TL;DR

  • Attackers are running a targeted phishing campaign against TikTok for Business accounts using adversary-in-the-middle (AitM) reverse proxy kits that steal live session cookies -- bypassing MFA entirely.
  • The attack arrives as a convincing email impersonating either TikTok for Business or Google Careers, with a CAPTCHA gate designed to block automated security scanners from seeing the fake login page.
  • Compromised accounts are used immediately for malvertising: fraudulent ads that distribute credential-stealing malware to your audience -- one video in this campaign reached approximately 500,000 views.
  • Protecting your account requires hardware security keys or passkeys, dedicated login email addresses, and a response plan for account takeover -- all of which are straightforward to implement.

Why TikTok for Business Accounts Are High-Value Targets Right Now

TikTok is no longer just a platform for consumer entertainment. With 1.99 billion monthly active users and projected ad revenue of $34.8 billion in 2026, TikTok for Business has become a core marketing channel for companies of every size [4]. Engagement rates average 3.73 percent -- significantly higher than competing platforms -- making TikTok ad inventory genuinely valuable.


That value has attracted a different kind of attention.

On March 26, 2026, Push Security researcher Dan Green published findings documenting an active phishing campaign explicitly targeting TikTok for Business accounts [1]. The campaign was subsequently reported by The Hacker News on March 27, 2026 [2]. This is not a generic credential-stuffing attack. It is a precision operation using phishing infrastructure built to defeat the security controls most businesses rely on, including multi-factor authentication.

If your team runs TikTok ads, this campaign is aimed at you.


How Does AitM Phishing Steal Your TikTok Account?

Understanding the attack chain is the first step toward stopping it. This campaign uses a technique called adversary-in-the-middle (AitM) phishing, which is meaningfully different from traditional phishing.

In a traditional phishing attack, a fake login page harvests your username and password. MFA stops that attack because the attacker only has your credentials, not the second factor.

In an AitM attack, the phishing page is a live reverse proxy sitting between you and the real TikTok login server. When you type your credentials and complete your MFA challenge on what looks like the TikTok login page, the reverse proxy passes your inputs to the real server in real time and receives back your authenticated session cookie. The attacker captures that cookie. At that point, your password and your MFA code are irrelevant -- the attacker holds a valid, authenticated session token and can access your account directly.

The specific attack chain documented by Push Security proceeds as follows:

  1. A phishing email arrives impersonating TikTok for Business (warning of a policy violation, for example) or impersonating Google Careers with a fake job opportunity.
  2. The victim clicks the link and encounters a Cloudflare Turnstile CAPTCHA. This is not for user convenience -- it is a deliberate mechanism to block automated security scanners and URL analysis tools from loading and inspecting the phishing page.
  3. After passing the CAPTCHA, the victim sees a convincing TikTok login page that is actually a reverse proxy forwarding traffic to TikTok's real infrastructure.
  4. The victim authenticates. The session cookie is stolen in real time.
  5. The attacker logs in using the stolen session cookie. If the victim used Google SSO to log in to TikTok, the attacker may also obtain access to the associated Google account.

The infrastructure behind this campaign is deliberate and fast. Ten phishing domains following a careersXXX.com naming pattern were registered on March 24, 2026, all within a nine-second window, through Nicenic International Group -- a registrar with a documented history in bulk phishing infrastructure registration [1]. All domains were hosted behind Cloudflare. The same underlying infrastructure was flagged by Sublime Security in October 2025 [5], indicating an active and evolving operation.


What Happens After Your Account Is Taken Over?

Account takeover is not the final goal -- it is the starting point. Compromised TikTok for Business accounts give attackers access to established ad audiences, payment methods, and platform credibility.

In this campaign, stolen accounts were used to run malvertising: fraudulent ads and organic content distributing infostealer malware including Vidar, StealC, and Aura Stealer [1][2]. One piece of malicious content in this campaign reached approximately 500,000 views and accumulated more than 20,000 likes before being removed.

The consequences for the legitimate account holder are compounded. Your business faces potential suspension by TikTok for policy violations you did not commit. Your customers and followers may be exposed to malware served under your brand identity. Your ad budget may be spent on fraudulent campaigns. And your Google account may be compromised simultaneously if you used SSO.

The Verizon 2025 Data Breach Investigations Report found that approximately 88 percent of breaches following the Basic Web Application Attack pattern involved stolen credentials [3]. AitM phishing is the mechanism that keeps credential theft effective even as MFA adoption increases.


Which Businesses Are Most at Risk?

Any organization using TikTok for Business to manage paid advertising is a potential target. The campaign uses two distinct lures, which means the attack surface extends beyond TikTok users directly:

  • Teams that actively manage TikTok advertising are targeted via TikTok policy impersonation emails.
  • Marketing and recruitment staff are targeted via fake Google Careers job opportunity emails, which have been in active use by the same infrastructure since at least October 2025 [5].

Businesses that log in to TikTok using Google SSO face compounded risk: a single successful phishing interaction can result in the compromise of both accounts simultaneously.


How Do You Protect Your TikTok for Business Account From This Attack?

The following measures directly address the techniques used in this campaign.

Use a hardware security key or passkey for your TikTok account. Standard TOTP-based MFA (authenticator app codes) does not prevent AitM session cookie theft, because the reverse proxy completes the MFA challenge in real time. Hardware security keys and passkeys (FIDO2/WebAuthn) bind the credential to the legitimate site's domain, and the browser, not the page, records the origin it actually loaded in the data the key signs. A reverse proxy on a lookalike domain therefore cannot obtain a valid login, even if the page is visually identical to the real site. This is the single most effective technical control available.
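To make the origin-binding argument concrete, here is an added Python model of the WebAuthn checks involved (an illustration written for this article, not TikTok's or any vendor's code). The phishing origin is a constructed placeholder, and an HMAC stands in for the credential's real ECDSA signature; the rpId and origin checks are the actual WebAuthn steps that defeat a proxy.

```python
import hashlib
import hmac
import json
import secrets

# Relying party (the real site). The phishing origin below is a constructed
# placeholder for this illustration, not a domain from the campaign.
RP_ID = "business.tiktok.com"
RP_ORIGIN = "https://business.tiktok.com"
PHISH_ORIGIN = "https://business-tiktok-login.example"


def is_registrable_suffix(host: str, rp_id: str) -> bool:
    """Browser rule: the requested rpId must equal the page host or be a parent domain of it."""
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(cred_key: bytes, page_origin: str, rp_id: str, challenge: str) -> dict:
    """Model of navigator.credentials.get(): the browser, not the page, fixes rpId and
    origin from the document it actually loaded; the authenticator then signs over
    authenticatorData || SHA-256(clientDataJSON)."""
    host = page_origin.split("://", 1)[1]
    if not is_registrable_suffix(host, rp_id):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    # HMAC stands in for the credential's ECDSA signature; real keys are asymmetric.
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}


def rp_verify(cred_key: bytes, assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Server-side checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:  # the check a reverse proxy cannot pass
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin: str, rp_id_requested: str, cred_key: bytes = b"demo-credential-key") -> str:
    """One passkey login ceremony seen from the browser; returns the outcome as text."""
    challenge = secrets.token_urlsafe(16)  # issued by the real server (a proxy relays it unchanged)
    try:
        assertion = browser_get_assertion(cred_key, page_origin, rp_id_requested, challenge)
    except PermissionError as e:
        return f"browser refused: {e}"
    ok, reason = rp_verify(cred_key, assertion, challenge)
    return "authenticated" if ok else f"server rejected: {reason}"


if __name__ == "__main__":
    print(login_attempt(RP_ORIGIN, RP_ID))                              # authenticated
    print(login_attempt(PHISH_ORIGIN, RP_ID))                           # browser refused: rpId invalid for origin
    print(login_attempt(PHISH_ORIGIN, "business-tiktok-login.example"))  # server rejected: origin mismatch
```

The second call shows the browser refusing to use the credential at all on the lookalike origin; the third shows that even a proxy page requesting its own rpId produces an assertion the real server rejects.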

Create a dedicated email address for TikTok for Business login. Using a shared or widely known company email address as your login credential increases the attack surface. A dedicated address that is not published anywhere reduces the likelihood that targeted phishing reaches that inbox.

Avoid using Google SSO for TikTok for Business. If a phishing attack succeeds, SSO login means both accounts are exposed simultaneously. A separate, dedicated login credential limits the blast radius.

Train the team to verify login URLs before entering credentials. Reverse proxy phishing pages use lookalike domains. The URL bar is the one place where the deception is visible. Verify that the address bar shows exactly business.tiktok.com as the host, not merely a longer domain that contains that string, before entering any credentials.

Establish a response protocol before you need it. Know in advance how to revoke all active sessions in TikTok for Business, who to contact at TikTok Business Support, and what your internal escalation path is if an account takeover is suspected. A response plan executed in the first hour limits damage significantly more than one executed the following morning.

Apply CISA phishing guidance as a baseline. CISA's October 2023 phishing guidance [7] recommends phishing-resistant MFA as the primary defense and provides a structured framework for reducing organizational exposure to credential-based attacks.


Are Other Phishing Campaigns Active Right Now?

Yes. Security researchers at WatchGuard documented a separate but concurrent phishing campaign on March 25, 2026, delivering malware linked to the BianLian ransomware group via SVG file attachments disguised as invoice documents [6]. The delivery mechanism differs, but the underlying pattern is consistent: attackers are using technical evasion to bypass automated scanning tools, then relying on convincing lures to reach human targets.

The convergence of these campaigns in the same week reflects a broader trend documented in Push Security's State of Identity Attack Surface report [8]: identity-based attacks are increasing in sophistication, and the perimeter that MFA was designed to protect is under sustained pressure from session hijacking techniques.


What Should You Do This Week?

Your TikTok for Business account represents real business value: your audience, your ad spend, your brand credibility, and potentially your payment credentials. The steps above are not complicated to implement, and most cost nothing. The cost of not implementing them -- in ad fraud, brand damage, malware distribution to your followers, and account recovery time -- is substantially higher.

If you want help assessing your current exposure or implementing phishing-resistant authentication for your marketing team's accounts, that conversation is worth having now rather than after an incident.

Get a security consultation for your business.


FAQ

Does MFA protect my TikTok for Business account from this attack? Standard MFA using authenticator app codes (TOTP) does not protect against AitM phishing. The reverse proxy completes the MFA challenge in real time as you perform it, and the attacker receives the authenticated session cookie after you have successfully passed all authentication steps. Hardware security keys and passkeys are the effective countermeasure because they cryptographically verify the legitimate domain and will not authenticate against a proxy.

How do I know if my TikTok account has already been compromised? Check your active sessions under TikTok for Business account settings. Look for sessions from unfamiliar locations, devices, or IP addresses. Unusual ad activity -- campaigns you did not create, budget being spent on unfamiliar content -- is also a strong indicator. If you suspect compromise, revoke all sessions immediately and change your login credentials before reviewing the scope of any changes made.
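An added example (not TikTok's tooling) of turning that session review into detection logic over a constructed access log. It assumes the platform exports login and session-use events with client IP, user agent and country; the tell-tale sign of a stolen cookie is a session issued to one client and then used by another.

```python
import shlex
from typing import Iterable

# Constructed sample of a business-account access log (not real TikTok output).
# IPs are RFC 5737 documentation addresses. Session s1 is minted by the victim's own
# MFA-completed login, then used from a different client: the fingerprint of a stolen cookie.
SAMPLE_LOG = """\
2026-03-26T09:14:02Z event=login user=ads-team@example.com sid=s1 ip=203.0.113.10 ua=Chrome/123 geo=DE mfa=ok
2026-03-26T09:14:05Z event=session_use sid=s1 ip=203.0.113.10 ua=Chrome/123 geo=DE path=/dashboard
2026-03-26T09:16:41Z event=session_use sid=s1 ip=198.51.100.77 ua=python-requests/2.31 geo=NL path=/api/campaigns
2026-03-26T09:17:03Z event=campaign_create sid=s1 ip=198.51.100.77 ua=python-requests/2.31 geo=NL name="Free video tool"
2026-03-26T10:02:00Z event=login user=ads-team@example.com sid=s2 ip=203.0.113.10 ua=Chrome/123 geo=DE mfa=ok
2026-03-26T10:03:10Z event=session_use sid=s2 ip=203.0.113.10 ua=Chrome/123 geo=DE path=/dashboard
"""

# An IP change alone is common on mobile networks, so it scores low; a new browser
# string or country on a session that is minutes old is far harder to explain away.
WEIGHTS = {"ip": 1, "ua": 2, "geo": 2}
ALERT_THRESHOLD = 2


def parse_line(line: str) -> dict:
    """'<ts> k=v k=v ...' -> dict; shlex keeps quoted values such as name="Free video tool"."""
    ts, *fields = shlex.split(line)
    ev = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def detect_session_hijack(lines: Iterable[str]) -> list[dict]:
    """Compare every use of a session cookie with the client that completed the login
    that issued it. Returns one alert per mismatching event, naming the sid to revoke."""
    issued: dict[str, dict] = {}  # sid -> client fingerprint recorded at login
    alerts: list[dict] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        sid = ev["sid"]
        if ev["event"] == "login":
            issued[sid] = {k: ev[k] for k in ("user", "ip", "ua", "geo")}
            continue
        if sid not in issued:
            alerts.append({"ts": ev["ts"], "sid": sid, "severity": "high", "event": ev["event"],
                           "reason": "session used without an observed login"})
            continue
        origin = issued[sid]
        changed = [k for k in WEIGHTS if ev[k] != origin[k]]
        score = sum(WEIGHTS[k] for k in changed)
        if score < ALERT_THRESHOLD:
            continue
        # Campaign changes from the foreign client are the malvertising stage itself.
        severity = "high" if ev["event"] == "campaign_create" else "medium"
        alerts.append({"ts": ev["ts"], "sid": sid, "user": origin["user"], "event": ev["event"],
                       "severity": severity, "changed": changed, "score": score,
                       "action": f"revoke session {sid}, reset credentials, review campaigns"})
    return alerts


def sessions_to_revoke(alerts: list[dict]) -> set[str]:
    """Distinct session ids that should be revoked immediately."""
    return {a["sid"] for a in alerts}


if __name__ == "__main__":
    found = detect_session_hijack(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("revoke:", sorted(sessions_to_revoke(found)))  # revoke: ['s1']
```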

What is a reverse proxy phishing kit and why is it harder to detect? A reverse proxy phishing kit sits between you and the legitimate website, forwarding your requests and responses in real time while copying your session credentials as they pass through. Because it communicates with the real site, much of the page content it serves is genuinely from TikTok, making visual detection difficult. Automated security tools that scan URLs for known phishing content are also blocked by the Cloudflare Turnstile CAPTCHA that precedes the phishing page.

If I use Google SSO to log in to TikTok, what is the additional risk? If you authenticate to the phishing page using Google SSO, the reverse proxy may capture the Google session token in addition to the TikTok session token. This gives the attacker access to both accounts simultaneously from a single phishing interaction. Using a separate, dedicated login credential for TikTok for Business eliminates this compounded exposure.

Are small businesses actually targeted, or is this primarily an enterprise threat? This campaign targets any business running TikTok advertising, regardless of size. The lure emails impersonating TikTok for Business policy violations are relevant to any company with an active ad account. Smaller accounts may in some cases be lower priority for sophisticated threat actors, but the infrastructure deployed here suggests an automated, broad-targeting approach rather than selective enterprise targeting.


References

[1] D. Green, "Attackers are now targeting business TikTok accounts using session-stealing phishing kits," Push Security, Mar. 26, 2026. [Online]. Available: https://pushsecurity.com/blog/tiktok-phishing

[2] R. Lakshmanan, "AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion," The Hacker News, Mar. 27, 2026. [Online]. Available: https://thehackernews.com/2026/03/aitm-phishing-targets-tiktok-business.html

[3] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[4] Sprout Social, "TikTok Statistics That Matter to Marketers in 2026," Sprout Social, 2026. [Online]. Available: https://sproutsocial.com/insights/tiktok-stats/

[5] Sublime Security, "Google Careers Impersonation Credential Phishing Scam with Endless Variation," Sublime Security, Oct. 2025. [Online]. Available: https://sublime.security/blog/google-careers-impersonation-credential-phishing-scam-with-endless-variation/

[6] E. Neto, "New BianLian Ransomware Activity Detected: SVG Phishing Campaign," WatchGuard, Mar. 25, 2026. [Online]. Available: https://www.watchguard.com/wgrd-security-hub/secplicity-blog/new-bianlian-ransomware-activity-detected-svg-phishing-campaign

[7] CISA, "Phishing Guidance: Stopping the Attack Cycle at Phase One," CISA, Oct. 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/phishing-guidance-stopping-attack-cycle-phase-one

[8] Push Security, "The State of Identity Attack Surface," Push Security, 2025. [Online]. Available: https://pushsecurity.com/blog/state-of-identity-attack-surface

[9] ACSC, "Business Email Compromise," Australian Cyber Security Centre, 2025. [Online]. Available: https://www.cyber.gov.au/threats/types-cyber-threats/business-email-compromise

[10] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

TL;DR

  • Attackers are sending fake emails to businesses that advertise on TikTok, tricking people into logging in to a fake website that copies their account access in real time.
  • This attack works even if you have two-factor authentication turned on -- it copies the proof that you already logged in, not your password.
  • One stolen account was used to show harmful ads to about 500,000 people before it was caught.
  • You can protect your account with a physical security key, a separate email address just for TikTok, and by not using Google to sign in to TikTok.

What Is Happening to TikTok Business Accounts Right Now?

Imagine you have a key to your house. A normal thief would try to steal the key itself. But a smarter thief stands next to you while you unlock the door, quickly makes a copy of your key as you use it, and then walks away. You had the key the whole time. You never lost it. But they have a working copy now and can come back whenever they want.

That is exactly what is happening to TikTok for Business accounts right now.

Businesses use TikTok for Business to run ads and reach customers. It is a valuable account -- it is connected to a real audience, a real budget, and a real brand. Attackers know this. Starting in late March 2026, security researchers found a campaign specifically designed to steal these accounts [1][2].

The attack starts with an email. It looks like it came from TikTok, warning you about a problem with your account, or it looks like a job offer from Google. You click the link. A short puzzle appears, like a CAPTCHA that asks you to check a box. That puzzle is not there for you -- it is there to stop computer security programs from looking at the page. Once you pass it, a very convincing TikTok login page appears.

You type your username, password, and even your two-factor authentication code. Everything looks normal. But the page is a fake -- a live copy that sends your information straight to the real TikTok while also copying the proof that you just logged in. That proof is called a session cookie. It works like a wristband at an event: once you have it, no one needs to check your ID again.

The attacker now has your wristband. They walk straight into your account.


Why Does This Work Even With Two-Factor Authentication Turned On?

Two-factor authentication (like a code sent to your phone) normally stops most phishing attacks. If someone steals your password but not your phone, they are locked out.

This attack is different because it does not use your password to log in later. It copies the result of your successful login -- the session cookie -- while you are logging in. By the time you see the normal TikTok dashboard, the attacker already has what they need. Your extra security step protected nothing because both steps happened through the fake page before the cookie was copied [1][7].

The only thing that can stop this is a physical security key or passkey. Those are designed to check that the website you are on is the real one before they work. A fake copy of TikTok's login page fails that check, even if it looks identical.


What Do Attackers Do With a Stolen TikTok Account?

They use your trusted account and your existing audience to spread harmful ads and videos. One video in this campaign reached about 500,000 views before it was taken down [1]. Those viewers were shown content pushing malware -- software that steals passwords and financial information from their devices.

Your business account becomes a tool against the people you were trying to reach. Your brand is attached to that damage. And you may also lose access to your Google account at the same time, if you used Google to log in to TikTok [2].


What Can You Do Right Now?

  • Get a physical security key (like a YubiKey) or set up a passkey for your TikTok for Business account. This is the most effective protection against this specific type of attack.
  • Use a separate email address just for your TikTok login -- one that is not published anywhere.
  • Stop using Google to sign in to TikTok for Business. If one account is attacked, you do not want both to fall at once.
  • Before typing your password anywhere, check that the address bar shows business.tiktok.com and nothing else.
  • Know who on your team to call if something looks wrong, and know how to log out all devices from TikTok's account settings.

If you want help setting these protections up for your team, this is the kind of thing worth getting right before an incident happens.

Talk to a security advisor for your business.


FAQ

Can this happen to a small business, or only big companies? This campaign targets any business with an active TikTok advertising account, regardless of size. The fake emails are sent broadly and the attack is largely automated. A small account is a smaller prize, but it is still a usable tool for pushing malware to your audience and spending your ad budget on fraudulent content.

If I already have two-factor authentication, am I protected? Standard two-factor authentication -- such as a six-digit code from an app or a text message -- does not protect against this specific attack. The fake login page passes your code to the real site in real time and captures the result. A hardware security key or passkey is needed because those verify the actual website address before they work, and a fake page cannot pass that check.

How would I know if my account has already been taken over? Log in to TikTok for Business and check your account settings for active sessions. Look for logins from locations or devices you do not recognize. Also review your active ad campaigns for anything you did not create, and check whether your ad budget has been spent on unfamiliar content. If anything looks wrong, immediately revoke all sessions and update your login credentials.

Is this the only phishing campaign targeting businesses right now? No. A separate campaign discovered the same week uses fake invoice files in SVG format to deliver malware linked to a ransomware group called BianLian [6]. Multiple phishing operations are active at the same time. The defenses for all of them overlap: verify URLs before logging in, use strong authentication methods, and treat unexpected emails with links or attachments as suspicious until confirmed otherwise.


References

[1] D. Green, "Attackers are now targeting business TikTok accounts using session-stealing phishing kits," Push Security, Mar. 26, 2026. [Online]. Available: https://pushsecurity.com/blog/tiktok-phishing

[2] R. Lakshmanan, "AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion," The Hacker News, Mar. 27, 2026. [Online]. Available: https://thehackernews.com/2026/03/aitm-phishing-targets-tiktok-business.html

[3] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[4] Sprout Social, "TikTok Statistics That Matter to Marketers in 2026," Sprout Social, 2026. [Online]. Available: https://sproutsocial.com/insights/tiktok-stats/

[5] Sublime Security, "Google Careers Impersonation Credential Phishing Scam with Endless Variation," Sublime Security, Oct. 2025. [Online]. Available: https://sublime.security/blog/google-careers-impersonation-credential-phishing-scam-with-endless-variation/

[6] E. Neto, "New BianLian Ransomware Activity Detected: SVG Phishing Campaign," WatchGuard, Mar. 25, 2026. [Online]. Available: https://www.watchguard.com/wgrd-security-hub/secplicity-blog/new-bianlian-ransomware-activity-detected-svg-phishing-campaign

[7] CISA, "Phishing Guidance: Stopping the Attack Cycle at Phase One," CISA, Oct. 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/phishing-guidance-stopping-attack-cycle-phase-one

[8] Push Security, "The State of Identity Attack Surface," Push Security, 2025. [Online]. Available: https://pushsecurity.com/blog/state-of-identity-attack-surface

[9] ACSC, "Business Email Compromise," Australian Cyber Security Centre, 2025. [Online]. Available: https://www.cyber.gov.au/threats/types-cyber-threats/business-email-compromise

[10] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation