Cofense has uncovered a highly strategic phishing campaign. This campaign leverages Google Apps Script for its attacks. Google Apps Script is a legitimate development platform. It is used here to host deceptive phishing pages. The attack masquerades as a seemingly urgent invoice email. It expertly exploits users’ inherent trust in Google. This is done to trick recipients into divulging information. Malicious content is embedded within script[.]google[.]com. This creates a strong illusion of authenticity. It effectively bypasses typical user suspicion. This represents an insidious form of social engineering today.
The attack typically begins with a seemingly innocuous email. This email spoofs the domain of a legitimate company. The spoofed company deals in disability and health equipment. The email presents itself as an urgent invoice needing action. Its minimalistic design and ambiguous content are deliberate. These features aim to evoke stress or strong curiosity. This prompts recipients to click the embedded link quickly. They often do so without much hesitation or thought. Short emails like these are also less likely to fail.
They often bypass standard spam filters more easily. They also tend to reveal fewer tell-tale errors.
Upon clicking the link, victims are then redirected. They land on a fake invoice page. This deceptive page is hosted on Google’s own platform. A subtle “Preview” button entices further user interaction. Clicking this button subsequently unveils a fraudulent login window. It is meticulously crafted to mimic a legitimate portal. The use of Google’s domain instills a false sense of security. Attackers exploit the common mindset: “it’s Google, so it must be safe.” This aids them in harvesting email credentials and passwords. Entered credentials are then captured via a PHP script. They are transmitted directly to the attacker. The user is then seamlessly redirected to a genuine Microsoft login page.
This redirection tactic is a clever move by attackers.
It effectively delays detection of the compromise. This potentially allows attackers to infiltrate sensitive systems. Such infiltration can lead to serious data breaches. Financial losses are also a possible outcome. The campaign exemplifies how legitimate platforms are repurposed. They are used for malicious intent by cybercriminals. This blurs the lines between safe and unsafe digital interactions. It highlights the critical need for heightened user vigilance. Even trusted domains can now serve as conduits for cybercrime. Organizations must prioritize robust employee education on these threats. Adopting strong phishing detection solutions is also vital.
Reference:
