GOOGLE APPS SCRIPT EXPLOITED IN ADVANCED PHISHING CAMPAIGNS

A new phishing campaign has been observed leveraging Google Apps Script to deliver deceptive pages designed to extract Microsoft 365 login credentials from unsuspecting users. This method uses a trusted Google platform to lend credibility to malicious links, thereby increasing the likelihood of user interaction and credential theft.

Google Apps Script is a cloud-based scripting language developed by Google that allows users to extend and automate the functions of Google Workspace applications like Gmail, Sheets, Docs, and Drive. Built on JavaScript, this tool is commonly used for automating repetitive tasks, creating workflow solutions, and integrating with external APIs.

In this specific phishing operation, attackers create a fraudulent invoice document, hosted through Google Apps Script. The phishing process typically begins with a spoofed email appearing to notify the recipient of a pending invoice. These emails contain a hyperlink, ostensibly leading to the invoice, which uses the “script.google.com” domain. This domain is an official Google domain used for Apps Script, which can deceive recipients into believing that the link is safe and from a trusted source.

The embedded link directs users to a landing page, which may include a message stating that a file is available for download, along with a button labeled “Preview.” Upon clicking this button, the user is redirected to a forged Microsoft 365 login interface. This spoofed page is designed to closely replicate the legitimate Microsoft 365 login screen, including layout, branding, and user interface elements.

Victims who do not recognize the forgery and proceed to enter their login credentials inadvertently transmit that information directly to the attackers. Once the credentials are captured, the phishing page redirects the user to the legitimate Microsoft 365 login page, creating the illusion that nothing unusual has occurred and reducing the chance that the user will suspect foul play.

This redirection tactic serves two main purposes. First, it completes the illusion that the login attempt was routine, reducing the likelihood that the victim will report the incident or change their password promptly. Second, it hides the malicious intent of the earlier interaction, making it harder for security analysts to trace the event without in-depth investigation.

The abuse of trusted domains such as “script.google.com” presents a significant challenge for detection and prevention mechanisms. Emails containing links to reputable domains often bypass basic email filters, and users are more inclined to trust links that appear to originate from platforms like Google. This type of phishing campaign demonstrates how attackers can manipulate well-known services to bypass conventional security safeguards.

The technical foundation of this attack relies on Google Apps Script’s web app capabilities, which allow developers to create and publish web applications accessible through the script.google.com URL structure. These scripts can be configured to serve HTML content, handle form submissions, or redirect users to other URLs, making them suitable for malicious exploitation when misused.
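Because a reputation check on the domain alone passes these links, a mail-triage rule has to look at the URL path and the lure together. The following is an added example, not code from the original article: it flags messages that pair an invoice lure with a published Apps Script web-app link. The `/macros/s/<id>/exec` path pattern, the keyword list, the verdict names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Apps Script web apps are served at /macros/s/<deployment id>/exec (or /dev).
WEBAPP_PATH = re.compile(r"^/macros/s/[A-Za-z0-9_-]+/(exec|dev)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(invoice|payment|overdue)\b", re.I)  # assumed keyword list

def apps_script_links(text):
    """Return URLs whose host is exactly script.google.com and whose path is a web app."""
    hits = []
    for raw in URL_RE.findall(text):
        try:
            parts = urlsplit(raw.rstrip(".,)"))
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        # Exact host comparison rejects look-alikes such as script.google.com.evil.example
        if host == "script.google.com" and WEBAPP_PATH.match(parts.path):
            hits.append(parts.geturl())
    return hits

def triage(raw_email):
    """Score one RFC 5322 message; verdict names are hypothetical."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    links = apps_script_links(text)
    lure = bool(LURE_RE.search(f"{msg['Subject'] or ''} {text}"))
    verdict = "quarantine" if links and lure else "review" if links else "pass"
    return {"links": links, "lure": lure, "verdict": verdict}

# Constructed sample messages (not taken from the campaign).
PHISH = """From: Billing <billing@vendor.example>
Subject: Pending invoice 4471
Content-Type: text/plain; charset=utf-8

Preview your invoice: https://script.google.com/macros/s/AKfycbCONSTRUCTED_id-123/exec
"""
LOOKALIKE = PHISH.replace("script.google.com/", "script.google.com.files.example/")

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("lookalike", LOOKALIKE)):
        print(name, triage(sample))
```

The look-alike sample returns `pass` only because this rule is scoped to genuine script.google.com web-app links; look-alike hosts are left to ordinary domain reputation controls.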