A phishing campaign is targeting Google Workspace and Facebook business accounts by impersonating well-known brands like Unilever, Disney, MasterCard, LVMH, and Uber. Discovered by Push Security, the campaign uses legitimate-looking Calendly invitations to lure victims. Unlike typical phishing attempts, these emails are highly sophisticated and crafted to exploit trust, making them more effective. Once a victim clicks on the link, they encounter a fake Calendly page that leads them to an AiTM phishing page designed to capture Google Workspace login sessions. Push Security identified 31 unique URLs linked to this campaign, with variations targeting Facebook Business credentials as well. One method used is Browser-in-the-Browser (BitB) attacks, which create the illusion of legitimate pop-up windows for credential theft. The phishing pages also employ anti-analysis techniques to hinder detection, such as blocking VPN traffic and preventing access to developer tools. In a related effort, another malvertising campaign directs users searching for "Google Ads" to a phishing page that mimics Google's login screen. This trend of targeting ad manager accounts remains profitable for cybercriminals. The AiTM techniques enable attackers to bypass two-factor authentication, making it crucial for account owners to adopt stronger security measures. Using hardware security keys, verifying URLs before entering credentials, and carefully examining login pop-ups are recommended steps to mitigate these risks.