{"id":3372,"date":"2025-05-29T23:58:15","date_gmt":"2025-05-29T23:58:15","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3372"},"modified":"2025-05-29T23:58:15","modified_gmt":"2025-05-29T23:58:15","slug":"warning-threat-actors-now-abusing-google-apps-script-in-phishing-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3372","title":{"rendered":"Warning: Threat actors now abusing Google Apps Script in phishing attacks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors have discovered a way to abuse Google Apps Scripts to sneak links to malicious websites past phishing defenses.<\/p>\n<p>According to <a href=\"https:\/\/cofense.com\/blog\/behind-the-script-unmasking-phishing-attacks-using-google-apps-script\" target=\"_blank\" rel=\"noopener\">new research from Cofense<\/a>, a new attack has been discovered where, if an employee clicks on a link in a phishing email, they get taken to a page on <em>script[.]google[.]com. 
<\/em>The attacker is betting the user will see and trust the Google brand, and therefore trust the content.<\/p>\n<p>\u201cBy using a trusted platform to host the phishing page, the threat actor creates a false sense of security, obscuring the underlying threat with the goal of getting the recipient to enter their email and password without thinking twice,\u201d says the report.<\/p>\n<p>CISOs need to remind employees in regular security awareness training sessions to not let their guard down, and to read every email closely for clues of a scam.<\/p>\n<p>They also need to be reminded that a caution stating that a message uses a tool from a well-known brand \u2013 like Google \u2013 is no guarantee that the message is safe.<\/p>\n<h2 class=\"wp-block-heading\">What is Google Apps Script?<\/h2>\n<p><a href=\"https:\/\/developers.google.com\/apps-script\" target=\"_blank\" rel=\"noopener\">Apps Script<\/a> is a cloud-based JavaScript platform powered by Google Drive that lets a developer integrate with and automate tasks across Google products.\u00a0 With it, Google says developers can add custom menus, dialogs, and sidebars to Google Docs, Sheets, and Forms; write custom functions and macros for Google Sheets; publish web apps, either standalone or embedded in Google Sites; interact with other Google services, including AdSense, Analytics, Calendar, Drive, Gmail, and Maps; and more.<\/p>\n<p>Threat actors\u2019 abuse of Apps Scripts is another example of a living-off-the-land tactic, using legitimate tools or capabilities for malicious acts against targets. It\u2019s also an example of another favourite tactic, using a well-known brand, such as Microsoft or AWS, to ease targets\u2019 security worries.<\/p>\n<p>The attack Cofense came across was an email that included an invoice containing a link to a webpage that uses a Google Apps Script. 
By spoofing the firm\u2019s domain, it appeared to come from a legitimate company that sells disability and health equipment.\u00a0The message itself [\u201cHello team. Please see the attached invoice for processing and payment. Kind regards,\u201d] contained minimal information, notes Cofense, relying on its ambiguity to mislead the recipient.<\/p>\n<p>The message may also trigger a warning in a phishing defense application: \u201cThis application was created by a Google Apps Script user.\u201d But again, the fact that it has Google\u2019s brand in the warning may cause some to relax.<\/p>\n<p>Of course, to a trained employee, the message\u2019s brevity is also a tip-off that this may be phishing. As well, a general salutation [\u201cHello team\u201d] should trigger suspicion, even if the recipient handles invoices.<\/p>\n<p>The email has a Preview button the threat actor hopes a curious employee will click on. It triggers a fraudulent pop-up login window \u2013 one that\u2019s carefully designed to look legitimate \u2013 from the spoofed website. 
If an employee enters their credentials, the credentials are captured by the threat actor, and a script then automatically redirects the user to a legitimate Microsoft login page.<\/p>\n<p>This evolution of phishing is a response to the widespread security awareness training message that clicking on unknown links is bad, Robert Beggs, head of Canadian incident response firm DigitalDefense, told CSO.<\/p>\n<h2 class=\"wp-block-heading\">Attack builds on previous tactics<\/h2>\n<p>\u201cFor the past two to three years, attackers have used a variety of mechanisms to clothe themselves as a legitimate operator,\u201d he said in an email.\u00a0\u201cFor example, they have sent calendar invites with attachments that appear legitimate when you open your calendar.\u00a0 They have intercepted communications channels, such as Microsoft Teams or Zoom, in order to appear as legitimate meeting attendees.\u00a0The latest attack methodology builds on that new tactical approach.\u201d<\/p>\n<p>Google Apps Scripts may be \u201ctrusted,\u201d he said, but to a typical user, there remain multiple red flags in this kind of attack:<\/p>\n<p>most users are never directed to Google Apps Scripts. The fact that Google is in the name should not create trust if it is a new site to a user;<\/p>\n<p>if the URL an employee is directed to is long and complex \u2013 or obfuscated \u2013 that\u2019s a warning sign. 
Employees need to be reminded that they should be able to understand the full and complete URL a link goes to;<\/p>\n<p>as in other kinds of phishing attacks, if the email tries to imply a sense of urgency to push the staffer through the pages to the point of entering sensitive access credentials, that\u2019s always a red flag.<\/p>\n<p>\u201cIn short, Google Apps Script attacks may bypass local anti-phishing controls,\u201d said Beggs, \u201chowever, the information that flags an attack remains present, and diligent users will be able to detect the attempted attack.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors have discovered a way to abuse Google Apps Scripts to sneak links to malicious websites past phishing defenses. According to new research from Cofense, a new attack has been discovered where, if an employee clicks on a link in a phishing email, they get taken to a page on script[.]google[.]com. The attacker is [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3373,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3372"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3372"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3372\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.p
hp?rest_route=\/wp\/v2\/media\/3373"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}