Full Report
A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interviews to steal Google account credentials from marketing professionals. The operation is abusing the legitimate cloud-based PeopleForce human resources platform and a domain associated with the Salesforce Marketing Cloud service before redirecting the recipient to a…
Analysis Summary
Based on the article provided and the associated security research regarding this campaign, here is a summary of the techniques used.
# Technique: Brand Impersonation Credential Phishing
## Overview
This is a sophisticated credential phishing campaign targeting marketing professionals via fake recruitment processes. It exploits the trust of reputable brands and abuses legitimate SaaS infrastructure (PeopleForce and Salesforce) to bypass email security filters and deceive victims into providing Google account credentials.
## Technical Details
- **Type:** Phishing / Social Engineering
- **Platform:** Web / Google Workspace
- **Capabilities:** Credential harvesting, multi-stage redirection, subversion of legitimate business platforms (Living off Trusted Services).
- **First Seen:** Reported July 2024 (Note: Article date indicates 2026, likely referring to recent or projected campaign activity).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0007 - Discovery]**
- [T1589.002 - Gather Victim Identity Information: Email Addresses]
- **[TA0006 - Credential Access]**
- [T1557 - Adversary-in-the-Middle] (Technique utilized on the landing page)
- **[TA0005 - Defense Evasion]**
- [T1564.010 - Hide Artifacts: Use of Legitimate Cloud Services]
## Functionality
### Core Capabilities
- **Infrastructure Abuse:** Uses legitimate PeopleForce HR platform invitations to send emails that appear authentic and bypass SPF/DKIM/DMARC checks.
- **Trusted Relay:** Employs Salesforce Marketing Cloud domains for link redirection to mask the final destination of the malicious URL.
- **Targeted Social Engineering:** Specifically targets marketing professionals with roles tailored to their expertise.
### Advanced Features
- **Identity Theft:** Uses the names and professional photos of actual recruiters from companies like Adobe, Netflix, and OpenAI to increase the appearance of legitimacy.
- **Brand Saturation:** Simultaneously impersonates over 30 global brands to cast a wide net while maintaining high-quality lures.
## Indicators of Compromise
*Note: Indicators are based on general campaign reports and are defanged for safety.*
- **File Names:** N/A (Web-based campaign)
- **Network Indicators:**
- `peopleforce[.]io` (Abused legitimate platform)
- `click[.]email[.]salesforce[.]com` (Abused legitimate redirector)
- `job-interview-portal[.]com` (Example of a defanged phishing domain)
- **Behavioral Indicators:** Unexpected interview invitations from PeopleForce platforms for roles the user did not apply for; redirects through multiple marketing cloud domains before arriving at a Google login prompt.
## Associated Threat Actors
- **Unknown:** Currently attributed to financially motivated threat actors specializing in account takeover (ATO) and corporate espionage targeting marketing data.
## Detection Methods
- **Behavioral Detection:** Monitoring for high-volume redirects from legitimate Salesforce/PeopleForce domains to unauthorized third-party domains.
- **Log Analysis:** Checking for Google account logins following a click-through from HR management software that was not initiated by the recruitment department.
- **Email Security:** Implementing advanced threat protection (ATP) that can "unroll" URL redirects to inspect the final landing page content.
## Mitigation Strategies
- **Multi-Factor Authentication (MFA):** Implementation of hardware-based MFA (e.g., FIDO2 keys) which is resistant to credential phishing.
- **Security Awareness Training:** Educating employees to verify interview requests through official company portals rather than clicking links in unexpected automated emails.
- **Domain Monitoring:** Using brand protection services to identify and take down domains impersonating company recruitment portals.
## Related Tools/Techniques
- **Living off Trusted Services (LoTS):** A broader strategy where attackers use popular SaaS (Google Drive, Dropbox, Salesforce) to host or relay malicious content.
- **BEC (Business Email Compromise):** Often the follow-up step once marketing credentials have been successfully stolen.