Perception Point has detected a widespread campaign targeting multiple clients, in multiple countries, across a variety of industries. The one common factor is that they are all working with the G Suite set of tools from Google.

In this G Suite phishing campaign, the user first receives an email that closely resembles the standard notifications sent by G Suite applications, ranging from Google Photos to Google Drive.

As seen in the images above, the attacker ensures the subject and the sender look legitimate, thereby making the email seem valid.

After the user clicks on “View album” or “More information”, the link immediately forwards the user to multiple different malicious URLs or phishing sites (e.g. adult content, spam, phishing).

We identified this G Suite scam using multiple engines, each of which detected a different aspect of the attack. First, our Domain Look-a-Like engine detected that the sender’s address attempts to imitate a Google address. Second, our Unpacker opened all layers of the email within a controlled environment and clicked on all of the links inside the email, thereby preventing the commonly seen evasion technique of hiding attacks within multiple layers of content. Finally, our reputation engine checked the URLs against multiple reputation engines and sites to verify their legitimacy – subsequently identifying the links as spam and phishing.
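The sender check described above can be sketched as follows. This is an added example, not Perception Point's code: the trusted-domain list, the confusable-character map, the one-edit threshold and the sample `From` headers are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

BRAND = "google"
TRUSTED = ("google.com",)  # assumption: registrable domains accepted as genuine
# Assumption: small digit-for-letter map; a real engine covers far more confusables.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e"})


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return 'trusted', 'lookalike', 'display_name_spoof' or 'unrelated'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Exact match or true subdomain only: 'notgoogle.com' must not pass.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    for label in domain.replace("-", ".").split("."):
        norm = label.translate(CONFUSABLES)
        # Brand embedded in a label, or one edit away from it (typo or swapped glyph).
        if BRAND in norm or edit_distance(norm, BRAND) <= 1:
            return "lookalike"
    # Domain looks unrelated, but the display name still claims the brand.
    if BRAND in display.lower():
        return "display_name_spoof"
    return "unrelated"


# Constructed sample From headers (not taken from the campaign).
SAMPLES = [
    "Google Photos <noreply-photos@google.com>",
    "Google Photos <noreply@g00gle-photos.example>",
    "Google Drive <drive-shares@googIe.example>",
    "Google Drive <share@files.example.net>",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):20} {header}")
```

The `From` header alone is spoofable, so a check like this complements SPF, DKIM and DMARC results rather than replacing them.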

