Hackers are using Google services to bypass email defence, researchers warn


Threat actors are increasingly using Google services such as Forms, Firebase and Sites to get around email defences that look for suspicious code and URLs, security vendor Armorblox has warned.

In a blog released this morning, the company said infosec pros need to tailor their strategies to prepare for these deceptions, especially if their organization uses free Gmail or GSuite.

Here are several examples of attackers’ tactics Armorblox has seen:

  • An email claims to come from a company’s IT team and asks readers to review a secure message their colleagues had shared over Microsoft Teams. Clicking the link takes victims to a page resembling Microsoft Teams, which then when to a credential phishing site resembling the Office 365 login portal.
  • The Office 365 login portal was hosted on Google Sites, a wiki and web page creation tool. Victims may be fooled by the legitimacy of the page’s domain, which starts “sites.google.com.”
  • An email impersonating an organization’s payroll team goes to named employees with payslip details, asking them to click on a link and check if their personal information for the payslip is accurate. As an extra pressure tactic, the message asks victims to check before 5 p.m.
  • The link in the email leads to a page hosted on Google Docs. Since Google Docs is commonly used, some people might not be surprised to see a Google Docs link in an email from a colleague.
  • An email pretending to be from an organization’s security team with an email tells victims they haven’t received some ‘vital’ emails because of a storage quota issue. The message includes a link for readers to verify their information and resume email delivery.

The email link leads to a fake login page hosted on Firebase, Google’s mobile platform that enables users to create apps, host files and images, and serve user-generated content. The parent URL of the fake page – https://firebasestorage.googleapis.com – won’t be blocked by any security filters. The login screen for capturing credentials has the email address of the victim pre-entered into the first field.

Some of these tactics won’t fool a sharp-eyed — and well-trained — person if certain defences are in place. For example, if the corporate email is set up to brand messages as coming from an external (outside the company) source, then staff should realize a message purportedly coming from a colleague or another company department must be malicious.

Still, Armorblox recommends infosec staff, if they haven’t already done so to implement multifactor authentication for email accounts and have staff use an approved password manager, making sure staff don’t use common and insecure passwords; train staff to be careful with emails related to money and data and make sure all existing email security capabilities are enabled. Some security vendors may have products that can spot Google service abuse.


Please enter your comment!
Please enter your name here