Scammers have begun impersonating outreach from Google’s “Careers” division to trick targets into giving away their credentials.
According to a Sublime Security finding, the attackers are sending messages that appear to come from Google’s recruiting team — asking “Are you open to talk?” — and take victims through a fake booking process that lands them on a spoofed login page.
The scam exploits job seekers' attention and uses evasion tricks to slip past email defenses, relying on human error rather than a technical breach, Sublime researchers noted in a blog post. The attack's endgame is to harvest Google account credentials and gain full access to the victim's emails, files, and cloud data.
Clever disguises and dynamic evasion
Sublime's analysis revealed that the attack begins with a message impersonating Google Careers, sent in multiple languages (English, Spanish, and Swedish, among others) and from varied sender addresses that mimic recruiting services. The lure continues with a "Book a Call" link leading to a landing page styled like Google's scheduler, which in turn leads to a standard fake Google login.
The attackers used newly registered domains (such as apply.gcareersapplyway[.]com) and employed HTML tricks like breaking up the text "Google Careers" across multiple elements to evade scanners.
"We observed an interesting evasion tactic in (these) attacks," Sublime researchers said. "The attackers broke up the words 'Google Careers' with HTML formatting to evade text scanners. In one case, they put every letter of 'Google' into its own <label> element, effectively breaking up the word into six labels, not one word."
Within the detected set of senders, Sublime observed multiple cases of "service abuse or compromise" for message delivery. Abused services included Salesforce, Recruitee, Adecco, and Muckrack, among others. Attackers also incorporated a spoofed human verification step: after the "Book a Call" link, the victim is presented with a real or impersonated Cloudflare Turnstile page before being redirected to the fake scheduler and ultimately to the credential-capture form.
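The element-splitting evasion described above defeats scanners that match brand strings against raw HTML or against individual text nodes; the countermeasure is to match against the text as the recipient actually sees it. The following is an added example (not code from Sublime or the original article) that renders an HTML body to visible text and reports brand phrases that appear only after the markup is flattened. The sample message body, the hypothetical booking URL, and the phrase list are constructed for illustration.

```python
"""Detect brand names split across HTML elements (added example).

A phishing kit can hide "Google Careers" from text scanners by placing
each letter in its own inline element. Flattening the markup the way a
mail client renders it (tags stripped, zero-width characters removed,
whitespace collapsed) restores the phrase so it can be matched.
"""
from html.parser import HTMLParser
import re

# Constructed sample body: every letter of "Google" in its own <label>
# and "Careers" split over two <span>s, mirroring the described evasion.
# Not the campaign's actual HTML; the URL is a placeholder.
LETTERS = "".join(f"<label>{c}</label>" for c in "Google")
SAMPLE_HTML = f"""\
<div><p>Hi,</p>
<p>The {LETTERS} <span>Car</span><span>eers</span> team would like to
know: are you open to talk?</p>
<p><a href="https://apply.example.invalid/book">Book a Call</a></p></div>
"""

# Phrases worth alerting on when they only exist in rendered text.
BRAND_PHRASES = ["google careers"]

# Zero-width characters are another common way to split a word visibly
# intact but byte-wise different; strip them before matching.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")


class VisibleText(HTMLParser):
    """Collect text a recipient would see, skipping <script>/<style>."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag in ("p", "div", "br", "li", "tr", "td"):
            self.parts.append(" ")  # block-level tags separate words

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.parts.append(data)


def render_text(html: str) -> str:
    """Return the visible text with zero-width chars removed and
    runs of whitespace collapsed to a single space."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    text = ZERO_WIDTH.sub("", "".join(parser.parts))
    return re.sub(r"\s+", " ", text).strip()


def split_brand_phrases(html: str, phrases=BRAND_PHRASES) -> list:
    """Return phrases present in the rendered text but absent from the
    raw HTML. A hit means the phrase was deliberately fragmented, which
    is a stronger signal than a plain (possibly legitimate) mention."""
    rendered = render_text(html).lower()
    raw = html.lower()
    return [ph for ph in phrases if ph in rendered and ph not in raw]


if __name__ == "__main__":
    print(render_text(SAMPLE_HTML))
    print("split brand phrases:", split_brand_phrases(SAMPLE_HTML))
```

A production rule would match on `render_text()` output regardless of fragmentation and treat the raw-versus-rendered discrepancy as an added severity signal; the function above isolates that discrepancy so a plain, legitimate mention of the brand does not fire it.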
What organizations must do
Sublime observed a sophisticated backend infrastructure supporting the phishing operation. Rather than just relying on a static fake login page, the attackers used newly registered domains (like gappywave[.]com, gcareerspeople[.]com) and what appeared to be command-and-control (C2) servers such as satoshicommands[.]com to process stolen credentials.
Additionally, the HTML and JavaScript of the fake pages included interactions with a “gw.php” file that handles backend communication, indicating a more dynamic phishing kit rather than a simple static clone page.
Sublime published a list of indicators of compromise (IOCs), including WebSocket servers and a long list of landing-page domains. The cybersecurity company did not include recommendations, but basic hygiene against the campaign could include enforcing strong multi-factor authentication (MFA), deploying identity-first defense strategies, monitoring for unusual login patterns and geographies, and training employees to treat unsolicited recruiter invitations with skepticism. While the threat actor(s) behind this campaign remain unidentified, similar attacks have been reported recently, with one operation (Contagious Interview) even attributed to a North Korean APT.
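Published IOC lists arrive defanged (`gappywave[.]com`), and the landing-page and C2 hosts in a campaign like this are frequently used as subdomains, so a naive exact-string match against logs misses hits. The following added example (not code from Sublime or the article) refangs an IOC list, then scans DNS/proxy-style log lines for hosts that equal or are subdomains of an IOC domain, and additionally flags requests to the `gw.php` backend path mentioned above as a weaker kit-specific heuristic. The four domains are the ones quoted in the article; the log lines, timestamps, client addresses and the treatment of `gw.php` as a signal are constructed assumptions for illustration.

```python
"""Match defanged IOC domains against log lines (added example).

Refangs vendor-style indicators ("[.]" / "hxxp"), then checks each
requested host in a simple "timestamp client host path" log, treating
subdomains of an IOC domain as hits and the phishing kit's gw.php
backend path as a secondary signal.
"""
from urllib.parse import urlsplit

# Domains named in the article, in the defanged form vendors publish.
IOC_RAW = [
    "apply.gcareersapplyway[.]com",
    "gappywave[.]com",
    "gcareerspeople[.]com",
    "satoshicommands[.]com",
]

# Constructed log lines ("timestamp client host path"); not real telemetry.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.5 accounts.google.com /signin
2025-01-10T09:01:12Z 10.0.0.5 apply.gcareersapplyway.com /book
2025-01-10T09:01:30Z 10.0.0.5 challenges.cloudflare.com /turnstile/v0/api.js
2025-01-10T09:02:05Z 10.0.0.5 gappywave.com /gw.php
2025-01-10T09:02:06Z 10.0.0.5 ws.satoshicommands.com /socket
2025-01-10T09:05:00Z 10.0.0.9 notgappywave.com /
"""

# Common defanging conventions, in replacement order.
_DEFANG = [("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http")]


def refang(indicator: str) -> str:
    """Turn a defanged domain or URL into a bare lowercase hostname."""
    s = indicator.strip().lower()
    for defanged, plain in _DEFANG:
        s = s.replace(defanged, plain)
    if "://" in s:  # full URL: keep only the host part
        s = urlsplit(s).hostname or s
    return s.rstrip(".")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC domain itself or any subdomain of it.
    The leading dot prevents 'notgappywave.com' matching 'gappywave.com'."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log(log_text: str, iocs_raw=IOC_RAW) -> list:
    """Return one dict per log line that hits an IOC or the gw.php path."""
    iocs = [refang(i) for i in iocs_raw]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        ts, client, host, path = fields[:4]
        reasons = [f"ioc domain {d}" for d in iocs if host_matches(host, d)]
        # Assumption for this example: the kit's backend file name is a
        # weak but useful signal when combined with a new domain.
        if path.lower().endswith("/gw.php"):
            reasons.append("kit backend path gw.php")
        if reasons:
            hits.append({"ts": ts, "client": client, "host": host,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], "; ".join(hit["reasons"]))
```

Suffix matching with the leading dot is the detail that matters: it catches `ws.satoshicommands.com` without the false positive on `notgappywave.com`. For a full IOC feed, load the list from the vendor's file instead of the inline constant and feed real proxy or DNS logs in the same four-field shape.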