- The pirates host false invoices on the Google Apps script, warn the experts
- Invoices are sent by email
- The victims are redirected to a false Microsoft 365 connection page
The threat actors were seen abusing the Google Apps script to launch convincing phishing attacks and steal people’s connection details.
CoFense cybersecurity researchers recently spotted such a campaign where the Google Apps script used a false invoice.
First of all, the crooks would prepare the usual false e-mail of the invoice. This email would carry a link to the invoice which, when it hovered (or click) would point to the script[.]Google[.]com. In this way, criminals would create a false feeling of legitimacy with the victims who might think that the bill really came from Google or a service affiliated with Google.
M365
Click on the link open a small destination page indicating “You have an available waiting download” and a “preview” button. #
The button leads to the real malicious page, which imitates the Microsoft 365 connection page, almost in the last detail. Those who do not spot the trick and do not try to connect, end up relaying their identification information directly to the attackers.
To better hide their tracks, the Crooks configure the page so that it redirect to the real Microsoft 365 site, as soon as the connection identification information is provided.
Google Apps Script is a cloud-based script platform that allows users to automate tasks and extend Google Workspace applications such as Gmail, Docs, Sheets and Drive using JavaScript.
For example, a teacher could have a Google Sheets file with students’ notes, and using the Google Apps script, it could automatically send personalized emails, saving manual work hours.
“Phishing emails like these are a good example of how attackers take advantage of legitimate areas to make their scams more convincing,” warned Cofense researchers. “It is important to remain vigilant and educate employees about the risk of phishing attacks.”
