Google Apps Script Exploited in Advanced Phishing Campaigns
A new phishing campaign has been observed leveraging Google Apps Script to deliver deceptive content designed to extract Microsoft 365 login credentials from unsuspecting users. This technique uses a trusted Google platform to lend credibility to malicious links, thereby increasing the likelihood of user interaction and credential theft.
Google Apps Script is a cloud-based scripting language developed by Google that allows users to extend and automate the functionality of Google Workspace applications such as Gmail, Sheets, Docs, and Drive. Built on JavaScript, this tool is commonly used for automating repetitive tasks, creating workflow solutions, and integrating with external APIs.
In this particular phishing operation, attackers create a fraudulent invoice document, hosted through Google Apps Script. The phishing process typically begins with a spoofed email appearing to notify the recipient of a pending invoice. These emails contain a hyperlink, ostensibly leading to the invoice, which uses the “script.google.com” domain. This domain is an official Google domain used for Apps Script, which can deceive recipients into believing that the link is safe and from a trusted source.
The embedded link directs users to a landing page, which may include a message stating that a file is available for download, along with a button labeled “Preview.” Upon clicking this button, the user is redirected to a forged Microsoft 365 login interface. This spoofed page is designed to closely replicate the legitimate Microsoft 365 login screen, including layout, branding, and user interface elements.
Victims who do not recognize the forgery and proceed to enter their login credentials inadvertently transmit that information directly to the attackers. Once the credentials are captured, the phishing page redirects the user to the legitimate Microsoft 365 login site, creating the illusion that nothing unusual has occurred and reducing the chance that the user will suspect foul play.
This redirection technique serves two main purposes. First, it completes the illusion that the login attempt was routine, reducing the likelihood that the victim will report the incident or change their password promptly. Second, it hides the malicious intent of the earlier interaction, making it harder for security analysts to trace the event without in-depth investigation.
The abuse of trusted domains such as “script.google.com” presents a significant challenge for detection and prevention mechanisms. Emails containing links to reputable domains often bypass basic email filters, and users are more inclined to trust links that appear to come from platforms like Google. This type of phishing campaign demonstrates how attackers can manipulate well-known services to bypass conventional security safeguards.
The technical foundation of this attack relies on Google Apps Script’s web app capabilities, which allow developers to create and publish web applications accessible via the script.google.com URL structure. These scripts can be configured to serve HTML content, handle form submissions, or redirect users to other URLs, making them suitable for malicious exploitation when misused.
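
A detection sketch for the filtering gap described above, added here as an example and not taken from the campaign report: instead of trusting links by domain reputation, it flags inbound messages whose links point at Apps Script web apps and escalates when invoice-lure wording is also present. The keyword list, verdict names, and sample messages are assumptions constructed for illustration, and the deployment ID is a placeholder.

```javascript
// Added example. Sample messages are constructed; the deployment ID is a placeholder.
const LURE_WORDS = ["invoice", "payment", "overdue", "pending"]; // assumed keyword list

const SAMPLES = [
  { subject: "Pending invoice",
    body: "Preview your file: https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec" },
  { subject: "Team tool",
    body: "Internal form: https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec" },
  { subject: "Invoice attached",
    body: "See https://www.example.com/billing for details" },
];

// Pull http(s) URLs out of a plain-text or HTML body.
function extractUrls(body) {
  return body.match(/https?:\/\/[^\s"'<>)]+/gi) || [];
}

// True only for an exact script.google.com host with the /macros/ path that
// deployed Apps Script web apps use. Parsing the URL (not substring matching)
// keeps look-alikes such as script.google.com.example.net from matching.
function isAppsScriptWebApp(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return u.hostname === "script.google.com" && u.pathname.startsWith("/macros/");
  } catch {
    return false; // unparsable URL
  }
}

// Verdicts (hypothetical names): "pass", "review" (Apps Script link only),
// "quarantine" (Apps Script link plus invoice-lure wording).
function triageMessage(msg) {
  const links = extractUrls(msg.body).filter(isAppsScriptWebApp);
  const text = `${msg.subject} ${msg.body}`.toLowerCase();
  const lures = LURE_WORDS.filter((w) => text.includes(w));
  let verdict = "pass";
  if (links.length > 0) verdict = lures.length > 0 ? "quarantine" : "review";
  return { verdict, links, lures };
}

for (const m of SAMPLES) console.log(m.subject, "->", triageMessage(m).verdict);
```

Because legitimate Apps Script web apps share the same host, the "review" verdict is meant to route a message to an analyst or a link-detonation step, not to block it outright.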