Cyber security researchers from Avanan have recently identified a concerning phishing campaign that leverages Google Apps Script macros – a tool used to automate tasks in Google applications.
Campaign overview:
The campaign involves approximately 360 emails written in multiple languages, including English, Russian, Chinese, Arabic, Italian, German and French. The emails falsely claim to provide “account details” for a user registration that the recipient never initiated.
Should employees fall victim to this email-based scam, risks to organizations include the exposure of sensitive data, the fraudulent transfer of funds, and operational disruption, among other things.
How it works:
The phishing emails feature a link in the subject line that leads to a Google Apps Script page. On the page, users will find a deceptive URL that includes script.google.com.
The URL claims to be a “secure and trusted” payment service. Because the URL appears legitimate, it may deceive users into disclosing sensitive information.
Visual examples:
[Above: Initial phishing email. Image courtesy of Avanan.]
[Above: Example of link to ‘activate account’. Image courtesy of Avanan.]
Detection indicators:
To spot these types of threats, look for emails with subject lines that claim to provide “account details” for an unrecognized registration. URLs that include “script.google.com” but direct users to pages requesting the input of sensitive data are also red flags.
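The two indicators above, turned into a small triage check over raw messages (an added example, not Avanan's signature or code from the original post). The exact-host match on script.google.com, the English-only lure pattern, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from urllib.parse import urlsplit

# Assumptions: Apps Script pages are served from this host, and the English
# lure phrase stands in for the campaign's other languages.
APPS_SCRIPT_HOST = "script.google.com"
SUBJECT_LURE = re.compile(r"account\s+details", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def apps_script_links(text):
    """URLs whose hostname is exactly the Apps Script host (no lookalikes)."""
    urls = [u for u in URL_RE.findall(text)
            if (urlsplit(u).hostname or "").lower() == APPS_SCRIPT_HOST]
    return list(dict.fromkeys(urls))  # de-duplicate, keep order

def triage(raw_message):
    """Score one RFC 5322 message against the two indicators."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded-words so non-ASCII subjects are matched too.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    bodies = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            bodies.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    links = apps_script_links("\n".join([subject, *bodies]))
    lure = bool(SUBJECT_LURE.search(subject))
    # The landing page cannot be inspected offline, so a link alone is "review".
    verdict = "quarantine" if lure and links else "review" if links else "no_match"
    return {"subject_lure": lure, "links": links, "verdict": verdict}

# Constructed sample messages (not taken from the campaign).
PHISH = (
    "From: noreply@sender.example\n"
    "Subject: =?utf-8?q?Account_details?= https://script.google.com/macros/s/EXAMPLE/exec\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Activate: https://script.google.com/macros/s/EXAMPLE/exec\n"
)
LOOKALIKE = (
    "From: noreply@sender.example\n"
    "Subject: Account details\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Activate: https://script.google.com.login.example/exec\n"
)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LOOKALIKE", LOOKALIKE)):
        print(name, triage(raw))
```

Because legitimate Apps Script links also match the host check, a link without the subject lure is only marked for review rather than quarantined.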
Mitigation strategies:
Further information:
Upon observing this attack, our cyber security researchers responded quickly, creating a signature so that the company’s email security technologies would recognize and immediately block the threat.