
TikTok for Business AiTM phishing: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Attackers are using TikTok for Business- and Google-themed AiTM phishing pages to hijack accounts, with one cluster of malicious domains registered within a 9-second window and the stolen business logins used to reach ad platforms and SSO-connected apps, according to Push Security. Browser-based credential theft now reaches beyond email into marketing, fraud, and account takeover workflows.

NHIMG editorial, based on content published by Push Security. The source article examines TikTok for Business AiTM phishing and malvertising-linked account takeover; LLMjacking-style browser abuse is not the subject here.

Questions worth separating out

Q: How should security teams handle AiTM phishing that targets business accounts?

A: Security teams should treat AiTM phishing as a browser-session compromise problem, not just a password theft problem. The reverse proxy relays the genuine login flow, including any MFA prompt, and captures the authenticated session that results, so resetting the password alone does not evict the attacker; the issued session tokens have to be revoked as well.

Q: Why do business social and ad accounts create a larger identity risk than they seem to?

A: They often sit outside core IAM while still holding valuable access to budgets, analytics, and connected SaaS apps.

Q: What breaks when phishing infrastructure rotates faster than blocklists can update?

A: Static IOC-led defense loses coverage because the malicious domains, hosting, and page content are disposable.
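One way to get ahead of disposable infrastructure is to stop matching single domains and instead look for the registration pattern behind them. The following is an added example, not code from Push Security or NHIMG: it groups newly registered domains into time bursts (the 9-second window from the TL;DR is the default) and counts how many in each burst carry an assumed lure keyword. The registration records, the keyword list, and the `.example` domains are constructed for illustration.

```javascript
// Added example, not code from Push Security or NHIMG: pivot from single
// domain IOCs to the infrastructure pattern behind them by grouping new
// registrations into time bursts. The registration records and the
// brand keywords below are constructed for illustration.
const BURST_WINDOW_SECONDS = 9; // the 9-second window reported in the TL;DR
const BRAND_KEYWORDS = ['tiktok', 'google']; // assumed lures worth counting

// Constructed sample: four lookalikes registered seconds apart, one loner,
// and a second, smaller burst later the same day.
const SAMPLE_REGISTRATIONS = [
  { domain: 'tiktok-business-center.example', createdAt: '2025-03-01T10:00:00Z' },
  { domain: 'ads-tiktok-verify.example',      createdAt: '2025-03-01T10:00:03Z' },
  { domain: 'business-tiktok-login.example',  createdAt: '2025-03-01T10:00:07Z' },
  { domain: 'tiktok-ads-secure.example',      createdAt: '2025-03-01T10:00:08Z' },
  { domain: 'unrelated-shop.example',         createdAt: '2025-03-01T10:00:25Z' },
  { domain: 'google-ads-signin.example',      createdAt: '2025-03-01T11:30:00Z' },
  { domain: 'accounts-google-check.example',  createdAt: '2025-03-01T11:30:02Z' },
];

// Seconds since epoch from an ISO-8601 timestamp; null if unparseable.
function toEpochSeconds(iso) {
  const ms = Date.parse(iso);
  return Number.isNaN(ms) ? null : ms / 1000;
}

// Count how many domains in a group contain one of the assumed lure keywords.
function brandHits(domains) {
  return domains.filter(d => BRAND_KEYWORDS.some(k => d.includes(k))).length;
}

// Group registrations whose timestamps fall within `windowSeconds` of the
// first record in the group. Groups smaller than `minSize` are dropped, so a
// lone registration never becomes a "cluster".
function clusterByRegistrationBurst(records, windowSeconds = BURST_WINDOW_SECONDS, minSize = 2) {
  const sorted = records
    .map(r => ({ ...r, ts: toEpochSeconds(r.createdAt) }))
    .filter(r => r.ts !== null)
    .sort((a, b) => a.ts - b.ts);

  const clusters = [];
  let current = [];
  const flush = () => {
    if (current.length >= minSize) {
      const domains = current.map(r => r.domain);
      clusters.push({
        start: current[0].createdAt,
        end: current[current.length - 1].createdAt,
        spanSeconds: current[current.length - 1].ts - current[0].ts,
        domains,
        brandHits: brandHits(domains),
      });
    }
    current = [];
  };

  for (const rec of sorted) {
    if (current.length > 0 && rec.ts - current[0].ts > windowSeconds) flush();
    current.push(rec);
  }
  flush();
  return clusters;
}

// Stand-alone run: print each burst with its lure-keyword count.
for (const c of clusterByRegistrationBurst(SAMPLE_REGISTRATIONS)) {
  console.log(`${c.start} .. ${c.end} (${c.spanSeconds}s): ${c.domains.length} domains, ${c.brandHits} brand lookalikes`);
}
```

The window is anchored on the first registration in a group rather than chained pair-by-pair, so a slow trickle of one domain every few seconds does not grow into one giant cluster. A burst whose `brandHits` equals its size is the kind of signal worth turning into a proactive hunt (new registrations with the same shape) rather than a reactive blocklist entry.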

Practitioner guidance

  • Inventory business accounts that inherit SSO trust: map TikTok for Business, Google-linked, and other externally hosted accounts that can be reached through enterprise identity.
  • Detect AiTM behaviour at the browser layer: use browser-based controls that can identify reverse proxy patterns, suspicious session establishment, and post-login token theft.
  • Harden advertising and campaign accounts as privileged assets: apply stronger review, step-up checks, and ownership validation to ad management accounts, because once compromised they can be used for fraud, malware delivery, and budget theft.
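The browser-layer point in the guidance above is that an AiTM reverse proxy relays the genuine brand page, so the content matches but the origin does not. The following is an added example, not Push Security's product logic or NHIMG's code: it compares what a login page looks like (brand markers in its text) with where it is served from (page origin) and where the credentials go (form action origin), and supports a monitor-only mode that reports instead of blocking. The brand profiles, allowed origins, and sample pages are constructed assumptions for illustration.

```javascript
// Added example, not code from Push Security or NHIMG: a browser-layer check
// that flags a known-brand login page rendered on an origin that brand never
// uses, or a login form that posts credentials somewhere else. Brand profiles
// and sample pages are constructed assumptions.
const BRAND_PROFILES = [
  {
    brand: 'Google',
    allowedOrigins: ['https://accounts.google.com'],          // assumed
    markers: ['sign in with google', 'google accounts'],      // assumed
  },
  {
    brand: 'TikTok for Business',
    allowedOrigins: ['https://business.tiktok.com', 'https://ads.tiktok.com'], // assumed
    markers: ['tiktok for business', 'tiktok ads manager'],   // assumed
  },
];

// Origin of a URL, resolving relative form actions against the page URL.
function resolveOrigin(target, base) {
  try { return new URL(target, base).origin; } catch { return null; }
}

// page: { url, title, bodyText, hasPasswordField, formAction }
// Verdicts: ignore (no credential form), observe (credential form, unknown
// brand), allow (brand page on its own origin), block, or monitor when
// monitorOnly is set and a block would otherwise have been returned.
function assessLoginPage(page, { monitorOnly = false } = {}) {
  const findings = [];
  if (!page.hasPasswordField) return { verdict: 'ignore', findings };

  const pageOrigin = resolveOrigin(page.url);
  const text = `${page.title} ${page.bodyText}`.toLowerCase();
  const profile = BRAND_PROFILES.find(p => p.markers.some(m => text.includes(m)));
  if (!profile) return { verdict: 'observe', findings };

  // AiTM / clone: brand content on a non-brand origin.
  if (!profile.allowedOrigins.includes(pageOrigin)) {
    findings.push(`${profile.brand}-branded login served from ${pageOrigin}`);
  }
  // Credential exfiltration: form posts cross-origin to a non-brand host.
  const actionOrigin = resolveOrigin(page.formAction || page.url, page.url);
  if (actionOrigin !== pageOrigin && !profile.allowedOrigins.includes(actionOrigin)) {
    findings.push(`credentials posted cross-origin to ${actionOrigin}`);
  }

  if (findings.length === 0) return { verdict: 'allow', findings };
  return { verdict: monitorOnly ? 'monitor' : 'block', findings };
}

// Constructed sample pages (not observed data).
const SAMPLE_PAGES = {
  legitGoogle: {
    url: 'https://accounts.google.com/signin', title: 'Sign in - Google Accounts',
    bodyText: 'Sign in with Google to continue', hasPasswordField: true, formAction: '/signin/challenge',
  },
  aitmGoogle: { // same relayed content, lookalike origin
    url: 'https://accounts-google-verify.example/signin', title: 'Sign in - Google Accounts',
    bodyText: 'Sign in with Google to continue', hasPasswordField: true, formAction: '/signin/challenge',
  },
  tiktokClone: { // lookalike origin AND form posting to a collector
    url: 'https://tiktok-business-ads.example/login', title: 'TikTok for Business',
    bodyText: 'Log in to TikTok Ads Manager', hasPasswordField: true, formAction: 'https://collector.example/submit',
  },
  injectedForm: { // genuine origin, but the form has been redirected
    url: 'https://accounts.google.com/signin', title: 'Sign in - Google Accounts',
    bodyText: 'Sign in with Google to continue', hasPasswordField: true, formAction: 'https://collector.example/grab',
  },
  internalPortal: {
    url: 'https://intranet.corp.example/login', title: 'Corp portal',
    bodyText: 'Enter your credentials', hasPasswordField: true, formAction: '/login',
  },
  blog: { url: 'https://blog.example/post', title: 'A post', bodyText: 'text', hasPasswordField: false, formAction: null },
};

for (const [name, page] of Object.entries(SAMPLE_PAGES)) {
  const r = assessLoginPage(page);
  console.log(`${name}: ${r.verdict}${r.findings.length ? ' [' + r.findings.join('; ') + ']' : ''}`);
}
```

The check deliberately does not rely on the phishing domain being known in advance: the lookalike page fails because it carries Google or TikTok for Business markers on an origin those brands never use, which is exactly the property a rotating domain set cannot hide. Running it with `monitorOnly: true` first is the safe rollout path, since a brand profile with an incomplete allowed-origin list would otherwise block a legitimate regional login host.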

What's in the full analysis

Push Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The full attack chain across the TikTok for Business- and Google-themed phishing pages, including the redirect and form sequence.
  • The observed domain list and hosting pattern used to register and rotate the malicious infrastructure.
  • The browser-based detection context behind the "Monitor only" example and how the campaign was blocked.
  • The practical indicators to watch for in malvertising-linked account takeover attempts.

👉 Read Push Security's analysis of TikTok for Business AiTM phishing and malvertising abuse →
