Security researchers are raising the alarm over an escalating trend of phishing attacks that exploit Google Accelerated Mobile Pages (AMP) to bypass email security measures and target enterprise employees’ inboxes. Google AMP is an open-source HTML framework jointly developed by Google and 30 partners to enhance mobile web content loading speed. By hosting AMP pages on Google’s servers, certain media elements are pre-loaded, streamlining delivery.
The technique relies on Google’s reputable domain to get past email protection systems and then redirects the victim to a malicious phishing site, with the extra hop also disrupting analysis. Cofense, an anti-phishing protection company, reports a significant surge in phishing attacks utilizing AMP URLs, peaking around mid-July, indicating the method’s adoption by threat actors.
Notably, around 77% of observed Google AMP URLs were hosted on google.com, while 23% were hosted on google.co.uk, and the “google.com/amp/s/” path was common in all cases. Although blocking this path could affect legitimate use cases of Google AMP, flagging suspicious URLs seems an appropriate measure to warn recipients about potential malicious redirections.
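One way to flag such links rather than block them, shown as an added example that is not Cofense's or Google's code: it pulls URLs out of a message body, picks those on the two reported hosts under the "/amp/s/" path, and reports the host each one forwards to. It assumes the forwarding host is the first path segment after "/amp/s/"; the `KNOWN_DESTINATIONS` allowlist and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts the article reports for the observed AMP URLs (with and without "www.").
AMP_HOSTS = {"google.com", "www.google.com", "google.co.uk", "www.google.co.uk"}
AMP_PREFIX = "/amp/s/"
# Assumption: destinations this organisation expects to see behind AMP links.
KNOWN_DESTINATIONS = {"news.example.org"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def amp_destination(url):
    """Return the host a Google AMP URL forwards to, or None if it is not one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path)  # normalise percent-encoding before matching
    if host not in AMP_HOSTS or not path.lower().startswith(AMP_PREFIX):
        return None
    first_segment = path[len(AMP_PREFIX):].split("/", 1)[0].lower()
    # Drop any userinfo or port so only the hostname is compared.
    dest = first_segment.rsplit("@", 1)[-1].split(":", 1)[0]
    return dest or None


def flag_amp_links(body):
    """Return (url, destination) pairs that should carry a warning banner."""
    flagged = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(").,;")
        dest = amp_destination(url)
        if dest and dest not in KNOWN_DESTINATIONS:
            flagged.append((url, dest))
    return flagged


# Constructed sample message body (not taken from a real campaign).
SAMPLE_BODY = """
Your mailbox is almost full: https://www.google.com/amp/s/login.portal-example.test/verify?id=1
Weekly digest: https://www.google.co.uk/amp/s/news.example.org/story.html
Search help: https://www.google.com/search?q=amp
HTML part: <a href="https://google.com/amp/s/files.example.net/share">Open</a>
"""

if __name__ == "__main__":
    for url, dest in flag_amp_links(SAMPLE_BODY):
        print(f"FLAG {dest:28} via {url}")
```

The allowlisted digest link and the ordinary search link pass untouched, which keeps legitimate AMP use working while the two unknown destinations are surfaced for a warning.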
Phishing actors abusing the Google AMP service employ additional techniques to evade detection and boost their success rate. For instance, they use image-based HTML emails instead of traditional text bodies to confound text scanners searching for typical phishing terms in content.
Additionally, they implement an extra redirection step by exploiting a Microsoft.com URL to redirect victims to a Google AMP domain before reaching the actual phishing site. Furthermore, attackers utilize Cloudflare’s CAPTCHA service to thwart automated analysis by security bots, preventing their phishing pages from being accessed and analyzed.
The escalating sophistication of phishing attacks utilizing Google AMP underscores the need for heightened awareness and vigilance among enterprise employees and individuals alike. As attackers find new ways to bypass security measures, organizations must stay informed about evolving threats and invest in robust email security solutions to safeguard sensitive information and protect against potential breaches.