attack.
Abuse of trusted services and platforms
The attackers abused trusted platforms at two stages of the operation. First, they sent fake job outreach messages impersonating 34 brands across industries including airlines, food and beverage, apparel and luxury, staffing and consulting, hospitality, marketing, entertainment, and sports.
This gets more technical for the second stage. Instead of directing victims straight to a phishing site, the attackers routed them through legitimate HR and marketing platforms, including PeopleForce and Salesforce Marketing Cloud, before displaying a fake Google sign-in page to harvest Gmail credentials.

Impersonation attacks
The operators also impersonated well-known recruiters. The logic is simple: if an outreach comes from a respected recruiter, targets are more likely to hop on it, leaving little room for counterthoughts.

Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
Why marketers?
Thomas also identified marketing professionals as the primary targets. Since marketers routinely receive emails from people outside their existing contact lists, it makes unsolicited recruitment messages less unusual. That familiarity increases the chances that recipients will open phishing emails and engage with them.
Marketers often have access to valuable business-related data and a compromised Google account could provide attackers with a foothold into those resources.
How to know what’s fake?
The campaign shows that recognizable branding alone is no longer enough to establish trust. Job seekers and employees should verify unexpected interview invitations through official careers pages or known recruiter contacts rather than relying on links in emails.
Individuals should use multi-factor authentication (MFA) for Google Workspace and other business-related accounts to reduce the impact of stolen credentials. Although MFA cannot stop every phishing technique, it provides an additional barrier that can prevent a stolen password from leading directly to account compromise.
Brands should also monitor for domain impersonation through threat intelligence. Detecting newly registered domains that closely resemble official company names can help security teams quickly identify phishing infrastructure early and work with registrars or hosting providers to suspend malicious domains before they reach more victims.
With phishing scams stepping up their game, users should adopt good cybersecurity practices and treat unexpected emails and login requests with caution.