Hackers Exploit Google Apps Script for Phishing — Stealing Microsoft 365 Credentials
Cybercriminals are now abusing Google Apps Script to launch highly convincing phishing attacks aimed at stealing Microsoft 365 login credentials, according to recent findings from cybersecurity researchers at Cofense.
In this campaign, attackers cleverly host a fake invoice using Google Apps Script — a legitimate cloud-based tool typically used to automate tasks and extend Google Workspace apps like Gmail, Sheets, and Drive with JavaScript.
How the Phishing Attack Works
→ Victims receive a phishing email that claims to contain a pending invoice.
→ The email includes a link that appears to point to script[.]google[.]com, creating a false sense of legitimacy by leveraging Google’s trusted domain.
→ Clicking the link opens a landing page displaying a message like “You have one pending download available”, with a “Preview” button that encourages further interaction.
→ The preview button directs the victim to a fake Microsoft 365 login page that looks almost identical to the real one.
→ If the victim enters their credentials, the details are captured by the attackers, and the victim is redirected to the genuine Microsoft 365 website — making it harder to realize they’ve been tricked.
Why This Tactic Is Dangerous
→ The use of Google’s trusted domain makes the scam look authentic and helps it bypass many email filters and security solutions.
→ The phishing page is carefully designed to mirror Microsoft 365’s login page, making it difficult for users to spot differences.
→ Redirecting users to the real site after harvesting credentials helps the attackers avoid immediate suspicion.
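As an added defender-side example (not code from Cofense’s report), the following Python triage rule flags emails that pair invoice or download lure wording with a link to a deployed Apps Script web app, comparing the hostname exactly so lookalike domains are not mistaken for Google’s. The sample messages and deployment IDs are constructed, and the /macros/ path prefix is an assumption about how such web apps are typically addressed.

```python
import re
from urllib.parse import urlparse

# Hostname used by Google Apps Script web apps; the campaign hosts its
# landing page here to borrow Google's domain reputation.
APPS_SCRIPT_HOST = "script.google.com"

# Lure vocabulary taken from the campaign description above.
LURE_TERMS = ("invoice", "pending download", "preview")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text):
    """Undo common defanging (hxxp, [.]) so analyst-pasted samples parse."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def extract_urls(body):
    return URL_RE.findall(refang(body))


def is_apps_script_webapp(url):
    """True only for the exact Apps Script host (assumed /macros/ web-app path)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return host == APPS_SCRIPT_HOST and parsed.path.startswith("/macros/")


def score_email(subject, body):
    """Return (verdict, flagged_urls); verdict is 'alert', 'review' or 'ok'."""
    text = f"{subject}\n{body}".lower()
    flagged = [u for u in extract_urls(body) if is_apps_script_webapp(u)]
    lure = any(term in text for term in LURE_TERMS)
    if flagged and lure:
        return "alert", flagged      # Apps Script link plus invoice/download lure
    if flagged:
        return "review", flagged     # Apps Script link without lure wording
    return "ok", flagged


# Constructed samples (not from the campaign) for a quick self-check.
SAMPLES = {
    "lure": ("Pending invoice #4471",
             "Preview: https://script.google.com/macros/s/AKfycbEXAMPLE/exec"),
    "defanged": ("Invoice", "hxxps://script[.]google[.]com/macros/s/EXAMPLE/exec"),
    "sheet": ("Q3 numbers", "https://docs.google.com/spreadsheets/d/EXAMPLE/edit"),
    "lookalike": ("Invoice", "https://script.google.com.example.net/macros/s/x/exec"),
}
```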
How Google Apps Script Is Typically Used
Legitimate users of Google Apps Script can automate workflows, such as:
→ Automatically sending personalized emails from a Google Sheets gradebook
→ Generating reports or managing Google Drive files
→ Extending the functionality of Gmail, Docs, and other Google Workspace apps
How to Stay Safe
→ Verify URLs carefully before clicking, even if they appear to come from trusted domains
→ Be cautious of unexpected invoices or downloads
→ Train employees on recognizing phishing tactics and spotting lookalike login pages
→ Use multi-factor authentication (MFA) for all critical accounts
Cofense researchers warn that phishing emails like these highlight how attackers take advantage of legitimate domains to make scams more convincing. Staying vigilant is key to reducing risk.