Cybercriminals targeting businesses have found a way to create convincing phishing emails that abuse Google Docs / Drive to bypass security filters, according to a report from email security provider Avanan. According to the company's researchers, this is the first time such techniques have been used to piggyback on a popular service like Google.
The email received by the intended victims contains a seemingly legitimate link to Google Docs, as Avanan pointed out in a related blog post. Clicking this link takes the user to a Google Docs page that hosts something that looks like a Word document.
Avanan noted the following: "This Google Docs page may seem familiar to those who share Google Docs outside of their organization. However, this is not a legitimate page. It's a custom HTML page created to look like this well-known Google Docs sharing page. Attackers motivate the unsuspecting user to click to download the document. As soon as the victim clicks on this link, he is redirected to the malicious phishing site, where his credentials will be stolen through another website that will look like the Google login portal."
This is quite a simple attack to execute. A malicious coder creates an HTML web page designed to look like a Google Docs sharing page and uploads it to Google Drive.
They then simply right-click the file to open it in Google Docs before embedding it and publishing it on the web. Google does most of the hard work, including creating a link that will yield the full HTML file, Avanan explained.
The company also pointed out that a similar technique has been used to forge a DocuSign document, taking the user to a fake DocuSign login page.
By using Google Docs this way, attackers are more likely to bypass the static link scanners used by many obsolete security products, according to the company. An AI-based tool capable of detecting suspicious behavior should perform better.
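The gap described above can be shown in a short added example, which is not from Avanan or the original article: a reputation-only link check passes any URL on a trusted host, while a check that also inspects the hosted page flags outbound links leaving the allowlist. The allowlist, URLs and HTML below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for illustration; real products keep their own reputation data.
TRUSTED_HOSTS = {"docs.google.com", "drive.google.com"}

def static_link_verdict(url):
    """Reputation-only check: allows the link if its host is allowlisted."""
    return "allow" if urlparse(url).hostname in TRUSTED_HOSTS else "block"

class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in the hosted page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def content_verdict(url, landing_html):
    """Second stage: inspect the page behind a trusted link and send it
    for review when it links out to hosts that are not on the allowlist."""
    if static_link_verdict(url) == "block":
        return "block", []
    collector = _LinkCollector()
    collector.feed(landing_html)
    offsite = []
    for href in collector.hrefs:
        host = urlparse(href).hostname  # None for relative links
        if host and host not in TRUSTED_HOSTS:
            offsite.append(href)
    return ("review" if offsite else "allow"), offsite

# Constructed sample input: the path and the off-site host are placeholders.
EMAIL_LINK = "https://docs.google.com/EXAMPLE-PLACEHOLDER-PATH"
LANDING_HTML = (
    "<html><body><h1>Shared document</h1>"
    '<a href="https://login.example.net/signin">Download document</a>'
    "</body></html>"
)

if __name__ == "__main__":
    print("static scanner :", static_link_verdict(EMAIL_LINK))
    print("content check  :", content_verdict(EMAIL_LINK, LANDING_HTML))
```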
It is noteworthy that phishing remains the top threat vector for today's cybercriminals. Of the 62.6 billion cyber-threats identified by Trend Micro last year, more than 91% were sent via email.
Hank Schless, Senior Director of Security Solutions at Lookout, argued that phishing attacks, such as these, could seriously affect corporate cybersecurity.
He also noted the following: "Malicious agents know that stealing legitimate login credentials is the best way to discreetly invade an organization's infrastructure. As most organizations use either Google Workspace or Microsoft 365 as their primary productivity platform, attackers run phishing campaigns that specifically exploit these services. Once they have the login credentials and can connect to the cloud platform they have chosen to create their malicious campaign, there is no limit to the amount and type of data they could steal."
Source of information: info-securitymagazine.com