GOOGLE APPS SCRIPT EXPLOITED IN ADVANCED PHISHING CAMPAIGNS


A new phishing campaign has been observed leveraging Google Apps Script to deliver deceptive content designed to extract Microsoft 365 login credentials from unsuspecting users. The method uses a trusted Google platform to lend credibility to malicious links, thereby increasing the likelihood of user interaction and credential theft.

Google Apps Script is a cloud-based scripting language developed by Google that allows users to extend and automate the functions of Google Workspace applications such as Gmail, Sheets, Docs, and Drive. Built on JavaScript, the tool is commonly used for automating repetitive tasks, creating workflow solutions, and integrating with external APIs.

In this particular phishing operation, attackers create a fraudulent invoice document, hosted through Google Apps Script. The phishing process typically begins with a spoofed email that appears to notify the recipient of a pending invoice. These emails contain a hyperlink, ostensibly leading to the invoice, which uses the “script.google.com” domain. This domain is an official Google domain used for Apps Script, which can deceive recipients into believing that the link is safe and from a trusted source.

The embedded link directs users to a landing page, which may include a message stating that a file is available for download, along with a button labeled “Preview.” On clicking this button, the user is redirected to a forged Microsoft 365 login interface. This spoofed page is designed to closely replicate the legitimate Microsoft 365 login screen, including layout, branding, and user interface elements.

Victims who do not recognize the forgery and proceed to enter their login credentials inadvertently transmit that information directly to the attackers. Once the credentials are captured, the phishing page redirects the user to the legitimate Microsoft 365 login site, creating the illusion that nothing unusual has occurred and reducing the chance that the user will suspect foul play.

This redirection technique serves two main purposes. First, it completes the illusion that the login attempt was routine, reducing the likelihood that the victim will report the incident or change their password promptly. Second, it hides the malicious intent of the earlier interaction, making it harder for security analysts to trace the event without in-depth investigation.

The abuse of trusted domains such as “script.google.com” presents a significant challenge for detection and prevention mechanisms. Emails containing links to reputable domains often bypass basic email filters, and users are more inclined to trust links that appear to come from platforms like Google. This type of phishing campaign demonstrates how attackers can manipulate well-known services to bypass conventional security safeguards.

The technical foundation of this attack relies on Google Apps Script’s web app capabilities, which allow developers to create and publish web applications accessible through the script.google.com URL structure. These scripts can be configured to serve HTML content, handle form submissions, or redirect users to other URLs, making them suitable for malicious exploitation when misused.
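
A mail-triage check for the pattern described above, as an added example that is not part of the original article: it flags links to published Apps Script web apps on the genuine script.google.com host and escalates when the message also uses invoice wording. The path pattern, the keyword list, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
# Assumption: published web apps use .../macros/.../s/<deployment id>/exec
# (or /dev for test deployments), including Workspace-domain variants.
WEBAPP_RE = re.compile(r"/macros/(?:.*/)?s/[\w-]+/(?:exec|dev)$")
# Assumption: lure wording to pair with the link; tune to your own mail flow.
LURE_RE = re.compile(r"\b(?:invoice|billing|payment)\b", re.IGNORECASE)


def apps_script_links(text):
    """Return links in text that point at a published Apps Script web app."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?")  # drop sentence punctuation glued to the link
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        # hostname is lower-cased and excludes userinfo and port, so
        # script.google.com.example.net or user@host forms do not match.
        if host == "script.google.com" and WEBAPP_RE.search(parts.path):
            hits.append(url)
    return hits


def triage(subject, body):
    """Return (verdict, links): 'pass', 'tag', or 'hold-for-review'."""
    links = apps_script_links(body)
    if not links:
        return "pass", links
    lure = LURE_RE.search(subject + " " + body)
    return ("hold-for-review" if lure else "tag"), links


# Constructed sample messages (subject, body); not real campaign data.
SAMPLES = [
    ("Invoice pending", "Your invoice is ready: "
     "https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec."),
    ("Team form", "Please fill in "
     "https://Script.Google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec today"),
    ("Invoice", "See https://script.google.com.example.net/macros/s/abc/exec"),
    ("Docs", "Reference: https://script.google.com/home"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", triage(subject, body))
```

Because legitimate teams also publish Apps Script web apps, the link alone only earns a tag; the hold verdict requires the invoice lure as a second signal.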
