A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy’s platform for managing fleets of WordPress websites. The threat actor is using an adversary-in-the-middle (AitM) approach where the fake login page acts as a real-time proxy between the victim and the legitimate ManageWP service. ManageWP is a centralized remote administration platform for WordPress websites, enabling users to manage multiple sites from a single panel instead of logging into separate dashboards. Common users include web developers, web agencies managing client sites, and enterprises. Researchers at Guardio Labs warn that the fake result is displayed above the real one for the 'managewp' query, luring users who rely on Google to find the URL for logging into ManageWP. Users clicking on the malicious result are taken to a login page that looks identical to the real one. However, any credentials typed in are delivered to a Telegram channel controlled by the attacker. Unlike the more common phishing pages that capture username and password pairs, the campaign uses a live AiTM setup, as the attacker uses the credentials to log into the platform in real-time. The victim is then served a fake prompt to enter the two-factor authentication (2FA) code, which the threat actor uses to gain access to the ManageWP account. Guardio Labs head researcher Nati Tal told BleepingComputer that each ManageWP account typically hosts hundreds of sites. According to WordPress.org stats, ManageWP’s plugin, which gives the platform control over registered sites, is active on more than 1 million websites. Guardio Labs was able to infiltrate the attacker’s command-and-control (C2) infrastructure and observed a dropdown command system that enables an interactive and operator-driven phishing flow.