Lily
Anne

Fake Brand Interviews Use Browser-in-the-Browser Phishing to Steal Google Credentials

Lily Anne

Jul 9, 2026

5 min read

Fake Brand Interviews Use Browser-in-the-Browser Phishing to Steal Google Credentials

TL;DR

Fake recruiter phishing campaigns now impersonate major brands to steal Google credentials from job seekers. Attackers route victims through legitimate platforms, then display browser-in-the-browser Google sign-in popups on fake interview pages. Enterprises should combine phishing-resistant MFA, device compliance, conditional access, and endpoint monitoring to reduce account takeover risk quickly.

A new Google account phishing campaign is using fake big-brand job interview lures to steal credentials from marketing professionals. BleepingComputer reported that the campaign impersonates more than 30 brands, including Adobe, Netflix, Coca-Cola, OpenAI, Adidas, McKinsey & Company, Marriott, and FIFA.

The attack starts with recruiter-themed emails that use real recruiter names and images to build trust. Victims are then routed through legitimate services, including PeopleForce and a domain linked to Salesforce Marketing Cloud infrastructure, before landing on an attacker-controlled phishing page.

How the campaign works

The attack does not rely on a crude fake login page alone. It begins with recruiter phishing, where the promise of a job interview lowers suspicion and gives the victim a reason to click.

Here’s how the flow works:

  • The victim receives a recruiter-themed email impersonating a well-known brand.
  • The message uses a job interview lure to make the interaction feel legitimate.
  • The link takes the victim through a fake scheduling workflow.
  • The page asks the victim to continue with Google to proceed with the meeting request.

Instead of opening a real Google authentication window, the site displays a fake sign-in popup inside the phishing page.

This is where browser-in-the-browser phishing enters the chain. The fake Google sign-in window can mimic the look of a real browser popup, but it is actually built with HTML and CSS inside the attacker-controlled page. BleepingComputer identified this as a browser-in-the-browser, or BitB, technique.

This tactic is effective because it challenges common phishing awareness habits. Many users have been trained to look for obvious warning signs such as:

  • Suspicious domains
  • Broken branding
  • Poor formatting
  • Unusual login pages
  • Spelling or design errors

BitB phishing makes those checks less reliable. The fake popup can look like an OAuth-style sign-in prompt, complete with familiar visual cues. If the surrounding job interview workflow feels legitimate, the user may focus on the apparent Google sign-in window instead of checking whether a real browser-level authentication window has opened.

The redirect chain adds another layer of credibility. When the link appears to pass through legitimate HR, marketing, or CRM services, users may assume the process is safe. This makes simple advice such as “check the URL” harder to apply, especially when the visible journey includes platforms employees already recognize or trust.

Why Google account phishing raises enterprise risk

A stolen Google account can be far more valuable than a single mailbox. Google Workspace includes business email, Drive cloud storage, Docs, Calendar, Meet, and other collaboration tools, meaning one compromised account may expose communications, shared documents, schedules, and connected workflows.

For enterprises, the risk expands further when Google accounts connect to SaaS tools, analytics platforms, advertising environments, developer resources, or identity workflows. A successful Google account phishing attack can therefore become the opening move for account takeover, data theft, internal reconnaissance, lateral movement, or business email compromise.

The campaign also shows why employee role context matters. Marketing teams often communicate with external agencies, vendors, recruiters, event partners, and platform providers. They may receive more legitimate third-party links than many other departments. Attackers can exploit that normal business pattern by placing phishing activity inside workflows that do not feel unusual.

Why Hexnode UEM
Featured Resource

Why Hexnode UEM

Discover how Hexnode UEM simplifies endpoint management, strengthens security, and drives business success.

Download the brochure

Where Hexnode fits in the defense strategy

Stopping Google account phishing takes more than user awareness. Enterprises need layered controls that reduce the impact of stolen credentials and detect suspicious activity early.

Hexnode helps strengthen this defense in three key ways:

  • Device compliance: Hexnode UEM lets admins define compliance criteria and mark devices non-compliant if they are not encrypted, do not meet password requirements, are missing required apps, or are identified as jailbroken.
  • Conditional access: With Microsoft Entra Conditional Access integration, Hexnode can report device compliance status so access to organizational resources can be granted or blocked based on compliant-device requirements for supported Android, iOS, and macOS 11+ devices.
  • Google Workspace integration: Hexnode can sync Google Workspace user and group inventory and simplify enrollment and user management operations for Windows, Android, macOS, and iOS devices.
  • Endpoint investigation: Hexnode XDR helps security teams analyze endpoint telemetry, detect suspicious patterns, and investigate post-compromise activity.

This matters because stolen credentials should not automatically grant full access. When Conditional Access is configured to require a compliant device, Microsoft Entra ID can use compliance status reported from Hexnode to help grant or block access.

Conclusion

This fake interview campaign shows how modern phishing now blends trusted brands, real recruiter identities, legitimate redirects, and polished scheduling pages. It also uses browser-in-the-browser phishing to make credential theft feel like a routine business interaction.

Enterprises should respond with layered defenses such as phishing-resistant MFA, conditional access, device compliance checks, endpoint telemetry, and user verification habits.

The key lesson is clear: Google account phishing is not just an email-security issue. It is an identity, endpoint, and access-control problem. Strong defenses should limit what attackers can do even when credentials are exposed.

FAQs

Browser-in-the-browser phishing is a tactic where attackers create a fake login popup inside a malicious webpage. The window can look like a legitimate Google sign-in prompt, but it is only an HTML and CSS imitation designed to capture credentials.

Enterprises can reduce Google account phishing risk by using phishing-resistant MFA, conditional access, device compliance checks, endpoint monitoring, and user awareness training. These controls help block access from unmanaged devices and detect suspicious activity after credentials are exposed.

Share

Lily Anne

Content writer at Hexnode. Fueled by good coffee and the occasional cat cuddle, I enjoy crafting content that informs, connects, and resonates. Nothing excites me more than knowing my words have been read, appreciated, and maybe even bookmarked.