Cybercriminals are now using Google Apps Script to host phishing sites that mimic legitimate login pages, aiming to steal user credentials.
Security researchers at Cofense discovered that attackers send emails posing as invoices, linking victims to fake login forms hosted on Google's trusted “script.google.com” domain.
Because this domain is commonly allowlisted, the phishing links often bypass security filters. Once users input their credentials, the data is silently sent to the attacker, and the victim is redirected to the real site to avoid suspicion.
This method allows attackers to alter the script or change lures without resending new emails, making their campaigns more adaptable and harder to detect.
Google Apps Script’s accessibility and trusted reputation make it an appealing tool for abuse in phishing operations.
Experts recommend strengthening email security policies to flag or restrict access to such links as a precaution.
Read more...