{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/o-unc-038/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["O-UNC-038"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Workspace"],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","aitm","social-engineering","mfa-bypass","saas-abuse","google-workspace"],"_cs_type":"threat","_cs_vendors":["Google"],"content_html":"\u003cp\u003eIntel 471 has investigated \u0026quot;Operation Fake KickOff,\u0026quot; an ongoing, multi-stage phishing campaign attributed to O-UNC-038, which has been active since at least April 2025. This operation systematically abuses legitimate software-as-a-service (SaaS) platforms like Salesforce, SendGrid, and Zoho for email distribution to orchestrate corporate credential theft. Attackers impersonate real recruiters from major global brands across 15 industry verticals, primarily human resources consulting, to lure victims to deceptive, corporate-themed interview-scheduling interfaces. An adversary-in-the-middle (AiTM) toolkit, leveraging the Browser-in-the-Box (BitB) technique, is then deployed to harvest corporate Google Workspace credentials and live session tokens in real time, effectively bypassing standard multi-factor authentication (MFA) mechanisms. The campaign has identified 232 dedicated phishing domains and 80 command-and-control (C2) servers, with stolen data exfiltrated to Render cloud hosting infrastructure and subsequently to Telegram bots.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttackers use legitimate SaaS marketing and email-delivery platforms such as Salesforce, SendGrid, and Zoho to distribute email lures.\u003c/li\u003e\n\u003cli\u003eEmail lures impersonate real recruiters from well-known organizations across various industries, often using typosquatted domains like \u003ccode\u003efifahr-careers.com\u003c/code\u003e or \u003ccode\u003eadidas-hiring.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eVictims click on links within these emails, directing them to deceptive landing pages designed to mimic standard interview-scheduling interfaces, such as Calendly.\u003c/li\u003e\n\u003cli\u003eThe phishing landing page performs email validation, blocking standard personal email providers and compelling victims to enter corporate email addresses.\u003c/li\u003e\n\u003cli\u003eUpon corporate email submission, the page initiates an Adversary-in-the-Middle (AiTM) attack, presenting a visually identical Google sign-in replica page via the Browser-in-the-Box (BitB) technique within the current tab to harvest credentials.\u003c/li\u003e\n\u003cli\u003eAs victims enter their corporate Google Workspace credentials, the AiTM toolkit orchestrates MFA bypasses by dynamically prompting for various second-factor challenges, including email codes, TOTP from Google Authenticator, SMS codes, and Google prompt notifications.\u003c/li\u003e\n\u003cli\u003eThe attackers capture corporate Google Workspace credentials and live session tokens in real-time as they are entered and authenticated.\u003c/li\u003e\n\u003cli\u003eStolen credentials and session data are transmitted via HTTP POST requests to C2 servers hosted primarily on the Render cloud platform (\u003ccode\u003eonrender.com\u003c/code\u003e) and then exfiltrated downstream to Telegram bots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis operation has resulted in the theft of corporate Google Workspace login credentials and live session tokens, effectively bypassing multi-factor authentication. Organizations across 15 distinct industry verticals have been impersonated, with human resources consulting firms accounting for approximately 54% of observed phishing infrastructure. The campaign has been active since April 2025 and continues to successfully deploy live phishing pages and harvest corporate access, leading to unauthorized access to enterprise cloud environments. The broad impersonation and abuse of legitimate SaaS platforms increase the success rate of the attacks, making them difficult for targeted users to discern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy Sigma rules detecting suspicious DNS queries to \u003ccode\u003eonrender.com\u003c/code\u003e, as this domain is used for C2 infrastructure.\u003c/li\u003e\n\u003cli\u003eImplement Sigma rules identifying suspicious network connections to \u003ccode\u003eonrender.com\u003c/code\u003e from corporate endpoints.\u003c/li\u003e\n\u003cli\u003eEnhance email gateway and proxy logs monitoring for phishing attempts originating from legitimate SaaS platforms (e.g., Salesforce, SendGrid, Zoho) but redirecting to external, typosquatted, or unknown domains.\u003c/li\u003e\n\u003cli\u003eConduct regular security awareness training emphasizing the risks of sophisticated phishing, recruiter impersonation, and the visual cues of legitimate OAuth pop-ups versus in-tab login redirects.\u003c/li\u003e\n\u003cli\u003eImplement FIDO2 or other phishing-resistant MFA solutions where feasible to mitigate the risk of AiTM attacks and session token theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T20:50:29Z","date_published":"2026-07-15T20:50:29Z","id":"https://feed.craftedsignal.io/briefs/2026-07-operation-fake-kickoff/","summary":"O-UNC-038 is conducting a multi-stage Adversary-in-the-Middle (AiTM) phishing operation that abuses legitimate SaaS platforms and recruiter identities to steal corporate Google Workspace credentials and bypass multi-factor authentication.","title":"Operation Fake KickOff: Attackers Abuse Recruiters and SaaS to Harvest Work Credentials","url":"https://feed.craftedsignal.io/briefs/2026-07-operation-fake-kickoff/"}],"language":"en","title":"CraftedSignal Threat Feed - O-UNC-038","version":"https://jsonfeed.org/version/1.1"}