
Attackers Abuse Google Apps Script to Deploy Phishing Websites


Cybercriminals are increasingly leveraging Google Apps Script, a cloud-based development platform commonly integrated within Google’s suite of business tools, to host malicious phishing websites.

A recent investigation by the Cofense Phishing Defense Center has highlighted this concerning trend, documenting a campaign that cleverly exploits Google’s trusted reputation to target unsuspecting users through fraudulent emails disguised as legitimate business correspondence.

Threat Actors Exploit Trusted Google Infrastructure

The observed attack begins with an innocuous-looking email, expertly masquerading as an invoice notification from a reputable company specializing in disability and health equipment.

The email, minimal and ambiguous in content, is deliberately crafted to trigger urgency and prompt immediate action from the recipient.

By keeping the language vague and the message short, attackers aim to evade spam filters and security controls that are more likely to flag lengthy or error-filled content.

The purported invoice link in the email is the bait: if clicked, the recipient is directed to a webpage hosted on script[.]google[.]com, capitalizing on Google’s ubiquity and perceived legitimacy.

Fake Invoice Pages

Once on the fraudulent Google-hosted page, users are presented with what appears to be a simple invoice interface, replete with a call-to-action “Preview” button.

Fake Invoice Page

The page’s clinical design and trustworthy domain reinforce the illusion of authenticity, leaving few clues to the average user that anything is amiss.

However, clicking the preview button triggers the true nature of the attack: a counterfeit login prompt styled to mirror official sign-in pages.

Here, threat actors rely on users’ trust in Google, betting that few will question the domain’s legitimacy before entering sensitive credentials.

When a user submits their login information, the details are instantly harvested by the attacker via a backend PHP script and subsequently transmitted to an external server under the attacker’s control.

To minimize suspicion, the phishing workflow then redirects victims to a genuine Microsoft login page, completing the illusion and potentially leaving users unaware that their credentials have been compromised.

Phishing Page

According to the report, this campaign demonstrates an evolution in phishing strategies, where attackers systematically exploit the infrastructure and branding of technology giants to lend legitimacy to their scams.

By hosting malicious content within a Google domain, adversaries sidestep many conventional detection mechanisms and social engineering cues that might otherwise warn users.

With access to victim credentials, attackers can infiltrate business systems, exfiltrate data, or launch further attacks with potentially severe financial and reputational consequences.

Security experts emphasize the necessity of ongoing employee awareness training and robust email security solutions.

Services such as Cofense Managed Phishing Detection and Response (MPDR) offer advanced phishing threat identification and mitigation, crucial in a threat landscape where traditional indicators of compromise are frequently masked by trusted services.

Indicators of Compromise (IOC)

Stage | IOC Type      | Value
------|---------------|------------------------------------------------------------------------------
1     | Infection URL | hXXps://script[.]google[.]com/macros/s/AKfyc…/exec?/owa/auth/logon[.]aspx?…
1     | Infection IPs | 142.251.16.106
      |               | 142.251.16.147
      |               | 142.251.16.104
      |               | 142.251.16.105
      |               | 142.251.16.99
      |               | 142.251.16.103
2     | Payload URL   | hXXps://solinec[.]com/APi/1YjDl_aUXTsHrhxiufjU0fBe4d2wsameerm3wJl_LX[.]php
2     | Payload IP    | 167.250.5.66
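The lure described above has a recognisable shape: a script.google.com deployment URL (/macros/s/<id>/exec) followed by a query string that imitates a corporate sign-in path, and a second-stage PHP endpoint on an attacker domain. The following detection script is an added example written for this page, not Cofense's tooling or anything from the report. It refangs the published IOCs, classifies URLs pulled from email or proxy logs, and returns only the ones an analyst should look at. The sample URLs are constructed, and the Apps Script deployment id is a placeholder because the report only shows a truncated value.

```python
"""Flag URLs that match the Google Apps Script phishing pattern described above.

Added example for this page; not the report's or Cofense's code. Sample URLs
are constructed and EXAMPLE_DEPLOYMENT_ID is a placeholder for the truncated
deployment id shown in the IOC table.
"""
import re
from urllib.parse import urlparse, unquote

# Defanged IOCs exactly as published in the report; refanged at runtime.
REPORT_IOCS = {
    "domains": ["solinec[.]com"],
    "ips": ["142.251.16.106", "142.251.16.147", "142.251.16.104",
            "142.251.16.105", "142.251.16.99", "142.251.16.103",
            "167.250.5.66"],
}

# Query-string fragments that imitate a corporate sign-in path. The report's
# lure appended "/owa/auth/logon.aspx" after the "?" of the exec URL.
LOGIN_LURE_TOKENS = ("owa/auth", "logon.aspx", "login", "signin", "sso")

# Path shape of a deployed Apps Script web app.
APPS_SCRIPT_EXEC = re.compile(r"^/macros/s/[A-Za-z0-9_-]+/exec/?$")

# Constructed sample log entries (not from the report).
SAMPLE_URLS = [
    "https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec?/owa/auth/logon.aspx?replaceCurrent=1",
    "https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec",
    "https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit",
    "https://solinec.com/APi/1YjDl_aUXTsHrhxiufjU0fBe4d2wsameerm3wJl_LX.php",
]


def refang(indicator: str) -> str:
    """Turn a defanged IOC (hXXps, [.]) back into a usable string."""
    return (indicator.replace("hXXps", "https")
                     .replace("hXXp", "http")
                     .replace("[.]", "."))


def classify_url(url: str) -> str:
    """Return 'known-ioc', 'apps-script-lure', 'apps-script-exec' or 'clean'.

    'apps-script-lure' means an Apps Script web app whose query string carries
    a sign-in lookalike path, the exact trick used by this campaign.
    'apps-script-exec' is any other deployed Apps Script URL; many are
    legitimate, so it is a lower-priority signal for review rather than a block.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if host in {refang(d) for d in REPORT_IOCS["domains"]}:
        return "known-ioc"

    if host == "script.google.com" and APPS_SCRIPT_EXEC.match(parsed.path):
        query = unquote(parsed.query).lower()
        if any(token in query for token in LOGIN_LURE_TOKENS):
            return "apps-script-lure"
        return "apps-script-exec"

    return "clean"


def scan(urls):
    """Classify each URL and keep only the ones worth an analyst's attention."""
    findings = []
    for url in urls:
        verdict = classify_url(url)
        if verdict != "clean":
            findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS):
        print(f"{verdict:18} {url}")
```

The script deliberately matches on the URL shape rather than on the stage-1 IP addresses: the 142.251.16.x entries are Google front-end addresses shared with legitimate Google services, so blocking them would disrupt normal Workspace traffic. The stage-2 domain and IP, by contrast, belong to the attacker and are safe to add to a blocklist.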
