Hackers Using Google Docs to Host Phishing Attacks
Hackers found using Google Docs to host attacks within the web-based document service in a new phishing campaign. The campaign delivers malicious links in an attempt to steal victims’ credentials. By hosting the campaigns in Google Docs, hackers can bypass link scanners and avoid detection from common security protections that scan links sent via email. Hackers have used this method before in smaller services such as MailGun, FlipSnack, and Movable Ink. Researchers at email security firm Avanan discovered the campaign being used in Google Docs.
The attack starts with an email that includes a message that looks to be relevant to users who use Google Docs within their corporate environment. If a user clicks on the link, the victim is sent to a custom HTML page that looks like the familiar Google Docs share page. Once redirected, potential victims are asked to “click here” to download the document. When the user clicks, the page redirects to the actual malicious phishing website, which steals the victim’s credentials using another web page made to look like the Google Login portal.
The attack involves a hacker creating a web page that looks like a Google Docs sharing page, and uploading the HTML file to Google Drive. Once the file is scanned, Google renders the HTML into a preview page that looks like a typical Google Docs page. The hacker then right-clicks on the uploaded file to open it in Google Docs. If you just click “Get link,” you only see the source code, not the rendered version. By manipulating Google Docs, hackers can successfully render the malicious page rather than deliver a page with just source code to the potential victim.
Avanan researchers also spotted the same method used to spoof DocuSign phishing emails. In that case, the “View Document” button was a published Google Docs link that was a fake DocuSign login page that would transmit the entered password to a hacker-controlled server by a “Log In” button.
Phishing remains the top threat, of the 62.6 billion cyber-threats detected by Trend Micro last year, over 91% were sent via email. Hackers know that stealing login credentials is the best way to infiltrate an organization’s infrastructure. Since most organizations use either Google Workspace or Microsoft 365 as their main productivity platform, hackers are building phishing campaigns that specifically exploit those services. Once hackers have the login credentials and can log, there’s no limit to what data they could steal.