Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google Apps Script, a legitimate development platform within Google’s ecosystem, to host deceptive phishing pages.

This attack, masquerading as an invoice email, exploits the inherent trust users place in Google’s trusted environment to trick recipients into divulging sensitive information.

A Sophisticated Phishing Campaign

By embedding malicious content within a reputable domain like script[.]google[.]com, threat actors craft an illusion of authenticity that bypasses typical suspicion, making this a particularly insidious form of social engineering.

[Image: Google Apps Script phishing page]

This campaign underscores the growing sophistication of cybercriminals who are increasingly weaponizing tools from trusted tech giants to execute their schemes.

According to the Cofense Phishing Defense Center report, the attack begins with a seemingly innocuous email, spoofing the domain of a legitimate company dealing in disability and health equipment, presenting itself as an urgent invoice.

The minimalistic design and ambiguous content of the email are deliberate, aiming to evoke stress or curiosity and prompt recipients to click on the embedded link without hesitation.

How the Attack Unfolds and Exploits Trust

Short emails like these are less likely to trigger spam filters or reveal errors that might otherwise expose the scam.

Upon clicking the link, victims are directed to a fake invoice page hosted on Google’s platform, where a subtle “Preview” button entices further interaction.

[Image: Google Apps Script fake invoice page]

Clicking this button unveils a fraudulent login window, meticulously crafted to mimic a legitimate authentication portal.

The use of Google’s domain instills a false sense of security, exploiting the mindset of “it’s Google, so it must be safe,” which attackers rely on to harvest email credentials and passwords.

Once entered, these credentials are captured via a PHP script and transmitted to the attacker, after which the user is seamlessly redirected to a genuine Microsoft login page to avoid suspicion.

This redirection tactic is a clever move to delay detection, potentially allowing attackers to infiltrate sensitive systems, leading to data breaches or financial losses.
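A defender-side check for the lure pattern described above (an added example, not Cofense’s code or anything from the campaign): it flags proxy-log URLs that are Google Apps Script web-app URLs carrying a Microsoft/Office brand string in the query or fragment, the shape of the Infection URL in the IOC table below. The proxy log format, user names and script ids are constructed for the example.

```python
"""Flag Apps Script web-app URLs that carry a Microsoft/Office brand lure.

Added example, not Cofense's code. The lure pattern: a URL on
script.google.com/macros/s/<id>/exec whose query or fragment names a
Microsoft/Office property. Log lines, users and script ids are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

APPS_SCRIPT_PATH = re.compile(r"^/macros/s/[A-Za-z0-9_-]+/exec$")
# Brand strings a legitimately published Apps Script web app has no reason to carry.
BRAND_LURES = ("office365", "outlook", "microsoft", "login.live", "sharepoint")

def refang(url: str) -> str:
    """Undo common defanging (hXXps, [.]) so IOC-style URLs can be classified too."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE).replace("[.]", ".")

def classify(url: str) -> dict:
    """Return a verdict for one URL: hosted-on-Apps-Script flag and brand lures found."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    on_apps_script = host == "script.google.com" and bool(APPS_SCRIPT_PATH.match(parts.path))
    # The lure can sit in a key, a value or the fragment; decode once, compare lowercase.
    tail = unquote(parts.query + " " + parts.fragment).lower()
    lures = sorted({b for b in BRAND_LURES if b in tail})
    return {"url": url, "apps_script": on_apps_script, "lures": lures,
            "suspicious": on_apps_script and bool(lures)}

def scan_proxy_log(lines):
    """Return (timestamp, user, verdict) for suspicious URLs in 'ts user url' lines."""
    hits = []
    for line in lines:
        try:
            ts, user, url = line.split(maxsplit=2)
        except ValueError:
            continue  # malformed line; skip rather than fail the whole scan
        verdict = classify(url)
        if verdict["suspicious"]:
            hits.append((ts, user, verdict))
    return hits

# Constructed sample proxy entries; script ids and the query value are placeholders.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z alice https://script.google.com/macros/s/AKfycPLACEHOLDER/exec?u=outlook.office365.com/Encryption/msi2auth64",
    "2024-05-01T09:12:40Z bob https://script.google.com/macros/s/AKfycINTERNALAPP/exec?report=q2",
    "2024-05-01T09:13:15Z carol https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "2024-05-01T09:14:02Z dave hXXps://script[.]google[.]com/macros/s/AKfycPLACEHOLDER/exec#outlook",
]

if __name__ == "__main__":
    for ts, user, v in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {user} lure={','.join(v['lures'])} {v['url']}")
```

A legitimate internal Apps Script deployment (the `bob` line) is not flagged, so the rule keys on the brand lure rather than on the Google domain alone.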

The campaign exemplifies how legitimate platforms can be repurposed for malicious intent, blurring the lines between safe and unsafe digital interactions.

It highlights the critical need for heightened vigilance, as even trusted domains can serve as conduits for cybercrime.

Organizations must prioritize employee education on recognizing such threats and adopt robust phishing detection solutions like Cofense’s Managed Phishing Detection and Response (MPDR) to counter these evolving tactics in real time.

Indicators of Compromise (IOC)

Type            Details
Infection URL   hXXps://script[.]google[.]com/macros/s/AKfyc…/exec?…outlook[.]office365[.]com/Encryption/msi2auth64
Infection IPs   142.251.16.106, 142.251.16.147, 142.251.16.104, 142.251.16.105, 142.251.16.99, 142.251.16.103
Payload URL     hXXps://solinec[.]com/APi/1YjDl_aUXTsHrhxiufjU0fBe4d2wsameerm3wJl_LX[.]php
Payload IP      167.250.5.66
