In the ever-developing world of cybercrime, attacks keep advancing in ways that are not expected or even considered. Recently, cyber-criminals have found a new enterprising avenue: convincing email phishing scams that abuse Google Docs and Drive functionality, allowing them to bypass security filters.
Phishing is the Word
Avanan, an email security vendor, reported that this is among the first instances of this technique being deployed on Google’s popular services. A victim receives an email containing what looks like a genuine Google Docs link, which takes the user to a page hosting what appears to be a Word document.
The ‘Google Doc’ page in question looks familiar to anyone who uses Docs to share files inside and outside their organization, but it is a custom HTML page built to closely resemble the real thing.
The attacker expects the victim to click to download the document; doing so redirects the victim to a malicious phishing website, where their credentials are stolen by a webpage posing as a Google login portal.
Simple Task to Execute
This attack is among the simplest to execute: the attacker creates an HTML page carefully crafted to pose as the Google Docs sharing page and uploads it to Google Drive.
A simple right-click to open the Google Doc, followed by embedding it and publishing it to the web, is as far as the attacker has to go; Google then does the hard work of generating the link that renders the full HTML file. This follows on from similar attacks in which DocuSign documents were spoofed by taking the user to a fake page posing as the DocuSign login.
The benefit attackers gain from this technique is the ability to bypass static link scanners used by legacy security products. AI-based tools have a better shot at spotting this malicious or suspicious behaviour.
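To make the static-scanner weakness concrete, here is an added illustrative check that is not part of the original article or Avanan's tooling: it contrasts a domain-only link check (which passes a docs.google.com link) with inspecting the rendered page for links or form actions that leave Google's domains. The trusted-host list, the URL shape of the published Doc link, and the sample HTML are all assumptions constructed for the example.

```python
"""Defender-side check for the lure described above: a static scanner only sees a
docs.google.com link and passes it; this toy inspects the HTML the published Doc
renders and flags links or form actions that leave Google's domains."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: first-party hosts considered legitimate on a Docs share page.
TRUSTED_SUFFIXES = ("google.com", "googleusercontent.com", "gstatic.com")

class _LinkCollector(HTMLParser):
    """Collect navigation and form-submission targets from a rendered page."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form", "iframe"):
            for key, value in attrs:
                if key in ("href", "action", "src") and value:
                    self.targets.append((tag, key, value))

def is_trusted(url):
    """True if the URL's host is a trusted suffix or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def static_scan_passes(email_link):
    """What a legacy static link scanner decides: trusted domain, email passes."""
    return is_trusted(email_link)

def find_external_targets(html):
    """Return (tag, attr, url) for absolute http(s) targets outside trusted hosts."""
    collector = _LinkCollector()
    collector.feed(html)
    return [t for t in collector.targets
            if urlparse(t[2]).scheme in ("http", "https") and not is_trusted(t[2])]

# Constructed sample (not a captured page): the email link is on docs.google.com,
# but the rendered page's "Download" button and form send the reader off-Google.
EMAIL_LINK = "https://docs.google.com/document/d/e/EXAMPLE-ID/pub"
RENDERED_HTML = """<html><body>
<div class="docs-header">Shared with you: Q3_Report.docx</div>
<a href="https://docs.google.com/document/d/e/EXAMPLE-ID/pub">Open in Docs</a>
<a href="https://accounts-login.example.net/signin">Download</a>
<form action="https://accounts-login.example.net/verify" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    print("static scanner passes email link:", static_scan_passes(EMAIL_LINK))
    for tag, key, url in find_external_targets(RENDERED_HTML):
        print(f"FLAG <{tag} {key}> leaves Google: {url}")
```

A real mail gateway would fetch the rendered page in a sandbox before applying `find_external_targets`; the point here is that the verdict must come from what the link renders, not from the link's domain alone.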
Email Poses Extreme Risk
As email phishing scams continue to be a growing threat in 2021, 91% of cyber-threats have come from email links.
The projected damage to corporate security is a major concern with this development, since threat actors gain legitimate login credentials and can discreetly enter a corporate infrastructure undetected. As organizations rely on Google and Microsoft as their main productivity platforms, attackers can build campaigns that exploit those services without detection. This leaves an untold amount of data that they could exfiltrate, with the organization not realising until it is potentially too late.