Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

Threat actors used Google Apps Script to host the landing page of a phishing campaign delivered through a fake invoice email, exploiting the trust users place in Google domains to steal credentials. Captured credentials are sent to the attackers before the victim is redirected to the legitimate Microsoft login page to avoid suspicion. #GoogleAppsScript #PhishingCampaign #CredentialTheft

Key points

  • The phishing campaign uses Google Apps Script to host a fake invoice page, increasing perceived legitimacy.
  • Attackers spoofed a legitimate disability and health equipment company’s domain to make the email appear authentic.
  • The email is short and ambiguous to avoid detection by spam filters and to trigger urgency in recipients.
  • Clicking the link opens the fake invoice page on script.google.com; its preview button triggers a fraudulent login window designed to steal the recipient's email address and password.
  • After credential capture, victims are redirected to the genuine Microsoft login page to reduce suspicion.
  • The phishing data is transmitted to attackers using a PHP script hosted on an external domain.
  • IPs related to the campaign include multiple Google IP addresses and a payload server IP at 167.250.5.66.

MITRE Techniques

  • [T1566] Phishing – Email containing fake invoice link hosted on Google Apps Script to trick users into entering credentials. (“…email masquerading as an invoice…link to a webpage that uses Google Apps Script…”)
  • [T1566.002] Phishing: Spearphishing Link (formerly tracked as T1192) – Link to a page on a trusted Google domain used to lure the victim to the credential-harvesting page. (“…redirected to an invoice page hosted on script.google.com…”)
  • [T1056] Input Capture – Fake login window designed to collect user email and password. (“…preview button triggers a fraudulent login window…”)
  • [T1071.001] Application Layer Protocol: Web Protocols – Stolen credentials are exfiltrated over HTTP(S) to a PHP script on an attacker-controlled domain. (“…transmits it to the attacker using a PHP script…”)
  • [T1078] Valid Accounts – Using the stolen credentials to log in to the victim's systems (implied from credential theft; the page describes no password guessing, so Brute Force does not apply). (“With the stolen credentials, attackers can infiltrate sensitive systems…”)

Indicators of Compromise

  • [URL] Infection URL hosting phishing page – hXXps://script[.]google[.]com/macros/s/AKfyc…/exec?/owa/auth/logon[.]aspx (an Apps Script web app is served at /macros/s/<deployment ID>/exec; the path-like query string /owa/auth/logon.aspx is interpreted only by the attacker's script and exists to make the link resemble an Outlook Web App logon URL)
  • [URL] Payload server URL transmitting stolen data – hXXps://solinec[.]com/APi/1YjDlaUXTsHrhxiufjU0fBe4d2wsameerm3wJlLX[.]php
  • [IP Address] Google hosting IPs associated with phishing page – 142.251.16.106, 142.251.16.147, and 5 more (shared Google front-end addresses that also serve legitimate Google services; match on the script.google.com URL rather than blocking these IPs)
  • [IP Address] Payload server IP – 167.250.5.66
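The key points above describe a three-step chain (Apps Script lure page, credential POST to an external PHP script, redirect to the genuine Microsoft login), and the indicators give the hosts involved. The following Python is an added example written for this page, not code from Cofense or from the campaign: it scores single URLs for the lure shape (a script.google.com web-app URL whose query string imitates a logon path) and then looks for the full chain per client in proxy logs. The log format, the five-minute window, and the deployment ID in the sample lines are assumptions; the report's real deployment ID is truncated, so a labelled placeholder is used, and the sample log lines are constructed.

```python
"""Detection helper for Apps Script-hosted credential phishing.

Added example, not code from Cofense or from the campaign. It scores URLs
for the lure shape described in the report and looks for the capture chain
(lure -> POST to payload host -> real Microsoft login) in proxy logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from urllib.parse import unquote, urlsplit

# Apps Script web apps are always served from this path; everything after
# the '?' is a query string that the script, not Google, interprets, so a
# path-looking query such as '/owa/auth/logon.aspx' is pure decoration.
APPS_SCRIPT_PATH = re.compile(r"^/macros/s/[A-Za-z0-9_-]+/exec$")

# Words that make a query string look like a mail or SSO logon page.
LOGON_HINTS = ("owa", "auth", "logon", "login", "signin", "sso", "outlook", "office")


def refang(ioc: str) -> str:
    """Turn 'hXXps://solinec[.]com' style defanging back into a matchable form."""
    return ioc.replace("hXXp", "http").replace("[.]", ".")


# IOCs taken from the report (defanged there), refanged for matching.
KNOWN_HOSTS = {refang("solinec[.]com")}
KNOWN_IPS = {"167.250.5.66"}
LEGIT_LOGIN_HOST = "login.microsoftonline.com"


def score_url(url: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one URL; 0 means nothing suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: list[str] = []
    if host == "script.google.com" and APPS_SCRIPT_PATH.match(parts.path):
        reasons.append("apps-script-webapp")
        query = unquote(parts.query).lower()
        if query.startswith("/") or query.endswith((".aspx", ".php", ".html")):
            reasons.append("path-like-query")
        if any(hint in query for hint in LOGON_HINTS):
            reasons.append("logon-lure-in-query")
    if host in KNOWN_HOSTS or host in KNOWN_IPS:
        reasons.append("known-ioc-host")
    return len(reasons), reasons


# Constructed sample proxy log: "<ISO timestamp> <client> <method> <url>".
# The deployment ID is a placeholder; the report's real ID is truncated.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://script.google.com/macros/s/AKfycPLACEHOLDER_DEPLOYMENT_ID/exec?/owa/auth/logon.aspx
2024-05-01T10:00:31Z 10.0.0.5 POST https://solinec.com/APi/1YjDlaUXTsHrhxiufjU0fBe4d2wsameerm3wJlLX.php
2024-05-01T10:00:32Z 10.0.0.5 GET https://login.microsoftonline.com/
2024-05-01T10:05:00Z 10.0.0.9 GET https://script.google.com/macros/s/AKfycPLACEHOLDER_DEPLOYMENT_ID/exec?sheet=q2
2024-05-01T10:06:00Z 10.0.0.9 GET https://docs.google.com/spreadsheets/d/placeholder/edit
"""

LogEntry = tuple[datetime, str, str, str]  # timestamp, client, method, url


def parse_log(text: str) -> list[LogEntry]:
    """Parse the assumed four-field log format into time-sorted entries."""
    entries: list[LogEntry] = []
    for line in text.splitlines():
        ts, client, method, url = line.split()
        entries.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), client, method, url))
    return sorted(entries)


def find_capture_chains(entries: list[LogEntry], window: timedelta = timedelta(minutes=5)) -> dict:
    """Per client: lure page -> POST to a known payload host -> real Microsoft
    login, each step within `window` of the previous one (window is an assumption)."""
    by_client: dict[str, list[LogEntry]] = defaultdict(list)
    for entry in entries:
        by_client[entry[1]].append(entry)
    flagged = {}
    for client, requests in by_client.items():
        lure_at = ioc_at = None
        for ts, _, method, url in requests:
            score, reasons = score_url(url)
            host = (urlsplit(url).hostname or "").lower()
            if "apps-script-webapp" in reasons and score >= 2:
                lure_at, ioc_at = ts, None  # lure page seen; (re)start the chain
            elif lure_at and "known-ioc-host" in reasons and method == "POST" and ts - lure_at <= window:
                ioc_at = ts  # credentials likely posted to the payload server
            elif ioc_at and host == LEGIT_LOGIN_HOST and ts - ioc_at <= window:
                flagged[client] = (lure_at, ioc_at, ts)  # redirect to the real login completes the chain
                lure_at = ioc_at = None
    return flagged


if __name__ == "__main__":
    for client, (lure, post, redirect) in find_capture_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: lure {lure.time()} -> POST {post.time()} -> real login {redirect.time()}")
```

Benign Apps Script usage (client 10.0.0.9, a web app called with an ordinary query string) scores 1 and never starts a chain, which is the point of scoring the query-string shape rather than the domain: blocking script.google.com or the Google front-end IPs is not an option, but a web-app URL whose query string pretends to be a logon path is a strong, cheap signal on its own, and the POST-then-real-login sequence turns it into an incident.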


Read more: https://cofense.com/blog/behind-the-script-unmasking-phishing-attacks-using-google-apps-script