TL;DR: Attackers are targeting Google Ad Manager accounts to run malvertising, ad fraud, account resale, and extortion schemes, while also using hijacked accounts to reach broader SSO-linked services and monetise existing ad spend, according to Push Security. The security gap is not just phishing resistance, but browser-level identity protection for high-value commercial accounts.
At a glance
What this is: This is an analysis of why Google Ad Manager accounts have become a high-value identity target and how compromise turns into malvertising, fraud, resale, and downstream access abuse.
Why it matters: It matters because ad accounts now sit inside broader identity and access paths, so a compromise can affect marketing spend, SaaS access, and customer-facing trust across NHI, autonomous, and human identity programmes.
By the numbers:
- 3 in 5 allow you to access an account using a new login method without doing any further verification checks.
Context
Google Ad Manager accounts have become an identity and access problem, not just an advertising operations issue. When attackers gain control, they can redirect budgets, insert malicious campaigns, or move into related Google and SaaS access paths that were never meant to be governed as part of ad operations. That makes the exposure materially different from ordinary brand impersonation.
The basic failure is trust in a high-spend account that already looks legitimate to the platform and to fraud controls. That trust makes hijacked ad accounts useful for malvertising, ad fraud, and resale, while browser-delivered phishing bypasses the email-centric controls many teams still depend on. For IAM and security teams, the problem spans human credentials, session abuse, and the downstream non-human access that rides on enterprise identity relationships.
Key questions
Q: How should security teams reduce the risk of Google Ad Manager account takeover?
A: Treat ad accounts as privileged identities, not marketing-only logins. Restrict who can manage campaigns, require strong re-verification for login method changes, and monitor spend, destination, and billing changes as security signals. The practical goal is to break the path from phishing into account abuse before the attacker can monetise the account or pivot into related SaaS access.
Q: Why do compromised ad accounts create more risk than simple ad fraud?
A: Because the account already carries trust, spend authority, and often downstream access through SSO. That lets an attacker run malicious campaigns, burn budgets, sell access, or move into connected enterprise apps. The risk is therefore identity-driven, not just financial, and the compromise can spread across marketing operations and broader access governance.
Q: What breaks when marketing identities are excluded from identity governance?
A: The organisation loses visibility into accounts that can publish, spend, and federate into other systems. That creates blind spots around abuse, session hijacking, and account resale, especially when one email unlocks multiple trust domains. Governance fails because the account is treated as a business tool instead of a controlled identity with measurable blast radius.
Q: How can teams tell if browser-based phishing controls are working?
A: They should see fewer successful credential captures from search-delivered lures, faster detection of malicious redirect chains, and lower rates of account abuse after click-through. If malicious ads still reach users and session theft still succeeds, email-first controls are not enough. The control should reduce post-click compromise, not just block known phishing messages.
Technical breakdown
Why compromised ad accounts become malvertising infrastructure
A compromised ad account is not only a login problem. It becomes a distribution layer for malicious ads, redirects, and account takeovers because the attacker inherits the account’s billing history, trust signals, and campaign controls. That matters on platforms such as Google Search, where sponsored placements are seen quickly and clicked at scale. Attackers can swap legitimate creative for phishing lures, direct users to AITM pages, or launch scams that harvest browser sessions and credentials. The account itself is the delivery mechanism, while the user browser becomes the enforcement point for the attack.
Practical implication: teams need browser-side detection and campaign integrity controls, not only email security and MFA.
How ad fraud and budget exhaustion work after account takeover
Once inside, attackers can create campaigns, modify destinations, and burn through spend on traffic they control. Because ad accounts often have established credit lines and expected monthly spend, abusive activity can continue long enough to produce real monetary loss before fraud flags trigger. The same access can also be used to launder money through advertising workflows or sell the account onward as a commodity. In practice, the threat is not limited to one compromised login. It is the conversion of account trust into a financial abuse channel.
Practical implication: organisations should correlate ad spend anomalies with identity events and campaign changes in the same monitoring flow.
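The correlation described above, as an added example that is not part of the original post or of any vendor tooling: it raises an alert only when an identity event on an ad account is followed within 24 hours by a campaign change or a spend spike. The event names, tuple layout, account names, window and spike factor are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

IDENTITY = {"new_login_method", "new_device_session"}
CHANGE = {"campaign_created", "destination_changed", "billing_changed"}
WINDOW = timedelta(hours=24)     # assumed correlation window
SPIKE_FACTOR = 3.0               # assumed multiple of the median daily spend

# Constructed sample events: (timestamp, account, event type, spend amount).
EVENTS = [
    ("2026-01-05T12:00", "ads-emea", "spend", 400.0),
    ("2026-01-06T12:00", "ads-emea", "spend", 420.0),
    ("2026-01-07T12:00", "ads-emea", "spend", 390.0),
    ("2026-01-08T02:10", "ads-emea", "new_login_method", None),
    ("2026-01-08T02:25", "ads-emea", "destination_changed", None),
    ("2026-01-08T12:00", "ads-emea", "spend", 2900.0),
    ("2026-01-06T12:00", "ads-apac", "spend", 100.0),
    ("2026-01-07T12:00", "ads-apac", "spend", 110.0),
    ("2026-01-08T10:00", "ads-apac", "campaign_created", None),
    ("2026-01-08T12:00", "ads-apac", "spend", 120.0),
]

def correlate(events):
    """Return {account: sorted signals} where an identity event is followed
    within WINDOW by a campaign change or spend spike on the same account."""
    alerts, history, pending = {}, {}, {}
    for ts, acct, kind, amount in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind in IDENTITY:
            pending[acct] = when           # open a correlation window
            continue
        signal = None
        if kind in CHANGE:
            signal = kind
        elif kind == "spend":
            past = history.setdefault(acct, [])
            if len(past) >= 3 and amount > SPIKE_FACTOR * median(past):
                signal = "spend_spike"
            else:
                past.append(amount)        # only normal days feed the baseline
        start = pending.get(acct)
        if signal and start and when - start <= WINDOW:
            alerts.setdefault(acct, set()).add(signal)
    return {a: sorted(s) for a, s in alerts.items()}

if __name__ == "__main__":
    print(correlate(EVENTS))
```

The `ads-apac` campaign creation stays quiet because no identity event precedes it, which is the point of joining the two data sources rather than alerting on either alone.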
Why ad account compromise can extend into broader SSO access
An ad account is often also a corporate Google identity, and that identity may be linked to other SaaS applications through SSO. If the email address is reused across identity providers, an attacker may move from ad platform abuse into unrelated enterprise apps without needing a fresh compromise. That is a familiar identity pattern: one trusted account becomes a bridge to more privileged access because the organisation has treated the ad workflow as separate from the identity plane. The security issue is cross-app trust, not only credential theft.
Practical implication: map every ad account to downstream SSO reach and remove assumptions that marketing identities are isolated.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
NHI Mgmt Group analysis
High-spend ad accounts are now identity assets, not just marketing assets. The moment an account can move budget, publish content, and inherit trust, it becomes a non-human identity with real blast radius. That is why compromise of Google Ad Manager accounts is best understood as access governance failure, not simply phishing success. Practitioners should treat ad administration as part of identity security scope.
Browser-based attack delivery has outgrown email-centric phishing controls. The article’s core pattern is a malicious ad or spoofed marketing site that leads users into an AITM flow. That bypasses the traditional mail gateway model many organisations still use as their first line of defence. Teams that only measure inbox threats are missing the delivery surface where the abuse now starts.
Cross-IdP impersonation turns a single ad login into a wider identity bridge. The article notes that the same email can unlock access across different identity providers and SaaS apps. That means the issue is not just account takeover, but account portability across trust domains. For IAM teams, the control gap is identity linking and re-verification, not only password strength.
Malvertising creates a shared failure mode across human identity and NHI governance. Human users click the lure, but the attacker monetises access through managed advertising identities, billing relationships, and downstream service accounts. The field needs to stop separating marketing access from identity risk. The practitioner conclusion is simple: if an account can spend, publish, and federate, it belongs in governance.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- If ad accounts can federate into broader SaaS access, teams should review lifecycle controls in the NHI Lifecycle Management Guide before compromise becomes a governance problem.
What this signals
Identity scope has to expand beyond the inbox and the endpoint. Search-delivered phishing, impersonated marketing tools, and ad platform abuse mean the attack surface is now the browser session and the account graph behind it. Security programmes that still rely on mail filtering as the main phishing control will miss the path attackers are actually using.
Ad accounts belong in the same governance conversation as other privileged identities. If an account can spend budget, publish externally visible content, and reach connected SaaS apps, it has operational privilege that should be reviewed, scoped, and monitored like any other sensitive identity. That is especially true where SSO linking turns a marketing login into enterprise access.
Browser-mediated abuse is becoming a repeatable control gap. The pattern here is not unique to one vendor or one platform. It reflects a wider shift in which attackers use legitimate web workflows to sidestep email-centric detection and exploit accounts that were never built with identity governance in mind.
For practitioners
- Map ad accounts to downstream identity reach: Inventory every Google Ad Manager, MCC, and related marketing identity, then document which SSO-connected apps, billing flows, and publisher accounts each one can reach.
- Monitor campaign changes as identity events: Alert on new campaigns, destination edits, billing changes, and unusual spend spikes as security events, not only as marketing operations changes.
- Add browser-layer detection for malvertising paths: Use controls that can inspect the user session, page destination, and post-click behaviour because email and endpoint-only controls do not reliably see search-delivered phishing.
- Re-verify cross-IdP account access: Require additional verification when a Google identity is used to access apps through a new login method or a different identity provider, especially where the same email is reused.
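One way an application could enforce the cross-IdP re-verification item above, as an added example that is not from the original post: accounts are keyed on the (issuer, subject) pairs they have already verified, and a matching email from an unseen issuer triggers step-up instead of silent linking. The function names, return values, issuer URLs and directory contents are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    # (issuer, subject) pairs the account owner has already verified
    bindings: set = field(default_factory=set)

def sample_directory():
    """Constructed directory; issuer and subject values are placeholders."""
    return {
        "ads.admin@example.com": Account(
            "ads.admin@example.com",
            {("https://idp-a.example", "sub-1001")},
        )
    }

def decide_login(accounts, issuer, subject, email, email_verified):
    """Decide how to treat a federated assertion for `email`."""
    acct = accounts.get(email.lower())
    if acct is None:
        # No existing account: only provision from a verified email claim.
        return "create_account" if email_verified else "deny"
    if (issuer, subject) in acct.bindings:
        return "allow"
    # Same email, but an issuer/subject pair this account has never used.
    # Matching on email alone would link a new login method with no checks.
    return "step_up_then_link"

def complete_step_up(accounts, issuer, subject, email, step_up_passed):
    """Bind the new login method only after the existing owner re-verifies
    through a method already bound to the account."""
    if not step_up_passed:
        return "deny"
    accounts[email.lower()].bindings.add((issuer, subject))
    return "linked"
```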
Key takeaways
- Compromised ad manager accounts are high-value identities because they can move money, publish public content, and open access to connected services.
- The scale of the problem is amplified by large ad budgets and by browser-delivered phishing that bypasses controls built around email.
- Teams need to govern ad accounts as privileged identities, with browser-side detection, access mapping, and re-verification for cross-IdP use.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Ad account compromise starts with compromised credentials and session abuse. |
| NIST CSF 2.0 | PR.AC-4 | Cross-IdP and SaaS access depends on access control and account verification. |
| NIST Zero Trust (SP 800-207) | | Browser-delivered phishing and session abuse fit a continuous verification model. |
Reduce credential theft exposure and harden login assurance for privileged marketing identities.
Key terms
- Ad Manager Account: A managed advertising identity used to create, control, and pay for ad campaigns across platforms such as Google, Facebook, or LinkedIn. In security terms, it is a privileged identity because it can spend money, publish externally visible content, and often connect to other enterprise systems through shared identity infrastructure.
- Malvertising: The use of advertising channels to deliver malicious content, redirects, or phishing pages. The account behind the ad is the real control point, which means compromise of a legitimate ad manager can turn trusted traffic into a delivery mechanism for credential theft, malware, or fraud.
- AITM Phishing: Adversary-in-the-middle phishing is a technique that intercepts a user’s login session in real time so the attacker can capture tokens or cookies after authentication. It is more dangerous than simple password theft because the attacker can often reuse the session without needing to know the password again.
- Cross-IdP Impersonation: A condition where one identity, often tied to an email address, is accepted across different identity providers or login methods without fresh verification. The risk is that a compromised account in one domain can be reused to reach unrelated applications in another, expanding the blast radius of a single takeover.
This post draws on content published by Push Security: Attackers are going out of their way to target Google Ad Manager accounts. Read the original.
Published by the NHIMG editorial team on 2026-01-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org