March 15, 2020

When Google is a Fertile Ground for Phishing.

Incident Response

In a Nutshell

Our system has been identifying phishing campaigns on an hourly-basis. In this blog we will show how attackers take their creativeness to the next level, by leveraging Google services in order to orchestrate new type of phishing attacks. 

The trend described below is comprised of two new techniques: 

  • Leveraging Google APIs and Google Sites as the hosts of phishing attacks
  • Smartly designed phishing attacks using Google Docs and Google Forms


Perception Point identified this new trend with our advanced email traffic analysis along with data gathered by our Incident Response and Research teams. We spotted this new type of attack across all of our customers, with over 100 attacks successfully intercepted in the last 7 days.

The examples provided below are only a few of many phishing campaigns we have seen targeting our customers and their key employees. 

  1. “Google as the Host”:
    In this example we can see how attackers use Google APIs service for hosting phishing sites.

    The cover email along with spoofing the domain’s customer 

    In the email above we can see how the attacker disguises himself as a Microsoft admin. This “innocent” email is actually a call for action, asking the targeted user to release emails, supposedly blocked by the email security system. However, this is a false email. Once the user clicks on the URL, the following phishing site is shown:


    As you can see in the highlighted artifact in the picture, the attack is using the domain of Google APIs. Essentially, the attacker hosts the malicious URL on the Google APIs service. This technique creates a problem for most email security systems which tend to whitelist Google services, therefore, letting the attack to slip through.  

    Another example to this technique is the use of the Google Sites service. In the example below we can see a well-designed phishing site on which is using the “” domain. This attack is again very hard to detect as both the host name of the site is reputable and the quality of the phishing look-and-feel is very high.



  2. Google is the “phisher”:
    In this case, the attacker turns Google into a phishing site. The attackers are now using Google Forms – a great tool to survey people and employees – to be actually a form for asking for user names and passwords. Again, since it is based on a legitimate concept, this attack can bypass the vast majority email security vendors very easily.
    At this example, notice how the attacker creates a fake Office 365 log-in page in Google Forms and tricks the users to enter their credentials. The real interesting part is that Google are indeed aware of this threat and specifically mention that users should “never submit passwords through Google Forms”. However, in real-life, most people don’t notice this warning and are giving away their credentials to malicious actors.

Recommendations for CISOs

  1. Train your employees – Educate your employees on new types of phishing and provide them with tools to identify hoe attackers work.
  2. Adopt solutions with an automated update mechanism – Since attackers always evolve and improve, we need to use technological solutions which constantly update and improve. Perception Point combine its cloud structure to update and improve its algorithms at least once in a week. In addition, we use the Incident Response team to research attacks in the wild, even before reaching to our system.
  3. Dynamic scanning – Active scanning capabilities are key in preventing zero-day phishing attacks. Adopt solutions that can dynamically scan 100% of email traffic.

Contact Us

Connect with our team to:
* Learn more
* Get a live demo
* Get a quote
* Set up a free 30 day trial

We will respond to your enquiry within 24 hours.
Link has been copied to your clipboard!