TL;DR: A long-running phishing campaign used Calendly-themed lures, AiTM tooling, browser-in-the-browser pop-ups, and targeted anti-analysis checks to steal Google Workspace and Facebook Business access, according to Push Security. The pattern shows how identity front doors, not just inbox filters, now determine whether business ad management accounts can be taken over and reused.
NHIMG editorial — based on content published by Push Security: LLMjacking: How Attackers Hijack AI Using Compromised NHIs
By the numbers:
- We identified 31 unique URLs associated with the same campaign, many of which were recycled over time to impersonate different brands.
Questions worth separating out
Q: How should security teams defend against AiTM phishing against enterprise IdPs?
A: Security teams should assume the attacker may capture a valid session after the login succeeds, not just the password.
Q: Why do business ad accounts attract identity attackers?
A: Business ad accounts are attractive because they combine spend authority, brand trust, and access to platforms that can be monetised or abused quickly.
Q: What breaks when SSO trust is too permissive across identity providers?
A: Overly permissive cross-IdP trust can let an attacker use one compromised identity to reach applications that were assumed to be protected by a different provider.
Practitioner guidance
- Tighten IdP session protections: Require phishing-resistant authentication and strengthen session binding so a stolen browser session is harder to replay after login.
- Review cross-IdP trust paths: Map every environment where users can authenticate through more than one identity provider and validate the SSO trust rules that connect them.
- Segment business ad management access: Treat ad management accounts as privileged business identities and apply stronger monitoring, conditional access, and step-up controls around manager accounts and account-addition events.
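The monitoring half of that guidance can be made concrete. The following is an added example, not code from Push Security or NHIMG: it correlates constructed IdP audit events to flag a session that is reused from a second client shortly after a login that did not use a phishing-resistant factor, and lists any ad-manager addition performed from that second client. Field names (`session`, `ip`, `mfa`) and the `ad_manager_added` action name are assumptions for the sample data, not a real product schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed field names). Session S1 shows the AiTM
# pattern: a push-MFA login, then the same session appearing from a new IP
# within minutes, then a manager being added to the ad account from that IP.
# Session S2 is a FIDO2 login whose privileged action stays on the login IP.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "session": "S1", "ip": "203.0.113.10", "action": "login", "mfa": "push"},
    {"ts": "2024-05-01T09:03:00", "user": "alice", "session": "S1", "ip": "198.51.100.7", "action": "app_access"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "session": "S1", "ip": "198.51.100.7", "action": "ad_manager_added"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "session": "S2", "ip": "203.0.113.20", "action": "login", "mfa": "fido2"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "session": "S2", "ip": "203.0.113.20", "action": "ad_manager_added"},
]

WINDOW = timedelta(minutes=30)
PHISHING_RESISTANT = {"fido2", "passkey"}  # factors an AiTM proxy cannot relay
PRIVILEGED_ACTIONS = {"ad_manager_added"}   # assumed name for account-addition events


def find_session_replay(events, window=WINDOW):
    """Return one alert per session whose token is seen from an IP other than the
    login IP within `window` of a login that used a non-phishing-resistant factor."""
    by_session = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(e["session"], []).append(e)

    alerts = []
    for sid, evs in by_session.items():
        login = next((e for e in evs if e["action"] == "login"), None)
        if login is None or login.get("mfa") in PHISHING_RESISTANT:
            continue  # no login observed, or a factor that defeats the relay
        t0 = datetime.fromisoformat(login["ts"])
        foreign = [e for e in evs if e["ip"] != login["ip"]
                   and datetime.fromisoformat(e["ts"]) - t0 <= window]
        if foreign:
            alerts.append({
                "user": login["user"],
                "session": sid,
                "login_ip": login["ip"],
                "replay_ips": sorted({e["ip"] for e in foreign}),
                "privileged_actions": [e["action"] for e in foreign if e["action"] in PRIVILEGED_ACTIONS],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

Paired with step-up controls on `ad_manager_added`, an alert like this is the point at which a replayed session should be invalidated rather than trusted.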
What's in the full article
Push Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Side-by-side screenshots and page flow details for the Calendly-themed AiTM variants.
- The campaign’s anti-analysis checks and domain-targeting logic that blocked inspection.
- Examples of the fake recruiter personas and brand impersonations used across different pages.
- Push Security’s reasoning on why business ad-management accounts are being prioritised by attackers.
Google Workspace AiTM phishing and the ad account governance gap?
Explore further
Identity front doors have become the real control plane for business ad risk. When attackers compromise the primary enterprise IdP, they are not just stealing a mailbox or a single app login. They are gaining a reusable entry point into downstream apps, ad managers, and other business systems that trust the same identity fabric. The implication is that identity governance for marketing and ad operations can no longer sit outside core IAM decision-making.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: What should teams do when phishing uses staged lures and fake scheduling pages?
A: Teams should review the full interaction sequence, not only the first email. Staged lures often delay the malicious link until trust is established, then use familiar services like calendaring tools to lower suspicion. Detection and user training should reflect that multi-step behaviour, because a single-message filter will miss the pattern.
👉 Read our full editorial: AiTM phishing against Google Workspace exposes ad account risk