Clever disguises and dynamic evasion
Sublime’s analysis revealed the attack begins with a message impersonating Google Careers, sent in multiple languages (English, Spanish, Swedish, among others) and from varied sender addresses that mimic recruiting services. The lure continues with a “Book a Call” link to a landing page styled like Google’s scheduler, which in turn leads to a standard fake Google login page.
The attackers used newly registered domains (apply.gcareersapplyway[.]com) and employed HTML tricks like breaking up the text “Google Careers” across multiple elements to evade scanners.
“We observed an interesting evasion tactic in (these) attacks,” Sublime researchers said. “The attackers broke up the words ‘Google Careers’ with HTML formatting to evade text scanners. In one case, they put every letter of ‘Google’ into its own
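The element-splitting trick described above defeats scanners that match on raw markup. As an added example (not code from the article or from Sublime), the snippet below renders the visible text of a constructed sample in which every letter of “Google” sits in its own span, strips zero-width characters, and matches brand phrases with whitespace squeezed out; `SAMPLE_HTML`, `BRAND_PHRASES` and the function names are assumptions for illustration.

```python
# Added example, not code from the article or from Sublime: recover brand text
# split across HTML elements (the "Google Careers" trick) before matching.
import re
from html.parser import HTMLParser

# Constructed sample imitating the evasion: each letter of "Google" in its own
# <span>, "Careers" split across three tags, plus a hidden span of junk text.
SAMPLE_HTML = """<div class="hdr">
  <span>G</span><span>o</span><span>o</span><span>g</span><span>l</span><span>e</span>
  <span style="display:none">ignore-me</span>
  <b>Ca</b><i>re</i><u>ers</u> - <a href="#">Book a Call</a>
</div>"""
BRAND_PHRASES = ["google careers"]
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")

class VisibleText(HTMLParser):
    """Collect text nodes, skipping <script>/<style> bodies and display:none."""
    def __init__(self):
        super().__init__()
        self.parts, self._hidden = [], []  # one hidden flag per open element

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        self._hidden.append(tag in ("script", "style") or "display:none" in style)

    def handle_endtag(self, tag):
        if self._hidden:
            self._hidden.pop()

    def handle_data(self, data):
        if not any(self._hidden):  # drop text under any hidden ancestor
            self.parts.append(data)

def visible_text(html: str) -> str:
    """Rendered text with zero-width characters removed and whitespace collapsed."""
    p = VisibleText()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", ZERO_WIDTH.sub("", "".join(p.parts))).strip()

def find_brand_phrases(html: str, phrases=BRAND_PHRASES) -> list[str]:
    """Match with all whitespace squeezed out, so 'G o o g l e' equals 'Google'."""
    squeezed = re.sub(r"\s+", "", visible_text(html)).lower()
    return [ph for ph in phrases if ph.replace(" ", "") in squeezed]

def raw_scan(html: str, phrases=BRAND_PHRASES) -> list[str]:
    """Naive scanner over raw markup; this is what the element-splitting evades."""
    return [ph for ph in phrases if ph in html.lower()]
```

Void tags such as `<br>` push a hidden flag that is never popped, so a production version should track tag names alongside the flags.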
Within the detected set of senders, Sublime observed multiple cases of “service abuse or compromise” for message delivery; abused services included Salesforce, Recruitee, Adecco and Muckrack. Attackers also incorporated a spoofed human verification step: after the “Book a Call” link, the victim is presented with a real or impersonated Cloudflare Turnstile page before being redirected to the fake scheduler and ultimately to the credential-capture form.
What must organizations do
Sublime observed a sophisticated backend infrastructure supporting the phishing operation. Rather than just relying on a static fake login page, the attackers used newly registered domains (like gappywave[.]com, gcareerspeople[.]com) and what appeared to be command-and-control (C2) servers such as satoshicommands[.]com to process stolen credentials.