Phishing Campaign Targets Marketing Professionals with Fake Job Offers from Major Brands
A sophisticated phishing campaign is impersonating over 30 high-profile brands including Adobe, Netflix, Coca-Cola, and OpenAI to steal Google account credentials from marketing professionals under the guise of fake job interviews. The operation leverages legitimate cloud-based platforms, including PeopleForce (an HR service) and Salesforce Marketing Cloud, to lend credibility to its attacks before redirecting victims to malicious landing pages.
The threat actor enhances trust by using real recruiters’ names and photos from the impersonated companies. Researcher Will Thomas of Team Cymru identified at least 34 domains mimicking brands across multiple sectors, such as airlines (American Airlines, Delta), food and beverage (Coca-Cola, PepsiCo), tech (Adobe, OpenAI), and entertainment (Netflix, FIFA).
The campaign employs nested redirects, routing victims through multiple legitimate services before reaching the phishing page. For example, links in phishing emails initially resolve to exct[.]net (a Salesforce-operated domain) before redirecting to Wise Agent, a real estate CRM, and finally to the fraudulent site. The operation has been active for at least five months, initially using Outlook email addresses branded with the impersonated companies’ names.
One phishing email, posing as an Adidas recruiter, invited recipients to schedule a meeting via a link that led to adidas-hiring[.]com. Victims were prompted to sign in with their Google accounts, triggering a fake Google authentication popup a browser-in-the-browser (BitB) technique that mimics a legitimate login window using HTML and CSS.
While the exact method of access to the legitimate platforms remains unclear, the abuse does not indicate a compromise of PeopleForce or Salesforce. The attacker may have created genuine accounts or used stolen credentials to configure the redirect chain. A full list of the malicious domains is available in Thomas’ GitHub analysis.
PepsiCo cybersecurity rating report: https://www.rankiteo.com/company/pepsico
Delta Air Lines cybersecurity rating report: https://www.rankiteo.com/company/delta-air-lines
Adobe cybersecurity rating report: https://www.rankiteo.com/company/adobe
FIFA cybersecurity rating report: https://www.rankiteo.com/company/fifa
The Coca-Cola Company cybersecurity rating report: https://www.rankiteo.com/company/the-coca-cola-company
adidas cybersecurity rating report: https://www.rankiteo.com/company/adidas
Netflix cybersecurity rating report: https://www.rankiteo.com/company/netflix
OpenAI cybersecurity rating report: https://www.rankiteo.com/company/openai
"id": "PEPDELADOFIFTHEADINETOPE1783376814",
"linkid": "pepsico, delta-air-lines, adobe, fifa, the-coca-cola-company, adidas, netflix, openai",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
'name': 'Adobe',
'type': 'Corporation'},
{'industry': 'Entertainment',
'name': 'Netflix',
'type': 'Corporation'},
{'industry': 'Food and Beverage',
'name': 'Coca-Cola',
'type': 'Corporation'},
{'industry': 'Technology',
'name': 'OpenAI',
'type': 'Corporation'},
{'industry': 'Airlines',
'name': 'American Airlines',
'type': 'Corporation'},
{'industry': 'Airlines',
'name': 'Delta',
'type': 'Corporation'},
{'industry': 'Food and Beverage',
'name': 'PepsiCo',
'type': 'Corporation'},
{'industry': 'Sports',
'name': 'FIFA',
'type': 'Organization'},
{'industry': 'Marketing',
'name': 'Marketing Professionals',
'type': 'Individuals'}],
'attack_vector': 'Email, Malicious Redirects, Browser-in-the-Browser (BitB) '
'Technique',
'data_breach': {'personally_identifiable_information': 'Potentially (if '
'credentials include '
'PII)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Google account credentials'},
'description': 'A sophisticated phishing campaign is impersonating over 30 '
'high-profile brands including Adobe, Netflix, Coca-Cola, and '
'OpenAI to steal Google account credentials from marketing '
'professionals under the guise of fake job interviews. The '
'operation leverages legitimate cloud-based platforms, '
'including PeopleForce and Salesforce Marketing Cloud, to lend '
'credibility to its attacks before redirecting victims to '
'malicious landing pages. The threat actor enhances trust by '
'using real recruiters’ names and photos from the impersonated '
'companies.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'impersonated brands',
'data_compromised': 'Google account credentials',
'identity_theft_risk': 'High'},
'initial_access_broker': {'entry_point': 'Phishing emails',
'high_value_targets': 'Marketing professionals'},
'investigation_status': 'Ongoing',
'motivation': 'Credential Theft',
'post_incident_analysis': {'root_causes': 'Abuse of legitimate cloud '
'platforms (PeopleForce, Salesforce '
'Marketing Cloud) for phishing '
"redirects; use of real recruiters' "
'identities to enhance credibility'},
'references': [{'source': 'Will Thomas (Team Cymru)',
'url': 'https://github.com/WillThomas/Phishing-Analysis'}],
'title': 'Phishing Campaign Targets Marketing Professionals with Fake Job '
'Offers from Major Brands',
'type': 'Phishing'}