TL;DR: A malvertising campaign used Google Search ads to steer victims to phishing pages, bypassing email-based controls and targeting account access rather than inboxes, according to Push Security. The pattern shows that browser-mediated identity attacks now require continuous detection at the point of interaction, not just perimeter filtering.
At a glance
What this is: This is an analysis of a malvertising campaign that used Google Search ads to redirect users to phishing pages impersonating Google Ads login flows.
Why it matters: It matters because identity teams now have to account for browser-based delivery paths, malicious OAuth grants, and account takeover risk across NHI, autonomous, and human identity programmes.
👉 Read Push Security's analysis of Google Search malvertising and phishing delivery
Context
Malvertising is the use of paid ads to deliver a phishing or malware path, and it changes the identity problem because the browser becomes the entry point instead of email. In this campaign, Google Search was the lure and the login page impersonation was the trap, which means the control gap sits at user interaction and browser trust rather than inbox filtering. That is directly relevant to human IAM, browser-based auth flows, and adjacent NHI account access.
Security teams often model phishing as a message problem, but search-ad delivery breaks that assumption. When attackers can intercept users who are simply trying to reach a legitimate login page, the governance challenge expands to URL verification, session-aware detection, and controls that can observe actions as they happen in the browser.
Key questions
A: Security teams should inspect browser journeys before authentication, not just email or network traffic after delivery. That means detecting sponsored-result redirects, lookalike domains, and unexpected login destinations, then applying higher scrutiny when users reach sensitive accounts through search paths rather than trusted bookmarks or direct navigation.
Q: Why does malvertising create a different phishing problem than email-based attacks?
A: Malvertising shifts the trust boundary from inbox controls to the browser and search engine results page. Users are less suspicious of a search result than a message link, so the attacker can intercept account access earlier in the journey and often with less obvious warning signs.
Q: What do security teams get wrong about malicious ads and credential theft?
A: Teams often focus on takedown after the fact instead of runtime detection while the page is live. That misses the real loss event, which is the moment a user enters credentials, approves consent, or establishes a session on attacker-controlled infrastructure.
Q: Who is accountable when browser-based phishing leads to account takeover?
A: Accountability usually spans identity security, endpoint protection, and the business owners of high-value accounts such as advertising platforms. The practical answer is to define who owns browser-based authentication risk, who monitors suspicious redirects, and who can revoke access or sessions immediately.
Technical breakdown
How search-ad malvertising turns the browser into the delivery layer
Malvertising abuses paid search placement to place a malicious URL above or alongside legitimate results. The user does not need to click an email attachment or message link, which means traditional anti-phishing controls lose visibility at the earliest stage. Once the ad is clicked, the attacker can chain redirects through disposable hosting, such as dynamic subdomains and page builders, to reach a credential-harvesting page. This is effective because the interaction looks like normal web navigation until the final page loads. The real security problem is not only the fake page, but the fact that the user arrived there through a trusted browser path.
Practical implication: monitor search-ad driven browser journeys and inspect the destination before credentials or OAuth consent are entered.
Why AiTM phishing and OAuth abuse fit this delivery model
Adversary-in-the-middle, or AiTM, phishing sits between the user and the real service so the attacker can capture session material after the victim authenticates. That makes malvertising especially useful, because the browser redirect can lead directly to a page that steals credentials, session cookies, or OAuth consent. The article also points to malicious OAuth grants and browser-based session hijacking as part of the same attack surface. In practice, search-based delivery is a way to collect identity artefacts without relying on compromised email infrastructure. It is a distribution problem, but the payload is still identity abuse.
Practical implication: combine browser telemetry with controls that detect suspicious OAuth consent, cookie theft, and proxy-based credential capture.
Why disposable infrastructure reduces the value of IoC-only detections
The campaign used rotating domains and hosted pages on services such as Odoo and Kartra, then went offline quickly. That means static indicators of compromise age out fast and often miss the broader campaign pattern. The attacker does not need long-lived infrastructure if the objective is fast credential capture and account resale. Defenders therefore need behaviour-based detection at the point of access, not just blocklists after the fact. In browser-first attacks, the control problem is temporal as much as technical: the malicious page can disappear before the security team finishes triage.
Practical implication: use behavioural detection and rapid takedown workflows instead of relying on URL blocklists alone.
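The runtime check the breakdown above describes (sponsored entry, disposable redirect hops, lookalike login host, credential submission to a non-allowlisted destination) can be scored over browser navigation events before the form submit is allowed. The following is an added illustration, not code from Push Security or from this page; the event format, the allowlisted login hosts, the low-trust hosting suffix and the sample journey are all constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed navigation events for one browser journey (sample data, not real telemetry).
SAMPLE_JOURNEY = [
    {"url": "https://www.google.com/search?q=google+ads+login", "event": "navigate"},
    {"url": "https://www.google.com/aclk?sa=L&ai=EXAMPLE", "event": "ad_click"},
    {"url": "https://promo-48213.builder.example/start", "event": "redirect"},
    {"url": "https://ads-google-login.example/signin", "event": "form_submit", "fields": ["password"]},
]

# Hosts the organisation treats as the genuine login destinations (assumed allowlist).
LEGIT_LOGIN_HOSTS = {"ads.google.com", "accounts.google.com"}
# Suffixes of disposable / page-builder hosting the team chooses to treat as low trust (placeholders).
LOW_TRUST_SUFFIXES = (".builder.example",)
BRAND_TOKENS = ("google",)

def hostname(url):
    return (urlparse(url).hostname or "").lower()

def is_legit(host):
    return any(host == h or host.endswith("." + h) for h in LEGIT_LOGIN_HOSTS)

def is_lookalike(host):
    # Brand token present in a host that is not (a subdomain of) a genuine login host.
    return (not is_legit(host)) and any(t in host for t in BRAND_TOKENS)

def assess_journey(events):
    """Score one click path from search result to final page before credentials are submitted."""
    findings = []
    sponsored = any(e["event"] == "ad_click" for e in events)
    if sponsored:
        findings.append("entered via sponsored search result")
    hops = [hostname(e["url"]) for e in events if e["event"] == "redirect"]
    low_trust = [h for h in hops if h.endswith(LOW_TRUST_SUFFIXES)]
    if low_trust:
        findings.append("redirect through low-trust host: " + ", ".join(low_trust))
    final = events[-1]
    final_host = hostname(final["url"])
    credential_submit = final["event"] == "form_submit" and "password" in final.get("fields", [])
    if is_lookalike(final_host):
        findings.append("lookalike login host: " + final_host)
    if credential_submit and not is_legit(final_host):
        findings.append("credentials submitted to non-allowlisted host")
    # Block only when a sponsored entry ends in credential entry on an unverified host;
    # anything else that raised a finding gets step-up verification instead.
    if sponsored and credential_submit and not is_legit(final_host):
        action = "block"
    else:
        action = "step_up" if findings else "allow"
    return {"action": action, "final_host": final_host, "findings": findings}
```

Because the decision is made from the journey rather than from the final domain alone, the same logic still fires after the disposable hosts in the chain have been rotated.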
NHI Mgmt Group analysis
Search-ad malvertising is now an identity control problem, not just a web filter problem. The attack succeeds because users are conditioned to trust search results as a navigation path, even when the result is sponsored. That breaks the assumption that phishing starts in email and forces IAM teams to think about browser entry, not just inbox security. The practitioner conclusion is straightforward: identity governance must extend to the browser edge where users actually authenticate.
Malvertising creates a browser trust gap that conventional MFA does not close. A user can still satisfy MFA on a fake or proxied page while the attacker captures tokens, cookies, or consent artefacts. That means the failure mode is not weak authentication alone, but authentication occurring in the wrong trust context. Organisations should treat browser provenance and page integrity as part of identity assurance, especially for high-value accounts.
Disposable redirect chains are a named concept: credential-capture with short-lived infrastructure. The attack used quickly spun up and taken-down domains, which means the security value of static indicators decays almost immediately. This pattern shifts defender effort from after-the-fact blocking to real-time behavioural visibility at the browser layer. The practitioner conclusion is to prioritise live telemetry over retrospective IoCs.
Account-access theft is becoming a monetisable commodity in campaigns that start with search ads. The article links malvertising to credential resale and to broader criminal ecosystems that depend on initial access. That matters because the victim is not only a user, but a reusable identity asset that can be leveraged elsewhere. Security teams should view browser-delivered account compromise as a source of downstream breach risk, not an isolated phishing event.
From our research:
- 4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Search-ad delivery and OAuth abuse are converging, so teams should also review NHI Lifecycle Management Guide for lifecycle controls that reduce long-lived access exposure.
What this signals
Malvertising shifts identity risk into the browser, where many programmes still have weak visibility. That is why browser telemetry, session inspection, and sponsored-result awareness now belong in the same control conversation as MFA and phishing resistance. Teams that still treat search-driven phishing as an edge case will miss the access path most likely to bypass email-centric controls.
Disposable redirect chains are the operational signal that matters most. When domains are spun up and removed quickly, the defender’s advantage comes from live detection and account-level correlation, not from waiting for reputation feeds to catch up. This is the same reason identity teams should prioritise the NHI Lifecycle Management Guide when access paths are short-lived but account value is persistent.
Browser-delivered attacks increasingly turn identity artefacts into tradable access, so the practical response is to shorten the time between first suspicious click and session containment. The teams that win here are the ones that can see sponsored search, page integrity, and consent behaviour in one control plane.
For practitioners
- Harden browser-based login paths: Detect when users reach high-risk login pages through sponsored search results and apply additional verification before credentials or consent are submitted.
- Inspect redirect chains before authentication: Track the full click path from search result to final page so disposable redirects and lookalike domains can be blocked at runtime.
- Monitor OAuth consent and session-grant behaviour: Alert on unusual consent prompts, proxy-based sign-ins, and browser sessions that request access outside normal login patterns.
- Reduce dependence on static IoCs: Use behavioural detections, browser telemetry, and takedown workflows because rapidly changing domains often disappear before blocklists age in.
- Review ad-platform account access: Treat Google Ads and similar advertising accounts as high-value identities and limit who can create, approve, or spend from them.
Key takeaways
- Search-ad malvertising turns the browser into the primary phishing surface, which means email controls alone no longer cover the attack path.
- Short-lived redirect domains reduce the value of static blocklists and make real-time behavioural detection the more durable defence.
- Identity teams should treat browser-delivered account access as high-value exposure because one successful click can lead to credential theft, session capture, or OAuth abuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Browser-delivered phishing requires continuous monitoring of user activity and web events. |
| OWASP Non-Human Identity Top 10 | NHI-08 | The attack depends on abusing identity artefacts and browser-mediated access paths. |
| NIST Zero Trust (SP 800-207) | PR.AA-5 | Search-ad phishing exploits weak assurance at the point of authentication. |
Treat account access and tokens as high-value identity assets and reduce exposure through lifecycle controls.
Key terms
- Malvertising: Malvertising is the use of paid advertising to deliver malicious content, usually by sending users to phishing pages, malware downloads, or other attacker-controlled infrastructure. In identity security, it matters because the lure arrives through a trusted browsing path and can bypass controls designed primarily for email or direct-message phishing.
- Adversary-in-the-middle phishing: Adversary-in-the-middle phishing places an attacker between the user and the legitimate service so credentials, session cookies, or consent artefacts can be captured in transit. The victim may still complete a normal login flow, which makes the attack especially dangerous for MFA-protected accounts and browser-based identity sessions.
- Browser-based identity attack surface: Browser-based identity attack surface is the set of user interactions in the browser where authentication, consent, session creation, and extension behaviour can be abused. It includes search-result navigation, login pages, OAuth prompts, and session handoff, all of which can become entry points if the page or flow is not verified.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Push Security: malvertising delivered through Google Search and browser-based phishing. Read the original.
Published by the NHIMG editorial team on 2025-12-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org