Cyber security researchers from Avanan have recently identified a concerning phishing campaign that leverages Google Apps Script macros – a tool used to automate tasks in Google applications.

Campaign overview:

The campaign involves approximately 360 emails written in multiple languages, including English, Russian, Chinese, Arabic, Italian, German and French. The emails falsely claim to provide “account details” for a user registration that the recipient never initiated.

Should employees fall victim to this email-based scam, risks to organizations include the exposure of sensitive data, the fraudulent transfer of funds, and operational disruption, among other things.

How it works:

The phishing emails feature a link in the subject line that leads to a Google Apps Script page. On the page, users will find a deceptive URL that includes script.google.com.

The URL claims to be a “secure and trusted” payment service. Because the URL appears legitimate, it may deceive users into disclosing sensitive information.

Visual examples:


[Above: Initial phishing email. Image courtesy of Avanan.]

[Above: Example of link to ‘activate account’. Image courtesy of Avanan.]

Detection indicators:

To spot these types of threats, look for emails with subject lines that claim to provide “account details” for an unrecognized registration. URLs that include “script.google.com” but direct users to pages requesting the input of sensitive data are also red flags.
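
A minimal triage check for the two indicators above, as an added example that is not from Avanan or the original post: it flags a message whose subject carries an “account details” lure together with a link whose host is exactly script.google.com. The sample message, the lure phrase list and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

APPS_SCRIPT_HOST = "script.google.com"
# Assumption: English lure only; the campaign also used other languages.
LURE_PHRASES = ("account details",)
URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+", re.IGNORECASE)

# Constructed sample message, not taken from the campaign.
SAMPLE = """\
From: billing@example.org
To: user@example.com
Subject: Your account details https://script.google.com/macros/s/PLACEHOLDER/exec
Content-Type: text/plain; charset=utf-8

Thank you for registering. Activate your account using the link above.
"""

def apps_script_links(text):
    """Return URLs in text whose hostname is exactly script.google.com."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")  # drop sentence punctuation glued to the URL
        host = (urlsplit(url).hostname or "").lower()
        if host == APPS_SCRIPT_HOST:  # exact match, not a substring test
            hits.append(url)
    return hits

def triage(raw_message):
    """Check the subject and body of one RFC 5322 message for both indicators."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")  # policy.default decodes encoded subjects
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    findings = {
        "lure_in_subject": any(p in subject.lower() for p in LURE_PHRASES),
        "links_in_subject": apps_script_links(subject),
        "links_in_body": apps_script_links(body),
    }
    findings["flag"] = findings["lure_in_subject"] and bool(
        findings["links_in_subject"] or findings["links_in_body"])
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason to review the message rather than proof of phishing, since legitimate Apps Script web apps are served from the same host.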

Mitigation strategies:

  • Apply advanced email filtering. This is sophisticated cyber security tooling that employs algorithms and machine learning to identify and filter out phishing emails.

  • Leverage real-time URL scanning tools, which can identify and block links that direct users to malicious pages.

  • Utilize tools that employ AI-powered Natural Language Processing (NLP) to analyze the context and intent of email content.

  • Obtain tooling with built-in AI-powered threat intelligence. This enables organizations to apply the most powerful mitigation measures available at any given time.

  • Implement phishing awareness training so that employees are better able to identify suspicious emails and understand internal reporting best practices.

Further information:

Upon observing this attack, our cyber security researchers responded quickly, creating a signature so that the company’s email security technologies would recognize and immediately block the threat.
