Novel Phishing Attack Abuses Google Drive and Docs

Enterprising cyber-criminals have found a way to create convincing phishing emails which abuse Google Docs and Drive functionality to bypass security filters, according to Avanan.

Researchers at the email security vendor claimed this is the first time such techniques have been used to piggyback on a popular service like Google’s.

The email that victims receive contains what appears to be a legitimate Google Docs link, Avanan explained in a blog post.

Clicking through takes the user to a Google Docs page hosting what appears to be a Word doc.

“This Google Docs page may look familiar to those who share Google Docs outside of their organization. This, however, isn’t that page. It’s a custom HTML page made to look like that familiar Google Docs share page,” Avanan explained.

“The attacker wants the victim to ‘Click here to download the document’ and once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another web page made to look like the Google Login portal.”

The attack itself is fairly simple to execute. A malicious coder creates an HTML web page designed to resemble a Google Docs sharing page and uploads it to Google Drive.

Then they simply right-click to open in Google Docs, before embedding and publishing it to the web. Google does most of the hard work, including generating a link that will render the full HTML file, Avanan explained.

The vendor claimed a similar technique had been used to spoof a DocuSign document, taking the user to a fake DocuSign login page.

Using Google Docs in this way, attackers have a good chance of bypassing static link scanners that many legacy security products use, Avanan argued. An AI-based tool capable of spotting suspicious behavior should perform better.

Phishing remains the top threat vector for today’s cyber-criminals. Of the 62.6 billion cyber-threats detected by Trend Micro last year, over 91% were sent via email.

Hank Schless, senior manager of security solutions at Lookout, argued that phishing attacks like these could seriously impact corporate cybersecurity.

“Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Since most organizations use either Google Workspace or Microsoft 365 as their main productivity platform, attackers build phishing campaigns that specifically exploit those services,” he added.

“Once the attacker has those login credentials and can log into the cloud platform they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate.”