Yet another phishing campaign impersonates trusted Google services - here's what we know
Google Cloud Application Integration is being abused to generate phishing emails leading victims to fake Microsoft login sites.
(Image credit: weerapatkiatdumrong / Getty Images)
- Attackers abused Google Cloud Application Integration to send phishing emails from legitimate Google domains
- Emails mimicked Google notifications, redirecting victims through trusted services
- Nearly 3,200 businesses targeted; most victims in U.S. manufacturing, tech, and finance sectors
Legitimate Google services are, once again, being abused in phishing attacks, successfully tricking targets into clicking malicious links and giving away their login credentials.
In a newly released report, cybersecurity researchers from Check Point said they’ve seen almost 10,000 emails, being sent to roughly 3,200 businesses in a span of two weeks.
All of the messages were sent from the email account noreply-application-integration@google.com, meaning the attackers were abusing Google Cloud Application Integration.
Targeting manufacturing in the US
This is a managed Google Cloud service that connects applications, APIs, and data sources without needing to write custom code. It lets organizations automate workflows between cloud services, SaaS apps, and internal systems using prebuilt connectors, triggers, and actions. Emails generated through Google Cloud Application Integration often originate from Google-owned infrastructure and domains, meaning they’re sent as part of an automated workflow and can inherit Google’s strong sender reputation.
In phishing campaigns, threat actors can create or compromise a Google Cloud project and configure an integration workflow that sends emails via Gmail APIs or other connected email services. In other words, this is simple abuse - not a breach in Google’s infrastructure.
To make the emails seem even more plausible, the attackers made sure the messages closely followed Google’s notification style, language, and formatting. The most common lures include pending voicemail messages, or notifications about being shared a document.
The link shared in these emails leads to storage.google.cloud.com which is a trusted Google Cloud service. However, it then redirects to googleusercontent.com, where they need to pass a fake CAPTCHA built to block security scanners. Finally, the victims are redirected to a fake Microsoft login page, where they can be tricked into giving away their login credentials.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
