Threat actors are exploiting Google Docs by hosting their attacks within the web-based document service in a new phishing campaign that delivers malicious links aimed at stealing victims’ credentials.
Researchers at email and collaboration security firm Avanan discovered the campaign, which is the first time they said they’ve seen attackers use this type of exploit in Google’s hosted document service, according to a report published Thursday by Jeremy Fuchs, marketing content manager for Avanan.
By hosting attacks in this way, attackers can bypass link scanners and evade detection from common security protections that aim to verify that links sent via email are legitimate. Previously, attackers have used the attack vector in smaller services such as MailGun, FlipSnack, and Movable Ink, according to Avanan.
Attack Vector
The attack begins with an email that includes a message that could be relevant to business users who commonly use Google Docs within their corporate environment. In the example shown in the report, the message claims the link contains a set of “new rules for June 25.”
If a user clicks on the link, the page appears familiar to anyone using Google Docs to share documents outside the organization, Fuchs said.
“This, however, isn’t that page,” he wrote. “It’s a custom HTML page made to look like that familiar Google Docs share page.”
Once redirected, potential victims are asked to “click here” to download the document. If a user clicks, the page redirects to the actual malicious phishing website, which steals the victim’s credentials using another web page made to look like the Google Login portal but which is actually hosted from a URL clearly not affiliated with the tech giant.
Attack Hosted by Google
The trick to creating the attack vector is that the heavy lifting of the campaign is done by Google Docs, making it “quite simple to execute,” Fuchs explained.
First an attacker would write a web page that resembles a Google Docs sharing page, and then upload that HTML file to Google Drive. Once the file is scanned, Google renders the HTML into a preview page that looks very much like a typical Google Docs page.
An attacker then can right-click on the uploaded file and open it in Google Docs, which is where the simple yet integral aspect of the attack takes place, Fuchs wrote.
“This is the clever bit because if you simply click ‘Get link’ you would only see the source code of the file, not the rendered version,” he wrote. However, by manipulating Google Docs, attackers are able to successfully render the malicious page rather than deliver a page with just source code to a potential victim, which would not be effective.
Final Deployment
Researchers must take one more step to have the file render in a way that a victim will recognize by selecting “Publish to the Web” from the Google Docs “File” dropdown menu.
Then by hitting “Embed” and “Publish,” Google will provide with embed tags that are meant to be used on its own forums to render custom content but which the attacker can use—minus the iframe tags—to save the malicious link intended to be sent via the phishing campaign.
“This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website,” Fuchs explained.
Avanan researchers also spotted the same attack method being used by threat actors to spoof a DocuSign phishing email, he added. In this case, the “View Document” button was a published Google Docs link that actually was a fake DocuSign login page that would transmit the entered password to an attacker-controlled server via a “Log In” button, Fuchs wrote.
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!