# OK Google, Build Me a Phishing Campaign **[armorblox.com/blog/ok-google-build-me-a-phishing-campaign/](https://www.armorblox.com/blog/ok-google-build-me-a-phishing-campaign/)** [Back](https://www.armorblox.com/blog) ----- Written by [Arjun Sambamoorthy](https://www.armorblox.com/blog/authors/arjun-sambamoorthy) Threat Research / 11.19.20 ----- Google’s mail, workplace productivity, and other business services have helped millions of people simplify and share their work. Open APIs, extensible integrations, and developerfriendly tools mean that entire virtual offices - complete with virtual workflows - can exist in a Google ecosystem. Unfortunately, Google’s open and democratized nature is being exploited by cybercriminals to defraud individuals and organizations of money and sensitive data. The Armorblox threat research team has seen a sharp uptick in attackers using Google services to help them get emails past binary security filters based on keywords or URLs. In this blog, we will outline five targeted phishing campaigns that weaponize various Google services during their attack flow. These attacks are representative but in no way exhaustive they are the tip of a deep iceberg. If successful, these email attacks using Google services could have potentially impacted tens of thousands of mailboxes within Armorblox customer environments alone. ## 1. American Express Credential Phishing ----- **Fig: Summary of the American Express credential phishing attack** ### Attack summary A credential phishing email impersonating American Express Customer Care that informs readers that they left out providing some information while validating their card. The email includes a link where readers can fill in this information and validate their card. ### Google service used The phishing page in the email is hosted on a Google form with a smattering of American Express branding. This fairly long form asks victims for their American Express login credentials, card details, and even their mother’s maiden name (which is a common security question). ----- **Fig: Phishing page for the AmEx attack was hosted on a Google form** Hosting the phishing page on a Google form helps the initial email evade any security filters that block known bad links or domains. Since Google’s domain is inherently trustworthy and Google forms are used for several legitimate reasons, no email security filter would realistically block this link on day zero. ### Other techniques used Impersonation: American Express Customer Care Social engineering: Time-bound request to validate AmEx card by providing personal information ## 2. Benefactor Scam Reconnaissance ----- **Fig: Benefactor scam email with a Google form link** ### Attack summary Cybercriminals impersonate a childless widow who wants to part with large sums of money but has nowhere to disburse it. The email asks people interested to receive money to either click the link in the email or send a reply to the address included in the email body. ### Google service used ----- The link in the email leads to a seemingly empty Google form with an untitled question and one answer option (Option 1). At first glance, it seems the attackers have been lazy or negligent, but this is a common reconnaissance technique employed at the start of targeted email attacks. Many people will feel the email is suspicious after going through the content and visiting this dummy form. But some people will submit the only option allowed by the form, or they will send a reply to the address provided in the email. This allows attackers to shortlist the most naive and emotionally susceptible email recipients, who will be prime targets for follow-up emails from the childless widow. **Fig: Empty Google form used as a reconnaissance technique** Just like the earlier American Express credential phishing attack, hosting the phishing page on a Google form here helps the initial email evade any security filters that block known bad links or domains. ### Other techniques used Impersonation Social engineering: Emotional request from a widow, temptation of large sums of money. ## 3. Security Team Impersonation ### Attack summary Cybercriminals impersonate an organization’s security administrator team with an email that informs readers that they haven’t received some ‘vital’ emails because of a storage quota issue. The mail body includes a link for readers to verify their information and resume email ----- delivery. A snapshot of the email is given below. We have used a fictional organization called Foxtrot to showcase this email. **Fig: Email impersonating the security team with an email delivery failure message** ### Google service used The link in the email leads to a fake login page hosted on Firebase, Google’s mobile platform that enables users to create apps, host files and images, and serve user-generated content. [The parent URL of the page - https://firebasestorage.googleapis.com - won’t be blocked by](https://firebasestorage.googleapis.com/v0/b/te-uriucx-reuines-253.appspot.com/o/%40%40%40indexv-vb-vau-ry-8%252Fbv-yu-er-8F%25252525%2525252F%25252525%2525252F%25252525%2525252F%25252525%2525252F%25252525.html?alt=media&token=7fb7ef8c-0366-44c0-a0e2-a0152de28cdf#PublicRecordsRequest@sanjoseca.gov) any security filters due to its inherent legitimacy. The login screen is simple, with the email address of the victim pre entered into the first field. Imitating ‘quick fill’ techniques used by forms on legitimate websites is commonly used by cybercriminals to lull victims into a false sense of security. ----- **Fig: Phishing page hosted on Firebase Storage** ### Other techniques used Impersonation: security administrator team. Social engineering: Email focuses on failure to deliver ‘vital’ messages and includes a link to resume email delivery. The email body includes negative repercussions for lack of action (failure to verify your email account will lead to suspension and lost data). Link redirections: the URL in the email goes through one redirection before landing on the Firebase hosted page, obfuscating the attack flow for any security technology that attempts to follow the URL to its final destination. ## 4. Payslip Scam ### Attack summary Cybercriminals impersonate an organization’s payroll team and send an email with payslip details to victims. The email points readers to a link for them to check if their personal information for the payslip is accurate. A time-bound request to check the email link adds urgency and is likely to make victims click without thinking. [This is a variant of the more classic payroll diversion fraud, where cybercriminals](https://www.armorblox.com/blog/payroll-fraud-when-direct-deposits-go-rogue) impersonate employees and try to divert payroll funds to their own accounts. ----- **Fig: Payslip scam email with a Google Docs link** ### Google service used The link in the email leads to a page hosted on Google Docs. Since Google Docs is ever present in our daily lives, the average recipient wouldn’t be surprised to see a Google Docs link in an email from a colleague. It won’t be blocked by any email security filter either - not on Day 0, at any rate. Using a Google Doc in this email is meant to trick both the recipient’s eye test and traditional security layers. ----- **Fig: The link in the email leads to a Google Doc that claims to contain payslip** **information** ### Other techniques used Impersonation: Payroll team. Targeted email: The email title and body have the recipient’s name to increase legitimacy. Social engineering: Finance-related email with a time-bound request to take action (check if your personal data is correct by 5pm). Link redirections: The email links to the Google Doc, which further redirects to the final phishing page (which has now been taken down). These redirections obfuscate link detection technologies from identifying the URL as malicious. ## 5. Microsoft Teams Credential Phishing ----- **Fig: Summary of the Microsoft Teams credential phishing attack** ### Attack summary This email claimed to come from the company’s IT team and asked readers to review a [secure message their colleagues had shared over Microsoft Teams, a popular business](https://www.microsoft.com/en-us/microsoft-365/microsoft-teams/group-chat-software) collaboration solution. Clicking the link took the targets to a page resembling Microsoft Teams, which further redirected to the credential phishing site resembling the Office 365 login portal. [Visit this link if you’d like to learn more about this credential phishing attack.](https://www.armorblox.com/blog/blox-tales-microsoft-teams-credential-phishing) ### Google service used The Office 365 login portal was hosted on Google Sites, a wiki and web page creation tool that lowers the skill bar needed to create websites. The malice of the page’s intent was hidden behind the legitimacy of the page’s domain. This page would pass most eye tests during busy mornings (which is when the email was sent out), with people happily assuming it to be a legitimate Microsoft page. ----- **Fig: Phishing page for the Microsoft Teams attack was hosted on Google Sites** ### Other techniques used Impersonation: IT team + Microsoft Teams Social engineering: Request to view ‘secure’ messages sent over Microsoft Teams ## Guidance and Recommendations ### 1. Follow 2FA and password management best practices Since all workplace accounts are so closely interlinked, losing access to your Google account can prove to be very dangerous as cybercriminals send emails in your name to your customers, partners, and loved ones. If you haven’t already, follow these hygiene best practices: Deploy two-factor authentication (2FA) on all possible business and personal accounts. Use a password manager to store your various account passwords. Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc. ----- ### 2. Subject sensitive emails to rigorous eye tests Whenever possible, engage with emails related to money and data in a rational manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. _why is this childless widow willing to send me millions of dollars?)._ ### 3. Create your own lines of authentication You should try to replicate 2FA, even if in a loose sense, for any email that makes unusual requests related to money or data. For example, did your HR rep just email you some payroll details with a Google Doc requesting more information urgently? Call or text the HR rep and confirm that they sent the email. Even if your colleagues are very busy, they will understand and appreciate your caution. ### 4. Augment native email threat detection with additional controls [To augment existing email security capabilities (e.g. Exchange Online Protection for Office](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/exchange-online-protection-overview?view=o365-worldwide) [365 or the Advanced Protection Program for G Suite), organizations should invest in](https://landing.google.com/advancedprotection/) technologies that take a materially different approach to threat detection. Rather than searching through static lists and blocking known bad domains, these technologies should learn from custom organizational data and be able to stop socially engineered threats that contain zero-day payloads like Google Forms, Docs, or pages built on Google Sites. For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below. We promise to only email you useful information. We also promise not to include any Google Docs or Forms in these emails that ask for your personal information, although that should go without saying :-) -----