Spear Phishing Campaign Takes Aim at Marketers


Northwave SOC investigates hijacked advertising accounts

Published: 10 June 2026

Marketing teams are in the crosshairs of a clever spear phishing campaign. A Northwave SOC investigation has exposed an attack that uses advertisements for fake jobs and AI tools to lure employees into sharing personal data and login information.

Traditionally, financially motivated spear phishing campaigns have targeted senior administrators and executives, or IT and finance teams, who can be exploited for quick access to sensitive company data and systems. This latest campaign is an important reminder that anyone in an organisation can be a target, and generative AI is helping threat actors make their phishing campaigns more convincing than ever.

How marketing teams are being targeted

We believe this attack is being executed by a long-running, financially motivated threat actor that has been evolving its tactics over the past three years. Earlier campaigns sent urgent emails to compel people to verify their accounts within 24 hours, leading victims to cloned versions of Facebook or Google. Another tactic uses fake job vacancies for Fortune 500 companies. Victims have received authentic-looking emails via abused legitimate business platforms such as Xero and Atlassian. They are then directed to convincing brand-specific landing pages that collect personal data.

The most recent campaign we uncovered advertises an AI-automated ad campaign tool to support marketing teams. The site uses a fake login form which enables the threat actor to steal personal information.


Ultimately, the threat actor aims to take over advertising accounts, mainly focusing on Facebook and AdSense accounts, or possibly sell the data on the dark web for other threat actors to abuse. A hijacked Google Ad Manager account gives attackers access to significant ad spend and account data that cybercriminals can monetise illicitly, for example, to support stealthy ad fraud, malvertisement campaigns, or extortion schemes.

A victim we supported through our investigation lost money and access to their Google ad campaigns. Google temporarily blocked the organisation’s account due to misuse and it was difficult for the organisation to get campaigns back online. This kind of attack can have far-reaching consequences if the campaign spreads additional malware to other end users. And, if the login details are sold on the dark web, they can be used in additional attacks on the organisation.


What Defenders Can Look For

This threat actor uses several strategies to avoid detection. One tactic is to abuse sites such as Google Workspace and Facebook, which typically fall outside of traditional security monitoring. The campaign bypasses multifactor authentication (MFA) with pop-ups that closely mimic an authentic login page, also known as the Browser-in-the-Middle (BitM) technique. Additionally, the adversary signs in through proxies so that the source IP is located near the victim, making the login look more legitimate. By the time detection alarms are finally triggered, it is often too late, as the threat actor has already received the victim’s login details.

We also observed that the threat actor changes domains repeatedly. Our SOC investigation found the campaign has maintained continuous infrastructure on a single cloud application platform throughout its entire known lifetime, linking close to 100 domains across all observed waves via a single shared API response hash. It reused backend infrastructure and code patterns that exposed the connection between all the attacks, enabling us to track this latest spear phishing campaign.
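The pivot described above, linking many lure domains through one shared API response hash, can be reproduced as a small clustering routine. The following is an added example written for this article, not Northwave's tooling: it takes the bodies a probe of candidate domains would return from a suspected backend endpoint (here a constructed set of made-up `.test` domains and responses), canonicalises each body by dropping volatile fields such as timestamps, hashes the result, and groups domains that share a hash. The `VOLATILE_KEYS` list and the sample responses are assumptions for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample: what probing a suspected backend API endpoint on several
# candidate domains might return. None of these domains or bodies are real.
SAMPLE_RESPONSES = {
    "ai-adtool-example.test": '{"status":"ok","app":"adtool","version":"2.1","ts":1718000000}',
    "careers-brand-example.test": '{"status":"ok","app":"adtool","version":"2.1","ts":1718000120}',
    "another-lure-example.test": '{"status": "ok", "app": "adtool", "version": "2.1", "ts": 1718000500}',
    "unrelated-shop.test": '{"status":"ok","app":"shopfront","version":"5.0"}',
    "broken-host.test": "<html>502 Bad Gateway</html>",
}

# Fields that change per request and would otherwise break the hash match
# (assumed names; tune to the endpoint you are actually probing).
VOLATILE_KEYS = {"ts", "timestamp", "nonce", "request_id"}


def normalise(body):
    """Canonicalise a JSON body: drop volatile fields, sort keys, strip whitespace.
    Non-JSON bodies are hashed as-is after whitespace stripping."""
    try:
        obj = json.loads(body)
    except ValueError:
        return body.strip()
    if isinstance(obj, dict):
        obj = {k: v for k, v in obj.items() if k not in VOLATILE_KEYS}
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def response_hash(body):
    """SHA-256 of the canonical form, so reordered keys or timestamps still match."""
    return hashlib.sha256(normalise(body).encode()).hexdigest()


def cluster_by_hash(responses):
    """Map each response hash to the sorted list of domains that produced it."""
    clusters = defaultdict(list)
    for domain, body in responses.items():
        clusters[response_hash(body)].append(domain)
    return {h: sorted(domains) for h, domains in clusters.items()}


def linked_domains(responses, min_size=2):
    """Keep only clusters with at least min_size domains: the pivot candidates."""
    return {h: d for h, d in cluster_by_hash(responses).items() if len(d) >= min_size}


if __name__ == "__main__":
    for h, domains in linked_domains(SAMPLE_RESPONSES).items():
        print(h[:16], "->", ", ".join(domains))
```

On the constructed data the three lure domains collapse into one cluster despite different timestamps and whitespace, while the unrelated shop and the erroring host stay apart. In real tracking the same idea is applied to whatever the backend returns for a fixed probe, and the hash becomes a stable indicator that survives the actor's frequent domain changes.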


Main characteristics of the campaign

Here’s a quick overview of techniques Northwave’s SOC has determined are being used in this spear phishing campaign aimed at marketing employees:

  1. Targeting advertising accounts: The campaign is primarily focused on compromising advertising manager accounts. Initial lures involved urgent notifications such as policy violations, breach alerts, marketing infringements, and Meta warnings. Interacting with any element of the website opened a fake Facebook sign-in page; Facebook accounts can also be used to buy advertisements. 

  2. Shift to fake job offers: The adversary later transitioned to fake job opportunities, allegedly sending spear-phishing emails to advertising professionals at companies such as Ferrari, Red Bull, BMW, and Coca-Cola. Again, interacting with the website opened a fake Facebook sign-in page, since Facebook accounts can also be used to buy advertisements.

  3. Expansion to AI-themed lures: While maintaining fake job offer pages, the actor has broadened their approach to include AI-related advertising opportunities, impersonating platforms such as Gemini, OpenAI, and Claude. The adversary shifted to Google Accounts to be able to buy Google advertisements.

  4. Email delivery techniques: In one confirmed case (noting there is only one verified compromise), an email was sent from a domain that, despite being only seven days old, successfully bypassed email filters. We believe the adversary used Resend in combination with Amazon SES, enabling them to evade detection.

  5. Victim profiling via IP services: Services such as IPify and ipapi appear to be used to gather the victim’s location, likely to facilitate proxy-based sign-ins from the same region.

  6. Infrastructure hosting via cloud application platforms: The observed infrastructure suggests the attacker is leveraging cloud application platforms to rapidly deploy, scale, and manage phishing operations.

  7. Use of Cloudflare: Cloudflare is used to obscure infrastructure and evade detection by security tools and automated scanning systems.

Old tactics, new jackets

The evolving strategies used in this spear phishing campaign over the past three years show us that this threat actor is learning and adapting as defenders expose the threat. Some of the methods, like using IP services to appear to be in the same location as the victim, are somewhat new. However, other tactics have been in use for quite some time. The threat actor has simply dressed them up in a more modern and convincing “jacket” so they are harder to recognise. The websites are professionalised and the phishing emails are more personalised, likely drawing on information found on the target’s public social media profiles.

Here are some tips to help teams stay sceptical when confronted with possible phishing or malvertisement campaigns:

  • Beware of sites that immediately ask you to enter your personal information before giving you specific information about the product or company.
  • Threat actors know that AI is a novel and attractive tool right now. Watch out for offers that seem too good to be true, especially those that promise full automation without telling you how it aligns with GDPR and other security requirements.
  • Similarly, don’t be too quick to apply to a “dream job” from a well-known brand that shows up in your inbox. Take a moment to verify the vacancy is authentic by searching online for the company website and checking the open vacancies there.
  • When searching online for an LLM site, like Claude or ChatGPT, double check the URLs in the search results to make sure you click on the legitimate site and don’t accidentally “login” to a spoof site.
  • If an organisation’s domain is very new, and they are reaching out to you with a promotion or offer, it is highly likely that it is a malicious site. Instead of Googling the site, it’s more reliable to use a tool like VirusTotal to check information about a URL, including when the domain was established and whether other organisations have reported suspicious activity associated with the site.
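The domain-age check from the last tip, and the seven-day-old sending domain from point 4 of the campaign overview, can be automated at the mail gateway or in a triage script. The following is an added example written for this article, not Northwave's or any vendor's code: it parses a constructed email, extracts the sender domain from the `From` header and the envelope sender from `Return-Path`, looks up the domain's creation date in a stand-in registry table (in practice this would come from RDAP, WHOIS, or a reputation service such as the VirusTotal lookup mentioned above), and flags domains younger than a threshold. The message, the `REGISTRY_CREATED` table and the 30-day threshold are all assumptions for illustration.

```python
import email
from email.utils import parseaddr
from datetime import date

# Constructed message; not a real sample from the investigation.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example-esp.test>
From: "Talent Team" <careers@brand-jobs-example.test>
To: marketer@victim-org.test
Subject: Your application: Senior Performance Marketer
Date: Mon, 10 Jun 2024 09:12:00 +0000

We reviewed your profile and would like to invite you to the next round.
Please confirm your details here: https://brand-jobs-example.test/apply
"""

# Constructed stand-in for a WHOIS/RDAP creation-date lookup.
REGISTRY_CREATED = {
    "brand-jobs-example.test": date(2024, 6, 3),  # registered 7 days before the mail
    "victim-org.test": date(2012, 4, 1),
}

MAX_AGE_DAYS = 30  # assumed threshold; tune to your tolerance for false positives


def sender_domain(msg):
    """Domain of the visible From address (what the recipient sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def envelope_domain(msg):
    """Domain of the envelope sender recorded in Return-Path, if present."""
    _, addr = parseaddr(msg.get("Return-Path", ""))
    return addr.rpartition("@")[2].lower()


def domain_age_days(domain, today, registry=REGISTRY_CREATED):
    """Days since registration, or None when the registry has no record."""
    created = registry.get(domain)
    return None if created is None else (today - created).days


def assess(raw, today, registry=REGISTRY_CREATED, max_age_days=MAX_AGE_DAYS):
    """Return the sender domain, its age and a list of human-readable findings."""
    msg = email.message_from_string(raw)
    dom = sender_domain(msg)
    age = domain_age_days(dom, today, registry)
    findings = []
    if age is None:
        findings.append(f"no registration data for {dom}")
    elif age < max_age_days:
        findings.append(f"sender domain {dom} is only {age} days old")
    env = envelope_domain(msg)
    if env and env != dom:
        # Common with transactional mail services; a weak signal on its own,
        # but worth recording next to a very new From domain.
        findings.append(f"envelope sender domain {env} differs from From domain {dom}")
    return {"sender_domain": dom, "age_days": age, "findings": findings}


if __name__ == "__main__":
    result = assess(RAW_MESSAGE, today=date(2024, 6, 10))
    for finding in result["findings"]:
        print("FLAG:", finding)
```

A new sender domain is not proof of phishing, since legitimate campaigns also launch on fresh domains, so the output is best treated as a triage signal that routes the message for a closer look rather than as an automatic block.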

Finally, as we mentioned at the beginning of this article, always bear in mind that anyone in an organisation can be a target. It is important to ensure your entire workforce is aware of the latest phishing techniques and knows what to do when they receive a suspicious message or click on a questionable link. This means going beyond an annual phishing test and implementing ongoing learning programmes that are tailored to specific teams. Moreover, as more cyberattacks are cleverly disguised to evade detection, having a human-led SOC supported by AI automation is crucial. In the case of our client, the proactive intervention and in-depth investigation by our blue team helped stop the attack before it spread further throughout the organisation.
