<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>O-UNC-038 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/o-unc-038/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 20:50:29 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/o-unc-038/feed.xml" rel="self" type="application/rss+xml"/><item><title>Operation Fake KickOff: Attackers Abuse Recruiters and SaaS to Harvest Work Credentials</title><link>https://feed.craftedsignal.io/briefs/2026-07-operation-fake-kickoff/</link><pubDate>Wed, 15 Jul 2026 20:50:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-operation-fake-kickoff/</guid><description>O-UNC-038 is conducting a multi-stage Adversary-in-the-Middle (AiTM) phishing operation that abuses legitimate SaaS platforms and recruiter identities to steal corporate Google Workspace credentials and bypass multi-factor authentication.</description><content:encoded><![CDATA[<p>Intel 471 has investigated &quot;Operation Fake KickOff,&quot; an ongoing, multi-stage phishing campaign attributed to O-UNC-038, which has been active since at least April 2025. This operation systematically abuses legitimate software-as-a-service (SaaS) platforms like Salesforce, SendGrid, and Zoho for email distribution to orchestrate corporate credential theft. Attackers impersonate real recruiters from major global brands across 15 industry verticals, primarily human resources consulting, to lure victims to deceptive, corporate-themed interview-scheduling interfaces. An adversary-in-the-middle (AiTM) toolkit, leveraging the Browser-in-the-Box (BitB) technique, is then deployed to harvest corporate Google Workspace credentials and live session tokens in real time, effectively bypassing standard multi-factor authentication (MFA) mechanisms. The campaign has identified 232 dedicated phishing domains and 80 command-and-control (C2) servers, with stolen data exfiltrated to Render cloud hosting infrastructure and subsequently to Telegram bots.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attackers use legitimate SaaS marketing and email-delivery platforms such as Salesforce, SendGrid, and Zoho to distribute email lures.</li>
<li>Email lures impersonate real recruiters from well-known organizations across various industries, often using typosquatted domains like <code>fifahr-careers.com</code> or <code>adidas-hiring.com</code>.</li>
<li>Victims click on links within these emails, directing them to deceptive landing pages designed to mimic standard interview-scheduling interfaces, such as Calendly.</li>
<li>The phishing landing page performs email validation, blocking standard personal email providers and compelling victims to enter corporate email addresses.</li>
<li>Upon corporate email submission, the page initiates an Adversary-in-the-Middle (AiTM) attack, presenting a visually identical Google sign-in replica page via the Browser-in-the-Box (BitB) technique within the current tab to harvest credentials.</li>
<li>As victims enter their corporate Google Workspace credentials, the AiTM toolkit orchestrates MFA bypasses by dynamically prompting for various second-factor challenges, including email codes, TOTP from Google Authenticator, SMS codes, and Google prompt notifications.</li>
<li>The attackers capture corporate Google Workspace credentials and live session tokens in real-time as they are entered and authenticated.</li>
<li>Stolen credentials and session data are transmitted via HTTP POST requests to C2 servers hosted primarily on the Render cloud platform (<code>onrender.com</code>) and then exfiltrated downstream to Telegram bots.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This operation has resulted in the theft of corporate Google Workspace login credentials and live session tokens, effectively bypassing multi-factor authentication. Organizations across 15 distinct industry verticals have been impersonated, with human resources consulting firms accounting for approximately 54% of observed phishing infrastructure. The campaign has been active since April 2025 and continues to successfully deploy live phishing pages and harvest corporate access, leading to unauthorized access to enterprise cloud environments. The broad impersonation and abuse of legitimate SaaS platforms increase the success rate of the attacks, making them difficult for targeted users to discern.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy Sigma rules detecting suspicious DNS queries to <code>onrender.com</code>, as this domain is used for C2 infrastructure.</li>
<li>Implement Sigma rules identifying suspicious network connections to <code>onrender.com</code> from corporate endpoints.</li>
<li>Enhance email gateway and proxy logs monitoring for phishing attempts originating from legitimate SaaS platforms (e.g., Salesforce, SendGrid, Zoho) but redirecting to external, typosquatted, or unknown domains.</li>
<li>Conduct regular security awareness training emphasizing the risks of sophisticated phishing, recruiter impersonation, and the visual cues of legitimate OAuth pop-ups versus in-tab login redirects.</li>
<li>Implement FIDO2 or other phishing-resistant MFA solutions where feasible to mitigate the risk of AiTM attacks and session token theft.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>phishing</category><category>credential-theft</category><category>aitm</category><category>social-engineering</category><category>mfa-bypass</category><category>saas-abuse</category><category>google-workspace</category></item></channel></rss>