Fake job interviews from 'Adidas', 'Netflix' and 'OpenAI' recruiters are stealing Google logins

A phishing crew is impersonating more than 30 major brands, hiding behind real business software from PeopleForce and Salesforce to trick marketing staff into handing over their Gmail passwords.

ThreatVectr Newsdesk· 3 min read
Full-frame overhead view of a laptop screen showing a blurred generic calendar-booking interface with a small login popup window in the centre, warm office ligh
Share

Key points

  • A phishing operation is impersonating at least 34 major brands, including Adobe, Netflix, Coca-Cola and OpenAI, to steal Google account passwords from marketing professionals.
  • The criminals abuse legitimate cloud services, PeopleForce HR software and a Salesforce Marketing Cloud domain (exct.net), to bounce victims through a chain of trusted links before landing on a fake sign-in page.
  • The campaign has been running for at least five months and uses names and photos of real recruiters at the impersonated companies to look convincing.
  • Victims see a fake Google login popup built with a technique called browser-in-the-browser, which draws a fake browser window inside the phishing page.
  • Team Cymru senior advisor Will Thomas published the list of domains and analysis on GitHub.

The pitch is flattering. A recruiter at a brand you know wants to talk to you about a marketing job. The email looks like it came from a real HR system. The calendar link looks real too.

It is all bait.

Security researcher Will Thomas of Team Cymru has tracked a phishing campaign, first reported by BleepingComputer, that impersonates recruiters at more than 30 big-name companies to steal Google account credentials. Phishing is when criminals send fake messages designed to trick people into typing their password into a site the criminals control.

The targets are marketing professionals. The lure is a job interview.

How does the scam actually work?

The criminals send an email that pretends to come from PeopleForce, a real cloud-based HR platform that companies genuinely use to manage hiring. Because the sending infrastructure is legitimate, the message sails past many spam filters.

Click the calendar link and you get bounced through a chain of trusted services. First to exct.net, a domain owned by Salesforce and used by its Marketing Cloud product (formerly ExactTarget). From there to wiseagent.com, a real estate customer database tool. Only then do you land on the attacker's page, something like adidas-hiring.com.

That page looks like a meeting-scheduling site. To book the interview, it asks you to sign in with Google.

Here is the clever part. The Google sign-in window that pops up is not a real browser window. It is a fake one drawn inside the phishing page using ordinary web code (HTML and CSS). Researchers call this trick browser-in-the-browser. Type your password in and it goes straight to the criminals.

Which brands are being impersonated?

Thomas identified at least 34 lookalike domains covering airlines and travel (American Airlines, Booking.com, Delta, United), food and drink (Coca-Cola, PepsiCo, Red Bull), fashion and luxury (Adidas, Louis Vuitton, Sephora, Levis), consulting and tech (Adobe, Aquent, ManpowerGroup, McKinsey, OpenAI), hospitality and marketing (Marriott, Omnicom), and entertainment and sport (FIFA, Netflix).

One sample email seen by researchers came from a fake Adidas recruiter named Paulina Manzo, a real person whose name and photo the criminals borrowed to look authentic.

What should you do if you got one of these emails?

If you clicked and typed your Google password anywhere in the last five months, change it now and turn on two-factor authentication, which requires a second code from your phone to log in.

Check your Google account's recent activity page. Look for logins from places you have never been.

Going forward, treat unsolicited recruiter emails with the same suspicion you would treat a message from your bank. Real recruiters do not need your Gmail password to book a meeting. If a scheduling page asks you to sign in with Google before it will show you a calendar, close the tab.

It is not yet clear how the criminals got access to the legitimate PeopleForce and Salesforce services. They may have signed up as ordinary paying customers, or used stolen logins from a previous breach. Neither company's platform has been broken into. The abuse works because the services are trusted, and trust is exactly what a phishing crew needs to borrow.

© 2026 Threat Vectr