Full Report
Threat actors are abusing the trusted Google platform 'Google Apps Script' to host phishing pages, making them appear legitimate and eliminating the risk of them getting flagged by security tools. [...]
Analysis Summary
# Threat Actor: Unspecified Phishing Actors Abusing Google Apps Script
## Attribution & Identity
* **Identification:** Threat actors who are leveraging legitimate cloud services to host phishing infrastructure for credential harvesting.
* **Aliases/Associations:** Not explicitly named or attributed to specific known APTs or established groups in the provided text, but described as "phishing actors."
## Activity Summary
Threat actors are conducting evasive credential harvesting operations by abusing **Google Apps Script (GAS)**. They are creating scripts that host fake login pages designed to capture victim credentials. These phishing pages are delivered via emails containing lures related to invoice payments or tax matters. A key feature of this campaign is the ability for actors to update the phishing lure remotely without sending new links to victims.
## Tactics, Techniques & Procedures
- **T1566.001 (Phishing: Spearphishing Attachment):** Delivering phishing links via emails with invoices or tax-related calls to action. (Implied delivery mechanism)
- **T1566.002 (Phishing: Spearphishing Link):** Linking recipients to malicious Google-hosted pages.
- **T1190 (Exploit Public-Facing Application):** Abusing the intended functionality of Google Apps Script.
- **T1071.001 (Application Layer Protocol: Web Protocols):** Using HTTP requests to exfiltrate captured data to attacker-controlled servers via hidden requests.
- **Evasion:** Hosting the malicious content on `script.google.com`, which is typically allow-listed by security products because it runs on a trusted Google domain.
- **Flexibility:** The ability to remotely adjust the deployed GAS script after initial deployment, allowing for quick iteration of lures.
- **MITRE ATT&CK IDs:** No specific IDs were directly published alongside the techniques in the text, but relevant IDs are listed above based on the activity described.
## Targeting
* **Sectors:** General, but the lure suggests targeting users who handle financial documents (invoices) or tax affairs.
* **Geography:** Not specified.
* **Victims:** Users targeted by phishing emails requesting sensitive information.
## Tools & Infrastructure
* **Malware Families Used:** None explicitly named, but custom scripts deployed via Google Apps Script are the primary mechanism.
* **Infrastructure (C2, domains, IPs):**
  * **Hosting Platform:** `script.google.com` (legitimate Google infrastructure used for hosting the phishing page).
  * **Exfiltration:** Attacker-controlled servers receiving data via hidden requests from victims interacting with the GAS page.
## Implications
The use of Google Apps Script provides significant **evasion** capabilities, as the malicious content resides on a highly trusted, allow-listed domain (`script.google.com`). This increases the likelihood that phishing emails will successfully bypass traditional gateway filters. Furthermore, the actors gain operational efficiency by being able to continuously update campaign lures remotely without resending links, extending the operational life of the campaign.
## Mitigations
- Configure email security solutions to scrutinize links pointing to cloud services.
- Block access to Google Apps Script URLs (`script.google.com`) completely, or at minimum, flag them as potentially dangerous for user interaction.
- Implement robust user training focusing on credential entry on links originating from unexpected cloud service subdomains, even if the main domain is trusted.
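As an added illustration of the first two mitigations (not code from the original report), the following Python snippet scans email bodies for links and flags those hosted on `script.google.com`, plus lookalike hosts that merely begin with that name. The sample messages and the deployment identifier in them are constructed; the `script.google.com/macros/s/<id>/exec` path shape is the documented form of a published Apps Script web app.

```python
import re
from urllib.parse import urlparse

# Constructed sample email bodies (not taken from the original report).
SAMPLE_EMAILS = [
    ("invoice-lure", "Your invoice is overdue. Review it here: "
                     "https://script.google.com/macros/s/AKfycb_EXAMPLE/exec"),
    ("benign", "Meeting notes are at https://docs.example.com/notes/123"),
    ("lookalike", "Tax refund pending: http://script.google.com.evil.example/login"),
]

# Crude URL extractor; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Trusted-domain hosts whose links deserve extra scrutiny in mail flow.
WATCHED_HOSTS = {"script.google.com"}


def classify_url(url):
    """Return 'gas_hosted', 'lookalike' or 'other' for a single URL."""
    host = (urlparse(url).hostname or "").lower()
    if host in WATCHED_HOSTS:
        return "gas_hosted"
    # Catch hostnames that only start with the trusted name
    # (e.g. script.google.com.evil.example), a common lookalike trick.
    if any(host.startswith(h + ".") for h in WATCHED_HOSTS):
        return "lookalike"
    return "other"


def scan_email(body):
    """Return a list of (url, verdict) for every URL that warrants a flag."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,);")  # trailing punctuation is not part of the link
        verdict = classify_url(url)
        if verdict != "other":
            findings.append((url, verdict))
    return findings


def scan_all(emails):
    """Map each labelled email to its flagged links."""
    return {label: scan_email(body) for label, body in emails}


if __name__ == "__main__":
    for label, hits in scan_all(SAMPLE_EMAILS).items():
        print(label, hits)
```

In a gateway this verdict would feed a policy step such as rewriting the link through a click-time check or adding a warning banner, rather than outright delivery.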