Skip to content
Threat Feed
high threat

Operation Fake KickOff: Attackers Abuse Recruiters and SaaS to Harvest Work Credentials

O-UNC-038 is conducting a multi-stage Adversary-in-the-Middle (AiTM) phishing operation that abuses legitimate SaaS platforms and recruiter identities to steal corporate Google Workspace credentials and bypass multi-factor authentication.

Intel 471 has investigated "Operation Fake KickOff," an ongoing, multi-stage phishing campaign attributed to O-UNC-038, which has been active since at least April 2025. This operation systematically abuses legitimate software-as-a-service (SaaS) platforms like Salesforce, SendGrid, and Zoho for email distribution to orchestrate corporate credential theft. Attackers impersonate real recruiters from major global brands across 15 industry verticals, primarily human resources consulting, to lure victims to deceptive, corporate-themed interview-scheduling interfaces. An adversary-in-the-middle (AiTM) toolkit, leveraging the Browser-in-the-Box (BitB) technique, is then deployed to harvest corporate Google Workspace credentials and live session tokens in real time, effectively bypassing standard multi-factor authentication (MFA) mechanisms. The campaign has identified 232 dedicated phishing domains and 80 command-and-control (C2) servers, with stolen data exfiltrated to Render cloud hosting infrastructure and subsequently to Telegram bots.

Attack Chain

  1. Attackers use legitimate SaaS marketing and email-delivery platforms such as Salesforce, SendGrid, and Zoho to distribute email lures.
  2. Email lures impersonate real recruiters from well-known organizations across various industries, often using typosquatted domains like fifahr-careers.com or adidas-hiring.com.
  3. Victims click on links within these emails, directing them to deceptive landing pages designed to mimic standard interview-scheduling interfaces, such as Calendly.
  4. The phishing landing page performs email validation, blocking standard personal email providers and compelling victims to enter corporate email addresses.
  5. Upon corporate email submission, the page initiates an Adversary-in-the-Middle (AiTM) attack, presenting a visually identical Google sign-in replica page via the Browser-in-the-Box (BitB) technique within the current tab to harvest credentials.
  6. As victims enter their corporate Google Workspace credentials, the AiTM toolkit orchestrates MFA bypasses by dynamically prompting for various second-factor challenges, including email codes, TOTP from Google Authenticator, SMS codes, and Google prompt notifications.
  7. The attackers capture corporate Google Workspace credentials and live session tokens in real-time as they are entered and authenticated.
  8. Stolen credentials and session data are transmitted via HTTP POST requests to C2 servers hosted primarily on the Render cloud platform (onrender.com) and then exfiltrated downstream to Telegram bots.

Impact

This operation has resulted in the theft of corporate Google Workspace login credentials and live session tokens, effectively bypassing multi-factor authentication. Organizations across 15 distinct industry verticals have been impersonated, with human resources consulting firms accounting for approximately 54% of observed phishing infrastructure. The campaign has been active since April 2025 and continues to successfully deploy live phishing pages and harvest corporate access, leading to unauthorized access to enterprise cloud environments. The broad impersonation and abuse of legitimate SaaS platforms increase the success rate of the attacks, making them difficult for targeted users to discern.

Recommendation

  • Deploy Sigma rules detecting suspicious DNS queries to onrender.com, as this domain is used for C2 infrastructure.
  • Implement Sigma rules identifying suspicious network connections to onrender.com from corporate endpoints.
  • Enhance email gateway and proxy logs monitoring for phishing attempts originating from legitimate SaaS platforms (e.g., Salesforce, SendGrid, Zoho) but redirecting to external, typosquatted, or unknown domains.
  • Conduct regular security awareness training emphasizing the risks of sophisticated phishing, recruiter impersonation, and the visual cues of legitimate OAuth pop-ups versus in-tab login redirects.
  • Implement FIDO2 or other phishing-resistant MFA solutions where feasible to mitigate the risk of AiTM attacks and session token theft.

Detection coverage 2

Detect DNS Queries to Render Cloud Platform C2 (Operation Fake KickOff)

medium

Detects DNS queries to domains associated with the Render cloud platform, which Operation Fake KickOff uses for Command and Control (C2) infrastructure to exfiltrate stolen credentials and session data.

sigma tactics: command_and_control techniques: T1071.001, T1102.002 sources: dns_query, windows

Detect Network Connections to Render Cloud Platform C2 (Operation Fake KickOff)

medium

Detects outbound network connections from internal hosts to domains on the Render cloud platform, identified as C2 infrastructure for Operation Fake KickOff to exfiltrate stolen data.

sigma tactics: command_and_control techniques: T1071.001, T1102.002 sources: network_connection, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

domain

TypeValue
domainonrender.com