By NHI Mgmt Group Editorial Team
Published 2025-12-02
Domain: Governance & Risk
Source: Push Security

TL;DR: A long-running phishing campaign used Calendly-themed lures, AiTM tooling, browser-in-the-browser pop-ups, and targeted anti-analysis checks to steal Google Workspace and Facebook Business access, according to Push Security. The pattern shows how identity front doors, not just inbox filters, now determine whether business ad management accounts can be taken over and reused.


At a glance

What this is: This is Push Security’s analysis of a multi-stage AiTM phishing campaign targeting Google Workspace and Facebook Business accounts, with the key finding that attackers were using targeted lures and anti-analysis tricks to steal access to ad management environments.

Why it matters: It matters because IAM teams have to treat SSO, IdP hardening, and downstream app controls as part of the same attack surface when business-critical accounts sit behind a single identity front door.

By the numbers:

  • We identified 31 unique URLs associated with the same campaign, many of which were recycled over time to impersonate different brands.

👉 Read Push Security's analysis of Calendly-themed AiTM phishing against Google Workspace and Facebook Business accounts


Context

AiTM phishing is a credential interception technique where the attacker sits between the user and the real login flow, capturing session tokens or credentials after a convincing fake sign-in. In this campaign, the primary target was Google Workspace as the enterprise identity provider, which means compromise at the login layer could open access to downstream business applications and ad management systems.

The broader governance problem is not just phishing resistance. It is the gap between IdP protection, SSO configuration, and the business accounts that sit behind them, especially when attackers are intentionally targeting accounts used to manage digital ads and then iterating the lure, infrastructure, and anti-analysis checks to keep the campaign alive.


Key questions

Q: How should security teams defend against AiTM phishing against enterprise IdPs?

A: Security teams should assume the attacker may capture a valid session after the login succeeds, not just the password. That means using phishing-resistant authentication, monitoring anomalous token use, and tightening session controls so a stolen browser context is less useful. The goal is to reduce the value of authenticated state, not just block obvious phishing pages.

Q: Why do business ad accounts attract identity attackers?

A: Business ad accounts are attractive because they combine spend authority, brand trust, and access to platforms that can be monetised or abused quickly. Once an attacker gains the primary identity used to manage those accounts, the compromise can spread into downstream apps and revenue-facing functions. That makes ad identities high-value targets, not peripheral users.

Q: What breaks when SSO trust is too permissive across identity providers?

A: Overly permissive cross-IdP trust can let an attacker use one compromised identity to reach applications that were assumed to be protected by a different provider. The failure is a trust boundary that exists on paper but not in practice. Organisations should map every federation path and validate which accounts can authenticate where.

Q: What should teams do when phishing uses staged lures and fake scheduling pages?

A: Teams should review the full interaction sequence, not only the first email. Staged lures often delay the malicious link until trust is established, then use familiar services like calendaring tools to lower suspicion. Detection and user training should reflect that multi-step behaviour, because a single-message filter will miss the pattern.


Technical breakdown

How AiTM phishing intercepts Google Workspace sessions

An attacker-in-the-middle phishing kit proxies the victim’s login session to the real identity provider while controlling the page the user sees. That allows the attacker to capture credentials, cookies, or session tokens after authentication, which is materially worse than a simple password harvest because the session can already satisfy MFA. In a Google Workspace context, that stolen session can become the front door to email, documents, and SSO-backed applications. The security failure is not only password theft but the interception of authenticated state before the user reaches a legitimate application.

Practical implication: move beyond password checks and treat session interception as a first-class IdP threat.

Why targeted lures and multi-stage delivery defeat common controls

The campaign used a job opportunity lure, then delayed the malicious link until after the victim replied, which reduces the chance of automated email scanning catching a suspicious URL. The fake Calendly step added another layer of trust because it borrowed a familiar scheduling brand before redirecting into the phishing flow. This is social engineering combined with workflow shaping: the attacker controls timing, message sequence, and user expectation to make the malicious link look routine instead of urgent. That design matters because many defences are tuned to obvious, single-message phishing rather than staged conversion.

Practical implication: inspect phishing in the full interaction chain, not just the first email.

Why ad management accounts are high-value identity targets

Business ad accounts are attractive because they sit at the intersection of brand trust, spend authority, and downstream platform access. Once inside a primary enterprise IdP, an attacker may pivot to ad managers, SSO-connected apps, or cross-IdP configurations that were never meant to be exposed to hostile reuse. That turns one compromised login into a platform for fraud, malvertising, or resale to other criminal actors. The article shows that this is not random credential theft. It is a deliberate focus on identity footholds that can be monetised quickly across multiple services.

Practical implication: classify ad management access as sensitive business identity, not just marketing tooling.


Threat narrative

Attacker objective: The attacker’s objective was to take over valuable enterprise and ad-management identities that could be reused, sold, or leveraged for broader fraud and malvertising activity.

  1. Entry began with highly targeted Calendly-themed phishing lures delivered through staged email messages that appeared to come from real people and organizations.
  2. Credential access was achieved through an AiTM phishing page that proxied the Google Workspace sign-in flow and used anti-analysis checks to limit inspection.
  3. Impact followed when stolen enterprise identity access could be reused against Google Workspace, downstream apps, and business ad management accounts.
  4. The campaign also reused infrastructure and moved across Google and Facebook account targets, showing repeatable identity abuse rather than a one-off phish.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity front doors have become the real control plane for business ad risk. When attackers compromise the primary enterprise IdP, they are not just stealing a mailbox or a single app login. They are gaining a reusable entry point into downstream apps, ad managers, and other business systems that trust the same identity fabric. The implication is that identity governance for marketing and ad operations can no longer sit outside core IAM decision-making.

AiTM phishing now breaks the assumption that MFA alone closes the access risk window. These attacks capture authenticated state after the user completes the login ceremony, which means the control was bypassed rather than absent. That matters because many programmes still treat MFA success as the end of the risk story, when in practice it may be only the start of session theft.

Targeted phishing against business ad accounts shows how credential theft is being industrialised across identity domains. The same access can support fraud, resale, malvertising, or secondary intrusion, depending on who receives it next. That means identity security teams need to evaluate not only who can log in, but which accounts can be monetised fastest once compromised.

Cross-IdP impersonation is a governance gap, not just a configuration nuisance. If multiple identity providers can authenticate the same user and SSO trust is too permissive, an attacker can move laterally through the identity fabric without needing a traditional perimeter breach. The practitioner conclusion is that federation design must be reviewed as an attack surface, not merely an integration choice.

Calendly-themed delivery is a reminder that trust signals are now being borrowed, not forged. The attacker did not need a perfect clone of the target brand. They needed a believable sequence that combined a familiar scheduling service, a plausible recruiter persona, and timing that reduced suspicion. Identity defence has to account for that borrowed trust model.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • With six distinct secrets manager instances on average, fragmentation can weaken centralised control even before a phishing campaign turns stolen identity into reusable access.

What this signals

Ephemeral trust is now the real issue: once an attacker can capture a live session after authentication, the control problem shifts from identity proofing to session integrity and downstream trust. For IAM teams, that means phishing-resistant authentication is necessary but not sufficient, and the review point must move to token replay, federation paths, and manager-account monitoring.

Push-style AiTM campaigns also show why identity programmes need to treat business-adjacent accounts as privileged assets. When ad-management access can be reused across brands or monetised in criminal markets, the security boundary is no longer the inbox. Monitoring must extend into the apps, manager accounts, and cross-IdP relationships that attackers actually want to inherit.

The operational signal to watch is whether your controls can distinguish routine login from hostile reuse across multiple services and identity providers. If they cannot, the programme is still optimised for password theft, not session theft, and that gap will keep widening as attackers continue to borrow trusted brands and familiar workflows to evade inspection.


For practitioners

  • Tighten IdP session protections: Require phishing-resistant authentication and strengthen session binding so a stolen browser session is harder to replay after login. Focus on controls that reduce the value of intercepted cookies and tokens, not only on the password prompt.
  • Review cross-IdP trust paths: Map every environment where users can authenticate through more than one identity provider and validate the SSO trust rules that connect them. Pay special attention to overly permissive federation that can turn one compromised account into access across multiple platforms.
  • Segment business ad management access: Treat ad management accounts as privileged business identities and apply stronger monitoring, conditional access, and step-up controls around manager accounts and account-addition events. A compromise here can be monetised quickly and at scale.
  • Train users on staged phishing flows: Update awareness content to cover delayed-link phishing, fake scheduling pages, and browser-in-the-browser techniques so staff recognise multi-step lures that do not look suspicious in a single message.

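As an added example (not code from Push Security's analysis or from NHI Mgmt Group), the check below implements the session-level detection the practitioner points describe: for each session ID it records the client seen at login and flags any later use of that session from a different IP or user agent, escalating when the reuse reaches an ad management app. The audit records, field names and app names are constructed assumptions, not a real IdP's log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs). Each line is one JSON event
# emitted by the IdP (login) or by an SSO-connected app (app_access), carrying
# the session identifier plus the client IP and user agent that presented it.
SAMPLE_EVENTS = """
{"ts":"2025-12-02T09:00:00Z","user":"alice@example.com","sid":"s-1","event":"login","ip":"203.0.113.10","ua":"Chrome/131 Windows"}
{"ts":"2025-12-02T09:00:45Z","user":"alice@example.com","sid":"s-1","event":"app_access","app":"ads-manager","ip":"198.51.100.7","ua":"Chrome/120 Linux"}
{"ts":"2025-12-02T09:30:00Z","user":"bob@example.com","sid":"s-2","event":"login","ip":"192.0.2.5","ua":"Firefox/133 macOS"}
{"ts":"2025-12-02T09:45:00Z","user":"bob@example.com","sid":"s-2","event":"app_access","app":"mail","ip":"192.0.2.5","ua":"Firefox/133 macOS"}
"""

# Assumed names for the apps the page treats as privileged business identities.
SENSITIVE_APPS = {"ads-manager", "facebook-business"}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events, window=timedelta(hours=24)):
    """Flag a session ID presented by a client that differs from the one that logged in."""
    origin = {}  # sid -> (ip, ua, login time) captured when the session was minted
    alerts = []
    for e in events:
        sid = e["sid"]
        if e["event"] == "login":
            origin[sid] = (e["ip"], e["ua"], e["ts"])
            continue
        if sid not in origin or e["ts"] - origin[sid][2] > window:
            continue  # unknown session, or outside the comparison window
        ip, ua, _ = origin[sid]
        mismatches = [field for field, seen in (("ip", ip), ("ua", ua)) if e[field] != seen]
        if mismatches:
            alerts.append({
                "user": e["user"], "sid": sid, "app": e.get("app"),
                "mismatch": mismatches,
                # Reuse against an ad management app is the high-value case the page describes.
                "severity": "high" if e.get("app") in SENSITIVE_APPS else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In production the comparison would key on a stable session identifier (cookie or token hash) rather than a raw user agent alone, and the IP test would usually compare ASN or geolocation so that ordinary mobile address changes do not alert.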
Key takeaways

  • AiTM phishing turns successful logins into a security failure because the attacker can intercept authenticated state, not just credentials.
  • Business ad accounts are a high-value target because one identity compromise can spread into revenue, brand, and downstream application access.
  • Defence now depends on IdP hardening, federation review, and session-level detection, not on inbox filtering alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) | PR.AC-4 | The article centers on session trust and downstream access after login.
NIST CSF 2.0 | PR.AC-1 | Access controls must account for stolen sessions and permissive SSO trust.
NIST SP 800-63 | - | Phishing-resistant authentication is directly relevant to AiTM attacks.

Validate every session and federation path, and treat authenticated browser state as sensitive access.


Key terms

  • AiTM phishing: An attacker-in-the-middle phishing attack proxies the user’s login to the real service while intercepting credentials or session tokens. The victim believes they authenticated normally, but the attacker captures reusable access artifacts that can bypass ordinary password and MFA checks.
  • Cross-IdP impersonation: Cross-IdP impersonation occurs when a user can authenticate through more than one identity provider and the trust rules are loose enough for an attacker to abuse that overlap. It creates a governance problem where one compromised identity path can unlock apps that were assumed to be protected elsewhere.
  • Business ad management account: A business ad management account is an identity-backed control point used to create, administer, and spend across advertising properties for an organisation or agency. Because it can control budgets and brand presence, compromise can quickly translate into fraud, abuse, or monetisable access.
  • Session replay: Session replay is the reuse of an authenticated browser session after the original user has completed sign-in. In identity security, it matters because the attacker may never need to know the password again once the session token is stolen or proxied.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Push Security: LLMjacking: How Attackers Hijack AI Using Compromised NHIs. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org