
Google Search malvertising: what IAM teams need to harden


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: A malvertising campaign used Google Search ads to steer victims to phishing pages, bypassing email-based controls and targeting account access rather than inboxes, according to Push Security. The pattern shows that browser-mediated identity attacks now require continuous detection at the point of interaction, not just perimeter filtering.

NHIMG editorial — based on content published by Push Security: malvertising delivered through Google Search and browser-based phishing

Questions worth separating out

Q: How should security teams defend against malvertising that targets login pages through search results?

A: Security teams should inspect browser journeys before authentication, not just email or network traffic after delivery.

Q: Why does malvertising create a different phishing problem than email-based attacks?

A: Malvertising shifts the trust boundary from inbox controls to the browser and search engine results page.

Q: What do security teams get wrong about malicious ads and credential theft?

A: Teams often focus on takedown after the fact instead of runtime detection while the page is live.

Practitioner guidance

  • Harden browser-based login paths: detect when users reach high-risk login pages through sponsored search results and apply additional verification before credentials or consent are submitted.
  • Inspect redirect chains before authentication: track the full click path from search result to final page so disposable redirects and lookalike domains can be blocked at runtime.
  • Monitor OAuth consent and session-grant behaviour: alert on unusual consent prompts, proxy-based sign-ins, and browser sessions that request access outside normal login patterns.

What's in the full article

Push Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The exact redirect chain and indicator set used to block the malicious Google Search ad campaign.
  • The replicated phishing infrastructure hosted on Odoo and Kartra, including how the pages were staged and taken down.
  • The browser-based detection logic Push used to intercept credential entry, malicious OAuth grants, and session hijacking attempts.
  • The campaign indicators of compromise and the limitations of relying on them after domains are rapidly rotated.

👉 Read Push Security's analysis of Google Search malvertising and phishing delivery →

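As an added example (this is not Push Security's detection logic and not code from the post above), the following Node.js scorer shows the shape of the three practitioner checks in one place: it marks a journey that started from a sponsored search result, counts the redirect hops between the ad click and the final page, compares the final host against a list of protected login hosts (after folding digit-for-letter substitutions, dots and hyphens), and inspects an OAuth authorize URL for a redirect_uri outside an allowlist or a high-risk scope. Every host name, policy value and sample journey is constructed for the demonstration; the one real detail it relies on is that Google Ads auto-tagging appends a gclid parameter to the landing URL of an ad click, which organic results do not carry.

```javascript
// Added example (not Push Security's code or the post's): score a browser
// navigation chain from a search-results page to a login or consent page.
// All hosts, policy values and sample journeys below are constructed.

// Constructed tenant policy (assumption, not from the source).
const POLICY = {
  protectedLoginHosts: ['accounts.google.com', 'ads.google.com', 'login.microsoftonline.com'],
  brandLabels: ['google', 'microsoft'],       // a brand name inside an unknown host is suspicious
  allowedRedirectHosts: ['app.example.com'],  // redirect_uri hosts a consent prompt may name
  highRiskScopes: ['https://www.googleapis.com/auth/gmail.readonly', 'offline_access'],
  maxHops: 1,                                 // redirects tolerated between ad click and final page
};

// Fold digit-for-letter substitutions, dots and hyphens so "acc0unts-google.com"
// normalises to the same string as "accounts.google.com".
function normaliseHost(host) {
  return host.toLowerCase().replace(/0/g, 'o').replace(/1/g, 'l')
    .replace(/3/g, 'e').replace(/5/g, 's').replace(/[.-]/g, '');
}

// Explain why an unknown host imitates a protected login host, or return null.
function lookalikeReason(host, policy) {
  if (policy.protectedLoginHosts.includes(host)) return null;
  const norm = normaliseHost(host);
  const mimicked = policy.protectedLoginHosts.find((g) => norm.includes(normaliseHost(g)));
  if (mimicked) return `${host} normalises to a string containing ${mimicked}`;
  const brand = policy.brandLabels.find((b) => norm.includes(b));
  return brand ? `${host} carries brand label "${brand}" but is not a known login host` : null;
}

// Google Ads auto-tagging appends gclid to an ad click's landing URL; organic
// results do not carry it, so gclid on the first hop marks a sponsored entry.
function enteredViaSponsoredResult(chain) {
  return chain.length > 1 && new URL(chain[1]).searchParams.has('gclid');
}

const LOGIN_PATH = /\/(login|signin|sign-in|auth|account)/i;
const AUTHORIZE_PATH = /oauth2?\/|\/authorize\b/i;

// Findings for an OAuth authorize URL: off-allowlist redirect_uri or a high-risk scope.
function consentFindings(url, policy) {
  if (!AUTHORIZE_PATH.test(url.pathname)) return [];
  const findings = [];
  const redirect = url.searchParams.get('redirect_uri');
  if (redirect) {
    const rHost = new URL(redirect).hostname;
    if (!policy.allowedRedirectHosts.includes(rHost)) findings.push(`consent redirect_uri points to ${rHost}`);
  }
  for (const s of (url.searchParams.get('scope') || '').split(/\s+/)) {
    if (policy.highRiskScopes.includes(s)) findings.push(`high-risk scope ${s}`);
  }
  return findings;
}

// Score an ordered chain of URLs (search results page first, final page last).
function assessLoginJourney(chain, policy = POLICY) {
  const final = new URL(chain[chain.length - 1]);
  const reasons = [];
  const sponsored = enteredViaSponsoredResult(chain);
  if (sponsored) reasons.push('entered via sponsored search result');
  const hops = Math.max(0, chain.length - 2);
  if (hops > policy.maxHops) reasons.push(`redirect chain of ${hops} hops`);
  const imitates = lookalikeReason(final.hostname, policy);
  if (imitates) reasons.push(imitates);
  const consent = consentFindings(final, policy);
  reasons.push(...consent);
  const loginPage = LOGIN_PATH.test(final.pathname);
  const knownHost = policy.protectedLoginHosts.includes(final.hostname);
  let decision = 'allow';
  if (loginPage && imitates) decision = 'block';        // credentials about to go to a lookalike
  else if (consent.length) decision = 'block';          // consent prompt outside policy
  else if (sponsored && (loginPage || knownHost)) decision = 'step-up'; // real login reached via an ad
  else if (reasons.length) decision = 'review';
  return { decision, reasons, finalHost: final.hostname };
}

// Constructed sample journeys (not captured traffic; gclid values are placeholders).
const SEARCH = 'https://www.google.com/search?q=google+ads+login';
const SAMPLE_JOURNEYS = {
  adToLookalike: [SEARCH, 'https://track.example-redirector.net/r?gclid=constructed',
    'https://go.example-redirector.net/step2', 'https://ads-google-accounts.example-host.net/login'],
  adToRealLogin: [SEARCH, 'https://ads.google.com/home/?gclid=constructed', 'https://accounts.google.com/signin'],
  organicToRealLogin: [SEARCH, 'https://ads.google.com/home/', 'https://accounts.google.com/signin'],
  adToRogueConsent: [SEARCH, 'https://promo.example-redirector.net/?gclid=constructed',
    'https://accounts.google.com/o/oauth2/v2/auth?client_id=constructed'
      + '&redirect_uri=https%3A%2F%2Fhook.example-attacker.net%2Fcb'
      + '&scope=openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly'],
};

for (const [name, chain] of Object.entries(SAMPLE_JOURNEYS)) console.log(name, assessLoginJourney(chain));
```

Running it prints `block` for the ad-to-lookalike chain (brand label in an unknown host, login path, two hops), `step-up` for the genuine login reached through an ad (the point of bullet one: the destination is legitimate, but the entry path warrants extra verification before credentials go in), `allow` for the same login reached organically, and `block` for the consent prompt whose redirect_uri leaves the allowlist and whose scope is high-risk. In a real deployment the chain would be fed by a browser extension observing navigation events, which is the "browser edge" the post refers to; the decision logic itself is unchanged. The digit-folding normalisation is deliberately narrow, so anything beyond the handful of substitutions listed would need a fuller confusable-character table.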

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4242
 

Search-ad malvertising is now an identity control problem, not just a web filter problem. The attack succeeds because users are conditioned to trust search results as a navigation path, even when the result is sponsored. That breaks the assumption that phishing starts in email and forces IAM teams to think about browser entry, not just inbox security. The practitioner conclusion is straightforward: identity governance must extend to the browser edge where users actually authenticate.

A question worth separating out:

Q: Who is accountable when browser-based phishing leads to account takeover?

A: Accountability usually spans identity security, endpoint protection, and the business owners of high-value accounts such as advertising platforms. The practical answer is to define who owns browser-based authentication risk, who monitors suspicious redirects, and who can revoke access or sessions immediately.

👉 Read our full editorial: Malvertising through Google Search exposes browser-based identity risk
