Phishing Campaign Impersonating Coca‑Cola and Ferrari Harvests Google Workspace Credentials via MFA‑Bypassing Fake Sign‑In Pages
What Happened — Threat actors are running sophisticated phishing operations that masquerade as job‑offer recruiters from Coca‑Cola and Ferrari. Victims are lured to a fake Calendly‑style booking page, then to a counterfeit Google sign‑in window that not only captures passwords but also dynamically serves two‑factor authentication prompts, effectively bypassing MFA.
Why It Matters for TPRM —
- Credential theft from Google Workspace can give attackers lateral movement into a vendor’s cloud environment.
- MFA‑bypass techniques raise the success rate of credential‑based attacks, expanding the attack surface of any third party that relies on Google services.
- The use of high‑profile brand impersonation increases the likelihood of successful compromise across multiple industries.
Who Is Affected — Enterprises that use Google Workspace (IAM), recruiting firms, staffing agencies, and any organization whose employees receive unsolicited “job offer” emails.
Recommended Actions —
- Verify all unsolicited recruiter links through out‑of‑band communication.
- Enforce security keys or hardware‑based MFA for Google accounts.
- Deploy anti‑phishing training that includes brand‑impersonation scenarios.
- Monitor for anomalous sign‑in activity from unknown IP ranges.
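The sign-in monitoring recommended above, as an added example that is not from Malwarebytes Labs or Google: it flags successful sign-ins from outside expected networks and raises severity when the second factor is one a fake sign-in page can collect. The event schema, field names, factor labels and IP ranges are assumptions made for illustration, and the sample events are constructed.

```python
import ipaddress

# Assumption: networks the organization expects sign-ins from (documentation ranges).
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
# Assumption: factors a fake sign-in page can collect from the victim and replay.
PHISHABLE_FACTORS = {"totp", "sms", "push", "backup_code"}

# Constructed events in a simplified, hypothetical schema (not a Google export format).
SAMPLE_EVENTS = [
    {"user": "ana@example.com", "ip": "192.0.2.15", "result": "success", "factor": "totp"},
    {"user": "ana@example.com", "ip": "203.0.113.77", "result": "success", "factor": "totp"},
    {"user": "raj@example.com", "ip": "198.51.100.9", "result": "success", "factor": "security_key"},
    {"user": "raj@example.com", "ip": "203.0.113.80", "result": "failure", "factor": "sms"},
    {"user": "li@example.com", "ip": "2001:db8:10::5", "result": "success", "factor": "push"},
    {"user": "li@example.com", "ip": "not-an-ip", "result": "success", "factor": "sms"},
]


def in_known_range(ip):
    """True if ip parses and falls inside one of KNOWN_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable source address is treated as unknown
    return any(addr in net for net in KNOWN_RANGES)


def flag_signins(events):
    """Return findings for successful sign-ins from outside KNOWN_RANGES."""
    findings = []
    for ev in events:
        if ev["result"] != "success" or in_known_range(ev["ip"]):
            continue
        # A phishable factor from an unknown range is the high-priority case;
        # a security key cannot be replayed through a look-alike domain, so
        # those sign-ins are queued for review only.
        severity = "high" if ev["factor"] in PHISHABLE_FACTORS else "review"
        findings.append({"severity": severity, "user": ev["user"],
                         "ip": ev["ip"], "factor": ev["factor"]})
    return findings


if __name__ == "__main__":
    for f in flag_signins(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['user']:<18} {f['ip']:<14} factor={f['factor']}")
```
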
Technical Notes — Attack vector: phishing via malicious scheduling links → fake Google sign‑in page → credential capture and real‑time MFA prompt generation. No known CVE; the threat relies on social engineering and custom phishing kits. Data types at risk: Google Workspace credentials, email content, internal contacts. Source: Malwarebytes Labs