Phishing via Google Apps Script

Cybersecurity researchers have identified a sophisticated phishing campaign that exploits Google Apps Script, a cloud-based development platform, to host fraudulent websites that harvest user credentials while benefiting from Google’s inherently trusted domain reputation. Security experts from Trellix, Cofense, and Check Point have documented these attacks, which use Google’s infrastructure to circumvent traditional email security filters and link analysis tools that typically trust Google-owned domains.

Attackers leverage Google’s trusted infrastructure to bypass security filters and increase the credibility of their credential-harvesting phishing sites.

The attackers craft fraudulent login screens that closely resemble authentic interfaces, distributing them through malicious emails masquerading as invoices or official communications. These phishing pages, hosted on Google Apps Script URLs, exploit the platform’s integration across Google services to distribute malicious content widely while avoiding detection. The trusted nature of Google’s domain increases the perceived legitimacy of these fraudulent sites, making targets more likely to enter their credentials. With threats evolving at a rate of 400 new threats per minute, traditional security measures struggle to keep pace with these sophisticated attacks.

Notable campaigns have targeted banking, energy, insurance, and investment sectors across Africa, Canada, Europe, the Middle East, and South Asia. Attackers have impersonated high-profile organizations, including Rothschild & Co, particularly targeting financial executives through spear-phishing content designed to achieve persistent access and broader enterprise compromise.

Some campaigns incorporate Google Firebase for more complex attack chains, delivering malware through deceptive pages that may include fake CAPTCHAs or file downloads. The attacks employ multi-stage delivery methods, utilizing Google Apps Script’s remote modification capabilities to update lures post-delivery.

After harvesting credentials, attackers frequently redirect victims to legitimate websites to conceal malicious intent and reduce suspicion. This tactic decreases user awareness and reporting rates, extending the window for credential exploitation. The short emails used in these campaigns are particularly effective at bypassing spam filters while reducing the likelihood of detection through grammar or spelling error analysis.
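The practical defensive takeaway from the chain described above is that "google.com" cannot be treated as a single trust decision: Apps Script web apps are served under the public `script.google.com/macros/...` and `script.googleusercontent.com/macros/...` URL scheme, and mail filters can score those links on their own. The following is an added example, not code from the original article or from any of the vendors it cites. It triages a set of constructed sample messages (not real campaign data) by extracting URLs, flagging Apps Script-hosted links, and raising the score when the message also carries the invoice/payment wording and the very short body the article attributes to these campaigns. The `LURE_WORDS` list and the score thresholds are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for the demo (not real campaign data).
SAMPLE_MESSAGES = [
    {
        "id": "msg-001",
        "subject": "Invoice #48213 due",
        "from": "billing@example-supplier.test",
        "body": "Please review the invoice: "
                "https://script.google.com/macros/s/AKfycbEXAMPLEdeploymentid/exec",
    },
    {
        "id": "msg-002",
        "subject": "Weekly team sync notes",
        "from": "colleague@example.test",
        "body": "Notes are here https://docs.google.com/document/d/EXAMPLE/edit "
                "and the slides from last week are attached as usual.",
    },
    {
        "id": "msg-003",
        "subject": "Payment confirmation",
        "from": "noreply@example-bank.test",
        "body": "Confirm here: https://script.googleusercontent.com/macros/echo?user_content_key=EXAMPLE",
    },
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Assumed lure vocabulary; tune to the finance/invoice themes seen in your own mail flow.
LURE_WORDS = ("invoice", "payment", "remittance", "statement", "document")

# Hosts that serve Apps Script web-app deployments (the /macros/ path is the web-app surface).
APPS_SCRIPT_HOSTS = {"script.google.com", "script.googleusercontent.com"}


def is_apps_script_url(url):
    """True when the URL points at an Apps Script web app rather than a normal Google property."""
    parsed = urlparse(url)
    return parsed.hostname in APPS_SCRIPT_HOSTS and parsed.path.startswith("/macros/")


def score_message(msg):
    """Return a triage record: score (0-100), the reasons, and the Apps Script URLs found."""
    urls = URL_RE.findall(msg["body"])
    script_urls = [u for u in urls if is_apps_script_url(u)]
    findings = []
    if not script_urls:
        return {"id": msg["id"], "score": 0, "findings": findings, "urls": script_urls}

    score = 50                      # assumed base weight for an Apps Script-hosted link
    findings.append("apps-script-hosted link")

    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(word in text for word in LURE_WORDS):
        score += 30
        findings.append("financial lure wording")

    # The article notes these campaigns use very short emails to slip past
    # grammar/spelling analysis, so brevity plus a script link is itself a signal.
    if len(msg["body"].split()) < 25:
        score += 20
        findings.append("short body")

    return {"id": msg["id"], "score": score, "findings": findings, "urls": script_urls}


def triage(messages, threshold=70):
    """Messages at or above the threshold, ready for quarantine or analyst review."""
    return [r for r in (score_message(m) for m in messages) if r["score"] >= threshold]


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(hit["id"], hit["score"], ", ".join(hit["findings"]))
```

Because the check keys on host plus path rather than on the registrable domain, ordinary Docs, Drive and Gmail links are left alone, which is what keeps a rule like this deployable without drowning analysts in false positives on legitimate Google traffic.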

Successful credential theft allows attackers to establish unauthorized access to corporate accounts, facilitate lateral movement, and create persistent backdoors using legitimate remote access tools like NetBird and OpenSSH. Attackers can create hidden local-administrator accounts and allow remote desktop protocol access for ongoing intrusion operations.
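The persistence steps just described leave a recognisable trail in the Windows Security log: a local account creation (event 4720), the same account being added to the built-in Administrators group (event 4732 with group SID S-1-5-32-544), and later a RemoteInteractive logon by that account (event 4624, logon type 10). The following is an added detection example, not code from the article or from any vendor it cites. It correlates constructed sample event records (not from a real host, shaped as a SIEM might normalise them) across those three event IDs and raises an alert when the sequence occurs on one host within the assumed time windows. The field names in the records and the window sizes are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log records (not from a real host). Field names follow
# a simplified SIEM normalisation and are an assumption of this example.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:14:10", "id": 4720, "host": "FIN-WS01", "subject": "j.doe",
     "target": "svc_backup$"},
    {"ts": "2024-05-01T02:14:12", "id": 4732, "host": "FIN-WS01", "subject": "j.doe",
     "member": "svc_backup$", "group_sid": "S-1-5-32-544"},
    {"ts": "2024-05-01T02:20:44", "id": 4624, "host": "FIN-WS01",
     "target": "svc_backup$", "logon_type": 10},
    # Benign: help desk creates a user and adds it to Users (S-1-5-32-545), a day later.
    {"ts": "2024-05-01T09:00:00", "id": 4720, "host": "HR-WS07", "subject": "it.admin",
     "target": "newhire"},
    {"ts": "2024-05-02T09:00:05", "id": 4732, "host": "HR-WS07", "subject": "it.admin",
     "member": "newhire", "group_sid": "S-1-5-32-545"},
]

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
RDP_LOGON_TYPE = 10                           # 4624 logon type 10 = RemoteInteractive (RDP)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _within(later, earlier, window):
    delta = _ts(later) - _ts(earlier)
    return timedelta(0) <= delta <= window


def detect_rogue_local_admins(events, admin_window=timedelta(hours=1),
                              logon_window=timedelta(hours=24)):
    """Alert on: account created -> added to Administrators (quickly) -> optional RDP logon."""
    alerts = []
    for created in (e for e in events if e["id"] == 4720):
        elevated = next(
            (e for e in events
             if e["id"] == 4732
             and e["host"] == created["host"]
             and e.get("member") == created["target"]
             and e.get("group_sid") == BUILTIN_ADMINISTRATORS_SID
             and _within(e, created, admin_window)),
            None,
        )
        if elevated is None:
            continue

        reasons = ["new local account added to Administrators within %s" % admin_window]

        # A trailing '$' is the convention for computer accounts; on an interactive user
        # account it mainly serves to hide the account from `net user` listings.
        if created["target"].endswith("$"):
            reasons.append("account name ends with '$' (hidden from simple listings)")

        rdp_logons = [
            e for e in events
            if e["id"] == 4624
            and e["host"] == created["host"]
            and e.get("target") == created["target"]
            and e.get("logon_type") == RDP_LOGON_TYPE
            and _within(e, created, logon_window)
        ]
        if rdp_logons:
            reasons.append("RDP (logon type 10) logon by the new account")

        alerts.append({
            "host": created["host"],
            "account": created["target"],
            "created_by": created["subject"],
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_local_admins(SAMPLE_EVENTS):
        print(alert["host"], alert["account"], "by", alert["created_by"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The rule deliberately keys on the Administrators group SID rather than the group name, since the display name is localised on non-English systems; the same sequence without the RDP logon still alerts, so tools such as NetBird or OpenSSH that bypass RDP entirely do not hide the account creation itself.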

The dynamic nature of cloud-hosted scripts, combined with obfuscated delivery chains and carefully crafted interfaces that evade user suspicion, presents significant detection challenges for security teams attempting to identify and mitigate these threats. These campaigns have distributed approximately 360 emails across multiple languages including English, Russian, Chinese, Arabic, Italian, German, and French to maximize their global reach.
