A sophisticated phishing campaign is targeting job seekers by posing as Google Careers recruiters, luring victims with fake job offers before stealing Gmail login credentials.
Researchers warn that the phishing campaign abuses Salesforce subdomain spoofing and Cloudflare protections to appear legitimate, tricking victims into surrendering credentials.
The hidden risks of compromised Gmail credentials
The phishing operation is designed to harvest Gmail credentials at scale, which can have cascading effects across personal and corporate accounts.
Because Gmail often serves as a primary identity for services ranging from Google Workspace to multi-factor authentication resets, a single compromised inbox could open the door to widespread account takeovers.
This type of phishing scheme should concern both job seekers and enterprise defenders tasked with preventing credential-stuffing attacks and lateral movement within hybrid work environments.
Breaking down the scam
The phishing emails originate from a spoofed Salesforce subdomain and use enticing subject lines such as “Exclusive Google Careers Opportunity.”
Recipients are prompted to click a “View the role” button that redirects to a fake application portal hosted at domains like apply[.]grecruitingwise[.]com, which sits behind Cloudflare infrastructure.
At first glance, the site appears to be a legitimate Google application page. Victims are asked to provide personal information — full name, phone number, and address — which is then transmitted via HTTP POST to satoshicommands[.]com, the attacker’s backend domain.
From there, users are funneled into a fraudulent Google login form, where they are prompted to enter their Gmail credentials.
Behind the scenes, malicious JavaScript establishes a persistent WebSocket connection to the attacker’s server, polling every two seconds for commands. These instructions guide the victim through additional verification prompts, including OTP or multi-factor authentication, making the attack resilient against basic two-step protections. Once credentials are captured, victims are redirected to a generic “Processing your request” page, leaving them unaware of the compromise.
The investigation identified dozens of related phishing domains, including apply[.]grecruitdigital[.]com, gteamhirehub[.]com, and gcandidatespath[.]com.
Several variants were also hosted on Vercel app subdomains, highlighting the attackers’ ability to dynamically spin up infrastructure to avoid takedowns. Reddit comments and URLScan.io analyses indicate that this campaign has been active for months, with consistent reports of victims.
Security steps to take now
To blunt the impact of similar phishing campaigns, enterprises should layer technical defenses with user vigilance through the following controls:
- Enforce domain verification: Train employees to validate emails by checking sender domains against official sites.
- Deploy email gateway filtering: Detect and block Salesforce subdomain spoofing and suspicious sites.
- Block malicious infrastructure at the DNS level: Proactively blocklist known phishing domains and monitor for Cloudflare-hosted lookalikes.
- Build phishing awareness: Educate staff on themed scams, including fake CAPTCHAs and credential-harvesting portals.
- Mandate multi-factor authentication: Require 2FA across corporate Gmail/Google Workspace accounts and encourage extension to personal accounts.
- Integrate threat intelligence feeds: Share and update indicators (domains, IPs, infrastructure) across teams to quickly disrupt campaigns.
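The DNS-level blocking and lookalike monitoring described above can be prototyped as follows. This is an added example, not code from the researchers or the article: the log format, the `.example` hostname, the allowlist and the "g plus hiring word" heuristic are assumptions, and only the defanged domains come from the article.

```python
# Domains named in the article, kept defanged as published.
DEFANGED_IOCS = [
    "apply[.]grecruitingwise[.]com",
    "satoshicommands[.]com",
    "apply[.]grecruitdigital[.]com",
    "gteamhirehub[.]com",
    "gcandidatespath[.]com",
]
# Assumed heuristic (not from the article): a registrable label that starts
# with "g" and contains a hiring-related word, as the listed domains do.
HIRING_WORDS = ("recruit", "hire", "candidate", "career")
ALLOWLIST = {"google.com"}  # assumption: extend with your own trusted zones

def refang(indicator):
    """Turn a defanged indicator or raw query name into a normalized hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def registrable(host):
    # Naive last-two-labels split; assumption: use a public-suffix list in production.
    return ".".join(host.split(".")[-2:])

BLOCKED = {registrable(refang(i)) for i in DEFANGED_IOCS}

def classify(host):
    """Return 'block' for known campaign domains, 'review' for lookalikes, else 'allow'."""
    base = registrable(refang(host))
    if base in ALLOWLIST:
        return "allow"
    if base in BLOCKED:
        return "block"
    label = base.split(".")[0]
    if label.startswith("g") and any(word in label for word in HIRING_WORDS):
        return "review"
    return "allow"

# Constructed sample resolver log: "<timestamp> <client> <queried name>"
SAMPLE_LOG = """\
2025-01-01T09:00:01Z 10.0.0.5 careers.google.com
2025-01-01T09:00:02Z 10.0.0.7 apply.grecruitingwise.com
2025-01-01T09:00:04Z 10.0.0.7 satoshicommands.com
2025-01-01T09:00:09Z 10.0.0.3 github.com
2025-01-01T09:01:15Z 10.0.0.9 portal.gcareerhirepath.example
2025-01-01T09:02:30Z 10.0.0.4 APPLY.GRECRUITDIGITAL.COM.
"""

def scan(log_text):
    """Return (client, queried name, verdict) for every non-allowed lookup."""
    rows = (line.split() for line in log_text.strip().splitlines())
    hits = [(client, qname, classify(qname)) for _ts, client, qname in rows]
    return [hit for hit in hits if hit[2] != "allow"]
```

Matching on the registrable domain catches new subdomains of a listed domain, but it does not cover variants hosted on shared platform subdomains, which need full-hostname indicators instead.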
The new face of phishing attacks
This phishing campaign highlights how attackers are evolving beyond basic email lures to exploit trust in well-known infrastructure providers.
By embedding attacks within Salesforce-originated traffic and using Cloudflare’s protective layers, adversaries increase their chances of bypassing filters and convincing victims.
Phishing has evolved beyond typos and crude scams. Today’s campaigns mimic real recruiters, exploit trusted platforms, and increasingly weaponize AI to generate convincing lures.
This means traditional anti-phishing training must be paired with stronger technical controls, adaptive monitoring, and resilient identity protection strategies.
The collapse of trust in online interactions points to one solution: adopting Zero-Trust principles.





