Threat actors have discovered a way to abuse Google Apps Scripts to sneak links to malicious websites past phishing defenses.
According to new research from Cofense, a new attack has been discovered where, if an employee clicks on a link in a phishing email, they get taken to a page on script[.]google[.]com. The attacker is betting the user will see and trust the Google brand, and therefore trust the content.
“By using a trusted platform to host the phishing page, the threat actor creates a false sense of security, obscuring the underlying threat with the goal of getting the recipient to enter their email and password without thinking twice,” says the report.
CISOs need to remind employees in regular security awareness training sessions to not let their guard down, and to read every email closely for clues of a scam.
They also need to be reminded that a caution popping up that a message is using a tool from a well-known brand – like Google – is no guarantee that the message is safe.
What is Google Apps Script?
Apps Script is a cloud-based JavaScript platform powered by Google Drive that lets a developer integrate with and automate tasks across Google products. With it, Google says developers can add custom menus, dialogs, and sidebars to Google Docs, Sheets, and Forms; write custom functions and macros for Google Sheets; publish web apps, either standalone or embedded in Google Sites; interact with other Google services, including AdSense, Analytics, Calendar, Drive, Gmail, and Maps; and more.
Threat actors’ abuse of Apps Scripts is another example of a living-off-the-land tactic, using legitimate tools or capabilities for malicious acts against targets. It’s also an example of another favourite tactic, using a well-known brand, such as Microsoft or AWS, to ease security worries of targets.
The attack Cofense came across was an email that included an invoice containing a link to a webpage that uses a Google Apps Script. By spoofing the firm’s domain, the attacker made the message appear to come from a legitimate company that sells disability and health equipment. The message itself [“Hello team. Please see the attached invoice for processing and payment. Kind regards,”] contained minimal information, notes Cofense, relying on its ambiguity to mislead the recipient.
The message may also trigger a warning in a phishing defense application: “This application was created by a Google Apps Script user.” But again, the fact that it has Google’s brand in the warning may cause some to relax.
Of course, to a trained employee, that brevity is also a tip-off that this may be phishing. As well, a general salutation [“Hello team”] should trigger suspicion, even if the recipient handles invoices.
The email has a Preview button the threat actor hopes a curious employee will click on. It triggers a fraudulent login pop-up window – one that’s carefully designed to look legitimate – from the spoofed website. If an employee enters their credentials, they are captured by the threat actor, and a script then automatically redirects the user to a legitimate Microsoft login page.
This evolution of phishing is a response to the widespread security awareness training message that clicking on unknown links is bad, Robert Beggs, head of Canadian incident response firm DigitalDefense, told CSO.
Attack builds on previous tactics
“For the past two to three years, attackers have used a variety of mechanisms to clothe themselves as a legitimate operator,” he said in an email. “For example, they have sent calendar invites with attachments that appear legitimate when you open your calendar. They have intercepted communications channels, such as Microsoft Teams or Zoom, in order to appear as legitimate meeting attendees. The latest attack methodology builds on that new tactical approach.”
Google Apps Scripts may be “trusted,” he said, but to a typical user, there remain multiple red flags in this kind of attack:
- most users are never directed to Google Apps Scripts. The fact that Google is in the name should not create trust if it is a new site to a user;
- if the URL an employee is directed to is long and complex – or obfuscated – that’s a warning sign. Employees need to be reminded that they should be able to understand the full and complete URL a link goes to;
- as in other kinds of phishing attacks, if the email tries to imply a sense of urgency to push the staffer through the pages to the point of entering sensitive access credentials, that’s always a red flag.
“In short, Google Apps Script attacks may bypass local anti-phishing controls,” said Beggs, “however, the information that flags an attack remains present, and diligent users will be able to detect the attempted attack.”
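The red flags listed above lend themselves to a simple mail-triage check. The following is an added example written for this article, not code from Cofense, CSO Online or Google; it assumes the Apps Script link lands on script.google.com (as in the attack described) and uses a constructed sample message modelled on the invoice lure quoted earlier.

```python
import re
from urllib.parse import urlparse

# Hosts that serve Apps Script web apps (assumption: extend for your environment).
APPS_SCRIPT_HOSTS = {"script.google.com"}
# Salutations that address nobody in particular (constructed list).
GENERIC_SALUTATIONS = ("hello team", "dear customer", "hi there", "dear user")
# Urgency phrasing that pushes the reader toward the credential prompt (constructed list).
URGENCY_WORDS = ("immediately", "urgent", "as soon as possible", "within 24 hours")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL that appears in the message text."""
    return URL_RE.findall(text)

def is_apps_script_url(url: str) -> bool:
    """True if the link lands on an Apps Script host (exact host or a subdomain of it)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in APPS_SCRIPT_HOSTS)

def looks_obfuscated(url: str, max_len: int = 80) -> bool:
    """Long, percent-encoded or raw-IP URLs are ones a reader cannot 'understand in full'."""
    host = urlparse(url).hostname or ""
    is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    return len(url) > max_len or "%" in url or is_ip

def triage_email(body: str) -> dict:
    """Score a message body against the red flags; returns each flag plus a total."""
    text = body.lower()
    urls = extract_urls(body)
    flags = {
        "apps_script_link": any(is_apps_script_url(u) for u in urls),
        "obfuscated_url": any(looks_obfuscated(u) for u in urls),
        "generic_salutation": text.lstrip().startswith(GENERIC_SALUTATIONS),
        "urgency": any(w in text for w in URGENCY_WORDS),
        # A lure that says almost nothing beyond 'see the invoice' is itself a tip-off.
        "minimal_body": len(URL_RE.sub("", body).split()) < 25,
    }
    flags["score"] = sum(1 for v in flags.values() if v is True)
    return flags

# Constructed sample modelled on the lure quoted in the article; the deployment ID is a placeholder.
SAMPLE_PHISH = (
    "Hello team. Please see the attached invoice for processing and payment. Kind regards,\n"
    "Preview: https://script.google.com/macros/s/CONSTRUCTED_EXAMPLE_DEPLOYMENT_ID/exec\n"
)

if __name__ == "__main__":
    print(triage_email(SAMPLE_PHISH))
```

A score of two or more on a message carrying an invoice is a reasonable threshold for routing it to a human reviewer rather than the recipient's inbox.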
Original article: Warning: Threat actors now abusing Google Apps Script in phishing attacks | CSO Online