- Hackers are hosting fake invoices on Google Apps Script, experts warn
- The invoices are sent via email
- Victims are redirected to a fake Microsoft 365 login page
Threat actors have been seen abusing Google Apps Script to launch convincing phishing attacks and steal people’s Microsoft 365 login details.
Cybersecurity researchers Cofense recently spotted one such campaign where Google Apps Script used to host a fake invoice.
First, the crooks would prepare the usual fake invoice phishing email. That email would carry a link to the invoice which, when hovered (or clicked) would point to script[.]google[.]com. That way, the criminals would create a false sense of legitimacy with the victims who might think the invoice was actually coming from Google or a Google-affiliated service.
M365 credentials
Clicking on the link opens a small landing page stating “you have one pending download available” and a “preview” button. #
The button leads to the actual malicious page, which mimics the Microsoft 365 login page, almost to the last detail. Those who don’t spot the trick and try to log in, end up relaying their login credentials straight to the attackers.
To better hide their tracks, the crooks set up the page so that it redirects back to the actual Microsoft 365 site, as soon as the login credentials are provided.
Google Apps Script is a cloud-based scripting platform that lets users automate tasks and extend Google Workspace apps like Gmail, Docs, Sheets, and Drive using JavaScript.
For example, a teacher could have a Google Sheets file with student grades, and by using Google Apps Script, they would be able to send personalized emails automatically, saving hours of manual work.
“Phishing emails like these are a good example of how attackers take advantage of legitimate domains to make their scams look more convincing,” Cofense’s researchers warned. “It is important to stay vigilant and educate employees about the risk of phishing attacks.”
Leave a comment