A Tale of the Most Sophisticated Spear Phishing Attack I’ve Ever Seen

Last Thursday, I opened a support ticket labeled with the all-too-familiar subject line:
“HELP!! User’s account has been hacked!!! URGENT!”

My first thought was, “This is probably just another case of a browser pop-up saying something like, ‘You’ve been hacked!’ or ‘Your computer has 52 viruses! Call Microsoft Support at 555-5555.’”

If you work in IT, you know the drill. Nine out of ten times, you dismiss these incidents with a simple, “Close the window and move on.” I was ready to do just that. (Foreshadowing, anyone?)

I contacted the user via Teams and asked them to share their screen. What I saw wasn’t a typical scareware pop-up—it was the Google Ads dashboard.

For those unfamiliar, Google Ads is a platform where users can create and manage ad campaigns that appear at the top of search results when specific keywords are searched (e.g., “Show my bike shop’s ad whenever someone searches for ‘bikes.’”). Our company relies heavily on Google Ads to manage hundreds of thousands of dollars in ad spend for our clients.

The user showed me that one of the campaigns had its daily spending limit set to $10,000, with $380 already charged to the account. Alarm bells went off. We immediately paused the campaign to prevent further charges and began investigating.

This was no fake virus pop-up. Someone had compromised the account.

The Investigation Begins

We quickly discovered that a specific user’s account had made the changes, increasing spending limits and creating new campaigns. We suspended the account, revoked all active sessions, and began auditing their activity logs.

Here’s where things got puzzling: all user accounts in our environment are protected with multi-factor authentication (MFA), and the affected user had MFA enabled for nearly five years.

How did someone bypass MFA?

Tracing the Logs

The user’s typical login location was Ontario, but the logs showed suspicious activity originating from Brazil during our company’s holiday break. When I asked the user if they had traveled to Brazil over Christmas, they laughed and said, “No.”

Digging deeper, I found that the unauthorized logins successfully used both the correct password and SMS-based MFA.

“How is this even possible?” I asked again.

Google Workspace support confirmed that the logs showed an SMS MFA challenge had been sent—and approved. When I asked the user about it, they looked at their SMS app and saw that there was in fact an SMS that had come in at that time, but insisted they hadn’t shared it with anyone. They’d undergone security training and knew never to disclose MFA codes, even to IT.

Still, somehow, the attacker had obtained and used the code.

A Deeper Look

Then, I noticed something troubling in the account settings: the attacker had added a passkey to the account and linked it to an iCloud Keychain. This meant they had a permanent, device-independent backdoor to the account—so long as they had access to that iCloud account.

Then the realization hit hard: the attackers had been in the account for over eight days!

Finding the Fraudulent Campaigns

In the admin logs, I identified three new ad campaigns created by the attackers. While we quickly found one, the remaining two were harder to track because the logs didn’t specify which Google Ads accounts were involved.

To complicate matters, someone on the user’s team had overzealously removed their access to all their managed ad accounts—making it impossible to trace their previous activity.

Using a break-glass account, I reset its password and got ready to log into a few accounts to look.

The Phishing Trap Revealed

During this process, I encountered a key turning point. I had no idea what the URL was for Google Ads, so I Googled “Google Adwords,” clicked the first sponsored link, and landed on what appeared to be the official Google Ads login page. Just as I was about to type in my credentials, the user shouted, “Wait, stop! Look at the URL.”

Sure enough, I wasn’t on Google Ads.

The URL read sites.google.com/...—a Google Site, but not the actual Google Ads platform. It was an impeccable replica, complete with SSL encryption and perfect design, hosted on Google’s own infrastructure.

It hit me like a ton of bricks:

  1. The attackers had created a fake Google Ads login page using Google Sites.
  2. They ran a malicious ad campaign targeting users searching for “Google Ads.”
  3. The vanity URL in the ad displayed ads.google.com, but the link redirected to their fake site.
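The check the user did by eye at the address bar, written out as an added example (mine, not the author’s and not Google’s code): it parses the host a link really lands on and compares it with the host the ad displays, treating sites.google.com as a mismatch even though it shares the google.com suffix. The list of expected sign-in hosts is an assumption.

```python
from urllib.parse import urlsplit

# Hosts a genuine Google Ads sign-in link should land on (assumed for this example).
EXPECTED_HOSTS = {"ads.google.com", "accounts.google.com"}

def _with_scheme(url: str) -> str:
    # Ad display URLs are usually shown without a scheme ("ads.google.com").
    return url if "://" in url else "https://" + url

def landing_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL.

    urlsplit resolves the two common lookalike tricks: an expected host placed
    in the userinfo part (https://ads.google.com@sites.google.com/...) and an
    expected host used as a path segment (https://sites.google.com/ads.google.com/...).
    """
    parts = urlsplit(_with_scheme(url))
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not a web URL: {url!r}")
    return (parts.hostname or "").lower().rstrip(".")

def is_expected_login_host(url: str, expected_hosts=EXPECTED_HOSTS) -> bool:
    """True only when the landing host is exactly one of the expected hosts.

    Exact match on purpose: a suffix check on "google.com" would accept
    sites.google.com, which hosts user-published pages, and a prefix check
    would accept ads.google.com.example.net.
    """
    try:
        return landing_host(url) in expected_hosts
    except ValueError:
        return False

def check_ad_link(display_url: str, destination_url: str) -> dict:
    """Compare what an ad shows with where its click actually lands."""
    shown, actual = landing_host(display_url), landing_host(destination_url)
    return {
        "shown_host": shown,
        "landing_host": actual,
        "mismatch": shown != actual,
        "landing_expected": actual in EXPECTED_HOSTS,
    }
```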

How the Attack Worked

Here’s the chilling breakdown of their spear-phishing attack:

  1. Malicious Ad Setup
    • The attackers gained access to a legitimate Google Ads account, used it to create fraudulent ads, and targeted users searching for “Google Ads.”
  2. Fake Login Page
    • Their Google Site mimicked the Google Ads login page perfectly, even mirroring dark mode settings.
  3. Man-in-the-Middle (MitM) Login
    • When a victim entered their username and password, the attackers relayed it to the real Google login server.
    • The real server responded with a 2FA challenge, which the attackers forwarded to the victim.
    • When the victim entered the 2FA code, the attackers sent it to Google, gaining full access.
  4. Establishing Persistence
    • Once inside, they added a passkey to the account, stored in an iCloud Keychain, giving them continuous access.
  5. Exploiting the Compromise
    • They increased ad spend limits, created fraudulent campaigns, and launched more malicious ads targeting new victims searching for Google Ads.
    • They launched new campaigns targeting other sites, such as parking-ticket payment pages, to steal credit card information.

Aftermath and Lessons Learned

Over eight days, the attackers racked up over $13,000 in charges across three campaigns. Google Ads support has been an absolute nightmare, with repetitive requests for information and a lack of urgency. Seven days later, we’re still fighting for a resolution.

This attack was the most sophisticated phishing scheme I’ve ever encountered. The attackers weaponized Google’s own tools—Google Ads and Google Sites—to create an air of legitimacy that would fool even seasoned IT professionals.

Key Takeaways:

  • SMS-based 2FA is vulnerable. Consider transitioning to phishing-resistant MFA options like FIDO2 keys.
  • Monitor ad spend closely. A daily audit could help catch fraudulent activity sooner.
  • Educate users. Highlight the risks of phishing, even from URLs that appear legitimate.
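As an added example (mine, not part of the original post), the daily audit the takeaways call for, run over constructed sample records rather than real Google Ads or Workspace logs: it flags the three signals from the story (a login outside the user’s usual country, a new sign-in method such as a passkey, a daily budget raised far beyond its previous value) and lists every campaign the flagged user touched afterwards, which is exactly what the investigation above lacked. Event field names, home-country baselines and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), modelled on the post's timeline.
SAMPLE_EVENTS = [
    {"ts": "2024-12-23T09:10:00", "user": "alice", "type": "login", "country": "CA"},
    {"ts": "2024-12-26T02:14:00", "user": "alice", "type": "login", "country": "BR"},
    {"ts": "2024-12-26T02:20:00", "user": "alice", "type": "passkey_added", "detail": "iCloud Keychain"},
    {"ts": "2024-12-27T03:05:00", "user": "alice", "type": "campaign_created", "campaign": "CAMP-A"},
    {"ts": "2024-12-27T03:06:00", "user": "alice", "type": "budget_changed", "campaign": "CAMP-A", "old": 50.0, "new": 10000.0},
    {"ts": "2024-12-27T10:00:00", "user": "bob", "type": "budget_changed", "campaign": "CAMP-B", "old": 200.0, "new": 250.0},
    {"ts": "2024-12-28T11:00:00", "user": "bob", "type": "campaign_created", "campaign": "CAMP-C"},
]
HOME_COUNTRY = {"alice": "CA", "bob": "CA"}   # assumed per-user baseline
BUDGET_RATIO = 5.0        # flag a daily budget raised more than 5x
BUDGET_ABSOLUTE = 5000.0  # or raised to/above a hard ceiling
SUSPECT_WINDOW = timedelta(days=10)  # the post's intruder was inside for 8+ days

def audit(events, home=HOME_COUNTRY):
    """Return (alerts, suspect_campaigns).

    alerts: list of (timestamp, user, reason, detail) tuples.
    suspect_campaigns: every campaign created or re-budgeted by a user within
    SUSPECT_WINDOW after that user's first anomalous login, so that all of an
    intruder's campaigns can be enumerated even when the change log alone
    does not say which ad accounts were involved.
    """
    alerts, suspect_since, suspects = [], {}, set()
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user, kind = datetime.fromisoformat(e["ts"]), e["user"], e["type"]
        if kind == "login" and e["country"] != home.get(user):
            alerts.append((e["ts"], user, "login_from_unexpected_country", e["country"]))
            suspect_since.setdefault(user, ts)
        elif kind == "passkey_added":
            # A new sign-in method is persistence, not a routine setting change.
            alerts.append((e["ts"], user, "new_sign_in_method", e["detail"]))
        elif kind == "budget_changed":
            old, new = e["old"], e["new"]
            if new >= BUDGET_ABSOLUTE or (old > 0 and new / old > BUDGET_RATIO):
                alerts.append((e["ts"], user, "budget_spike", f"{old:g}->{new:g}"))
        # Any campaign a suspect user touched after the anomalous login.
        since = suspect_since.get(user)
        if since is not None and "campaign" in e and ts - since <= SUSPECT_WINDOW:
            suspects.add(e["campaign"])
    return alerts, sorted(suspects)
```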

This experience was frustrating, infuriating, and, in a strange way, impressive. It was a stark reminder of how clever and determined attackers can be—and why we must remain vigilant.

Photos of the fraudulent ad and site and login page

Photos of the real thing

©Steve Main 2025