
In the ever-evolving landscape of cyber threats, attackers are constantly seeking new methods to bypass traditional security measures. One increasingly prevalent technique involves exploiting legitimate services to host and deliver malicious content. A notable example is the use of Google Apps Script (GAS) in evasive phishing campaigns.
Phishing, a primary vector for cyberattacks, relies on deceiving users into revealing sensitive information or downloading malicious files. While security systems have improved at detecting known phishing indicators like malicious URLs or attachments in emails, threat actors are adapting.
Using Google Apps Script, attackers can create seemingly harmless links that route victims through Google's own infrastructure. A common tactic is to deploy a GAS project as a web app and use it purely as a redirector. The email contains a link to a page on Google's script.google.com domain (deployed web apps live under paths of the form script.google.com/macros/s/<deployment-id>/exec). When the victim clicks it, the script runs on Google's side and returns a page that sends the browser on to the actual phishing site or to a page hosting a malicious payload.
This approach offers several advantages for attackers. Firstly, the initial link points to a trusted Google domain, which is less likely to be flagged by email filters or web security gateways that rely on reputation scoring or blacklists. Secondly, the malicious URL is often hidden behind the script, making it harder for security tools to statically analyze the threat from the email content alone. The dynamic nature of the script can even be used to vary the final destination URL or payload, making detection more complex.
Furthermore, Google Apps Script can be used to host content or even to collect stolen data. Attackers can serve malicious HTML pages, JavaScript, or other files directly from the script environment or from linked Google Drive files. In some cases the GAS web app itself receives the data a victim enters on the phishing page and forwards it to an attacker-controlled destination, so the attacker never has to operate a web server of their own: the only server the victim talks to is Google's.
Identifying these evasive phishing attacks requires vigilance. Users should be cautious of unsolicited emails, even those that appear to come from known contacts or organizations. Hovering over a link (without clicking) can reveal that it points at script.google.com, and a script.google.com/macros/ URL in a message that has nothing to do with Apps Script should be treated as a red flag. Security vendors are also developing techniques that analyze the behavior of pages reached through redirects, including those that originate from trusted services like Google Apps Script, rather than judging a link by its first hop alone.
Defending against such tactics involves a multi-layered approach:
- User education: Training users to recognize the signs of phishing, including unexpected redirects or requests for sensitive information.
- Email security: Implementing email filters that follow a link past its first hop (for example by resolving the redirect chain at click time) and scan for indicators of malicious activity inside seemingly legitimate services, rather than trusting a URL because it starts with a Google domain.
- Endpoint security: Using modern endpoint protection that can detect malicious activity resulting from clicking a phishing link, such as the download of suspicious files or unusual network connections.
- Continuous monitoring: Keeping an eye on network traffic for connections to unusual destinations or data exfiltration patterns, even if originating from Google’s infrastructure.
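As an added illustration of the email-security and monitoring points above (this is example code written for this page, not code from the original article or from Google), the following Python scanner flags Apps Script web-app links in an HTML email body, reports when the visible link text names a different domain than the real href, and tags Apps Script web-app requests in a proxy log. The email body, the deployment ID, the domain names and the one-line proxy log format are all constructed for the example; the only real detail assumed is the script.google.com/macros/.../exec URL shape of deployed Apps Script web apps.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host used by deployed Apps Script web apps (real); extend this list for other
# abused redirector services in your own environment.
GAS_HOST = "script.google.com"
# Path shape of a deployed web app: /macros/s/<deployment-id>/exec (or /dev,
# and /macros/u/<n>/s/... when a specific Google account is selected).
GAS_PATH_RE = re.compile(r"^/macros/(?:s|u/\d+/s)/[A-Za-z0-9_-]+/(?:exec|dev)$")


class _AnchorParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in_text(text):
    """Return the domain a link's visible text claims to point at, if it names one."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def classify_link(href, text=""):
    """Return findings for one link; an empty list means nothing suspicious."""
    findings = []
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if host == GAS_HOST or host.endswith("." + GAS_HOST):
        # A web-app endpoint is what the redirector/credential collector is served from.
        findings.append("gas_webapp_url" if GAS_PATH_RE.match(u.path) else "gas_domain")
    shown = _host_in_text(text)
    if shown and host and shown != host and not host.endswith("." + shown):
        # Visible text says one domain, the real target is another: classic lure.
        findings.append("display_mismatch")
    return findings


def scan_email_html(html):
    """Return [(href, text, findings)] for every suspicious link in an email body."""
    p = _AnchorParser()
    p.feed(html)
    results = []
    for href, text in p.links:
        findings = classify_link(href, text)
        if findings:
            results.append((href, text, findings))
    return results


# Constructed proxy log format for the example: "<timestamp> <user> <method> <url> <status>".
PROXY_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Tag Apps Script web-app traffic: a GET is a visit to the redirector/lure page,
    a POST is data being submitted to the script (the collection case in the text)."""
    hits = []
    for line in lines:
        m = PROXY_LINE_RE.match(line)
        if not m or "gas_webapp_url" not in classify_link(m["url"]):
            continue
        tag = "gas_form_submission" if m["method"] == "POST" else "gas_webapp_visit"
        hits.append((m["user"], m["method"], m["url"], tag))
    return hits


# Constructed sample inputs (not real campaign data).
SAMPLE_EMAIL = """<p>Your invoice is ready for review.</p>
<a href="https://script.google.com/macros/s/AKfycbxExampleDeploymentId/exec">https://docs.example-corp.com/invoice</a>
<a href="https://www.example-corp.com/help">Help</a>"""

SAMPLE_PROXY_LOG = [
    "2024-05-01T10:02:11Z alice GET https://script.google.com/macros/s/AKfycbxExampleDeploymentId/exec 200",
    "2024-05-01T10:02:40Z alice POST https://script.google.com/macros/s/AKfycbxExampleDeploymentId/exec 200",
    "2024-05-01T10:05:00Z bob GET https://www.example-corp.com/help 200",
]

if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE_EMAIL):
        print(f"{href} (shown as '{text}'): {', '.join(findings)}")
    for user, method, url, tag in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{user} {method} {url}: {tag}")
```

The email scanner deliberately keys on the /macros/.../exec path rather than on the bare domain, so a link to a colleague's Apps Script project in the editor does not fire; the proxy scanner treats a POST to such an endpoint as higher severity than a GET, since that is the request shape when a victim submits a form that the script collects.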
As attackers continue to misuse legitimate cloud services like Google Apps Script for evasive phishing, staying informed and implementing strong security practices are paramount to protecting against these sophisticated threats.
Source: https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-apps-script-in-evasive-phishing-attacks/