GTFire Phishing Scheme: Avoiding Detection Using Google Services
ID: cf8495e6-c60f-5e09-bd61-3e48c1f3e5a9
STIX ID: report--cf8495e6-c60f-5e09-bd61-3e48c1f3e5a9
Feed Name: Group-IB Blog
GTFire is a global credential-harvesting phishing campaign that abuses Google Firebase hosting (*.web.app) and Google Translate's site-translation proxy (translate.goog) to hide malicious pages behind legitimate Google-owned domains and evade security controls. Group-IB observed thousands of stolen credentials across 1,000+ organizations in 100+ countries. The report details the redirect flows, the exfiltration of harvested credentials to an All-in-1.php endpoint via Base64-encoded GET requests, victimology, IOCs (e.g., *.web.app hosts wrapped by translate.goog, jnhwzs.fyi, gnpnia.lat), and recommended mitigations such as phishing-resistant MFA and monitoring for brand impersonation.
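The exfiltration pattern and IOC shapes named above can be turned into a simple log check. The following is an added example, not code from the Group-IB report or from the GTFire kit: it scans constructed proxy-log lines for translate.goog-wrapped *.web.app hosts, for the two named exfiltration hosts, and for GET requests to All-in-1.php carrying a Base64-decodable query parameter, decoding that parameter for analyst triage. The query parameter name (`data`), the log line format, the credentials in the sample payloads, and the rule used to unwrap a translate.goog host (dots become hyphens, literal hyphens become double hyphens) are my assumptions, not details taken from the report.

```python
import base64
import re
from urllib.parse import unquote, urlparse

# Hosts and script name taken from the IOCs in the Group-IB summary above.
KNOWN_EXFIL_HOSTS = {"jnhwzs.fyi", "gnpnia.lat"}
EXFIL_SCRIPT = "All-in-1.php"
TRANSLATE_SUFFIX = ".translate.goog"

# Constructed sample proxy log (not real telemetry): "timestamp client_ip method url status".
# The 'data' parameter name and the credentials inside the payloads are illustrative assumptions.
_PAYLOAD_1 = base64.b64encode(b"user=alice@example.com&pass=Hunter2!").decode()
_PAYLOAD_2 = base64.urlsafe_b64encode(b"user=bob@example.org&pass=P@ss/w0rd?").decode()
SAMPLE_LOG = f"""\
2024-05-01T10:00:01Z 10.0.0.12 GET https://example--login-web-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en 200
2024-05-01T10:00:05Z 10.0.0.12 GET https://jnhwzs.fyi/{EXFIL_SCRIPT}?data={_PAYLOAD_1} 200
2024-05-01T10:00:09Z 10.0.0.20 GET https://docs.example.com/index.html 200
2024-05-01T10:00:12Z 10.0.0.31 GET https://gnpnia.lat/{EXFIL_SCRIPT}?data={_PAYLOAD_2}&id=1234 200
"""


def unwrap_translate_goog(host):
    """Recover the origin host behind a translate.goog proxy host, or None if not proxied.

    Assumption (my reading of Google Translate's proxy convention, not from the report):
    '.' in the origin host becomes '-', and a literal '-' becomes '--'.
    """
    if not host.endswith(TRANSLATE_SUFFIX):
        return None
    encoded = host[: -len(TRANSLATE_SUFFIX)]
    # Split only on single dashes; a '--' run is a literal dash, not a label boundary.
    labels = re.split(r"(?<!-)-(?!-)", encoded)
    return ".".join(label.replace("--", "-") for label in labels)


def decode_b64_text(value):
    """Decode standard or URL-safe Base64 (padding repaired) to printable text, else None."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (lambda s: base64.b64decode(s, validate=True), base64.urlsafe_b64decode):
        try:
            raw = decoder(padded)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
        return text if text.isprintable() else None
    return None


def query_pairs(query):
    """Split a raw query string into (name, value) pairs without turning '+' into a space
    (parse_qs would do that, which corrupts standard Base64)."""
    pairs = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def analyze_url(url):
    """Return a list of (rule, detail) findings for one URL; empty list if nothing matched."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    origin = unwrap_translate_goog(host)
    if origin is not None:
        findings.append(("translate-goog-proxy", origin))
        if origin.endswith(".web.app"):  # Firebase-hosted page served through Google Translate
            findings.append(("firebase-via-translate", origin))

    if host in KNOWN_EXFIL_HOSTS:
        findings.append(("known-exfil-host", host))

    if parsed.path.rsplit("/", 1)[-1] == EXFIL_SCRIPT:
        findings.append(("all-in-1-request", host))
        for name, value in query_pairs(parsed.query):
            text = decode_b64_text(value)
            if text is not None:  # only printable decodes are surfaced, so 'id=1234' stays quiet
                findings.append(("all-in-1-exfil", f"{name}={text}"))
    return findings


def scan_log(text):
    """Scan lines of the form 'timestamp ip method url status'; return {line_no: findings}."""
    hits = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        findings = analyze_url(fields[3])
        if findings:
            hits[line_no] = findings
    return hits


if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG).items():
        for rule, detail in findings:
            print(f"line {line_no}: {rule}: {detail}")
```

Two points are worth keeping in mind when adapting this to real telemetry: a hit on translate.goog alone is not malicious (users legitimately translate sites), so the useful signal is the unwrapped origin being a *.web.app host or another freshly registered brand-lookalike; and the Base64 decode is deliberately tolerant of missing padding and URL-safe alphabets because kits vary in how they encode the harvested form fields.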
