Hackers are using Google services to bypass email defence, researchers warn

Threat actors are increasingly using Google services such as Forms, Firebase and Sites to get around email defences that look for suspicious code and URLs, security vendor Armorblox has warned.

In a blog released this morning, the company said infosec pros need to tailor their strategies to prepare for these deceptions, especially if their organization uses free Gmail or GSuite.

Here are several examples of attackers’ tactics Armorblox has seen:

  • An email claims to come from a company’s IT team and asks readers to review a secure message their colleagues had shared over Microsoft Teams. Clicking the link takes victims to a page resembling Microsoft Teams, which then went to a credential phishing site resembling the Office 365 login portal.
  • The Office 365 login portal was hosted on Google Sites, a wiki and web page creation tool. Victims may be fooled by the legitimacy of the page’s domain, which starts “sites.google.com.”
  • An email impersonating an organization’s payroll team goes to named employees with payslip details, asking them to click on a link and check if their personal information for the payslip is accurate. As an extra pressure tactic, the message asks victims to check before 5 p.m.
  • The link in the email leads to a page hosted on Google Docs. Since Google Docs is commonly used, some people might not be surprised to see a Google Docs link in an email from a colleague.
  • An email pretending to be from an organization’s security team tells victims they haven’t received some ‘vital’ emails because of a storage quota issue. The message includes a link for readers to verify their information and resume email delivery.

The email link leads to a fake login page hosted on Firebase, Google’s mobile platform that enables users to create apps, host files and images, and serve user-generated content. The parent URL of the fake page – https://firebasestorage.googleapis.com – won’t be blocked by any security filters. The login screen for capturing credentials has the email address of the victim pre-entered into the first field.

Some of these tactics won’t fool a sharp-eyed — and well-trained — person if certain defences are in place. For example, if the corporate email is set up to brand messages as coming from an external (outside the company) source, then staff should realize a message purportedly coming from a colleague or another company department must be malicious.

Still, Armorblox recommends that infosec staff, if they haven’t already done so, implement multifactor authentication for email accounts; have staff use an approved password manager, making sure staff don’t use common and insecure passwords; train staff to be careful with emails related to money and data; and make sure all existing email security capabilities are enabled. Some security vendors may have products that can spot Google service abuse.
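
As an added illustration (not code from Armorblox or from this article), the sketch below shows how a mail-triage script could combine the signals described above: an outside sender using an internal team name, a link to one of the Google hosts named in the report, and the recipient's own address carried in that link. The function name `triage`, the list of team names, the sample messages and the idea that a pre-filled login page receives the address through the URL are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

# Google hosts named in the article that serve user-created pages and files.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com",
                      "firebasestorage.googleapis.com"}
# Assumed list of internal team names an outside sender should not be using.
INTERNAL_NAMES = re.compile(r"\b(it|payroll|security|help ?desk)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def triage(raw, org_domain):
    """Return the list of reasons a raw RFC 5322 message deserves review."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    # Decode every leaf part so base64 / quoted-printable bodies are covered.
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    reasons = []
    # From is taken at face value; a gateway would use the authenticated origin.
    if not sender.lower().endswith("@" + org_domain.lower()) \
            and INTERNAL_NAMES.search(display):
        reasons.append("external sender uses an internal team name")
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if host not in USER_CONTENT_HOSTS:
            continue
        reasons.append("link to user-content host " + host)
        # Assumption: a pre-filled login page receives the address via the URL.
        if rcpt and rcpt.lower() in unquote(url).lower():
            reasons.append("recipient address embedded in link")
    return reasons

# Constructed sample messages (not taken from the Armorblox report).
SAMPLE_LURE = """From: "IT Security Team" <alerts@mailer.example.net>
To: pat@example.com
Subject: Storage quota reached

Verify here: https://firebasestorage.googleapis.com/PLACEHOLDER/index.html?e=pat%40example.com
"""
SAMPLE_COLLEAGUE = """From: "Sam Lee" <sam@example.com>
To: pat@example.com
Subject: Q3 notes

Draft is at https://docs.google.com/document/d/PLACEHOLDER/edit
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_COLLEAGUE):
        print(triage(sample, "example.com"))
```

A Google-hosted link on its own is common in legitimate mail, so the host match is best treated as one signal to be weighed with the others rather than as grounds for blocking.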


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
