Phishing attempts are evolving, with cybercriminals constantly developing new strategies to bypass security measures. A recent phishing campaign underscores how trust in major tech platforms can be exploited for malicious purposes.
Hackers have begun embedding harmful links within a chain of legitimate Google services to evade detection by automated email security systems. This sophisticated method allows these links to bypass security checks and reach users’ inboxes unnoticed.
Complex Phishing Techniques Using Google Services
The attackers utilize a technique that involves layering multiple trusted Google domains within a single link. Security systems, upon scanning such emails, detect only familiar and trusted Google URLs, missing the hidden phishing page that is revealed only when a user clicks the link.
According to KnowBe4 ThreatLabs researchers, this campaign employs a unique triple-chain delivery method that effectively avoids detection. The method involves routing through Google Meet, Google Search Redirect, and Google Ad Service, guiding victims to malicious sites without triggering security alarms.
Deceptive Lures and Phishing Tactics
The phishing emails are crafted to create a sense of urgency, often mimicking FedEx delivery notifications, DocuSign requests, Microsoft 365 password expiration alerts, fraudulent payment notices, and emails with malicious QR codes. These tactics are designed to prompt immediate action from the recipients.
Upon clicking the link, victims may be directed to a realistic Microsoft 365 login page with their email pre-filled, facilitating credential theft. Alternatively, they might encounter a fake OneDrive document containing a pre-generated Microsoft device code, which, if used, grants attackers access to the corporate account.
Security Measures and Recommendations
The core of this attack method is the “Nested Delivery Matrix,” which masks the ultimate destination by passing through three Google-owned domains. Secure Email Gateways, upon inspection, find nothing suspicious due to Google’s clean reputation scores, allowing these emails to pass unchecked.
Once at the phishing site, the attack can result in either credential harvesting through a fake login page or session hijacking via a device code. This dual threat underscores the importance of vigilance and enhanced security measures.
Security experts recommend scrutinizing emails with redirect chains, even those involving trusted domains. Training employees to verify links, identify pre-populated login forms, and report suspicious activities is crucial. Implementing conditional access policies and blocking unfamiliar redirect patterns can also mitigate the risk of such attacks.
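One way to act on the "scrutinize redirect chains" advice above, as an added example that is not part of the original article or of the researchers' tooling: a mail-filter helper that statically unwraps nested redirect parameters on Google-owned hosts (no request is ever made to the link) and flags a message when the link passes through two or more trusted domains before landing on an untrusted one. The parameter names (`q`/`url`, `dest`, `adurl`) and the sample URL are assumptions constructed for illustration, not indicators from the campaign.

```python
from urllib.parse import urlparse, parse_qs, quote

# Redirect parameters that carry a destination URL on Google-owned hosts.
# Assumed for illustration; extend the table from your own mail telemetry.
REDIRECT_PARAMS = {
    "www.google.com": ("q", "url"),           # /url?q=...
    "meet.google.com": ("dest",),             # /linkredirect?dest=...
    "www.googleadservices.com": ("adurl",),   # /pagead/aclk?adurl=...
}
TRUSTED_SUFFIXES = ("google.com", "googleadservices.com")

def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def next_hop(url):
    """Return the URL embedded in a known redirect parameter, else None."""
    p = urlparse(url)
    for name in REDIRECT_PARAMS.get(p.netloc.lower(), ()):
        values = parse_qs(p.query).get(name)   # parse_qs strips one %-encoding layer
        if values and urlparse(values[0]).scheme in ("http", "https"):
            return values[0]
    return None

def unwrap_chain(url, max_hops=10):
    """Statically unwrap nested redirects; no network request is made."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def assess(url):
    """Flag links that hop through 2+ trusted domains to an untrusted final host."""
    chain = unwrap_chain(url)
    hosts = [urlparse(u).netloc.lower() for u in chain]
    trusted_hops = sum(1 for h in hosts[:-1] if is_trusted(h))
    verdict = "suspicious" if trusted_hops >= 2 and not is_trusted(hosts[-1]) else "ok"
    return {"chain": chain, "hops": len(chain) - 1, "final_host": hosts[-1], "verdict": verdict}

# Constructed sample: a placeholder (.invalid) host wrapped in three Google redirects.
PHISH = "https://example-phish.invalid/m365/login"
ADS = "https://www.googleadservices.com/pagead/aclk?sa=L&adurl=" + quote(PHISH, safe="")
SEARCH = "https://www.google.com/url?q=" + quote(ADS, safe="")
SAMPLE = "https://meet.google.com/linkredirect?authuser=0&dest=" + quote(SEARCH, safe="")

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A gateway rule built on this should treat the unwrapped final host, not the outermost Google host, as the value to reputation-check and to log.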
Indicators of Compromise (IoCs) include various attacker-controlled domains and malicious Cloudflare Worker URLs, which security teams should monitor. These IoCs are defanged to prevent accidental resolution and should be handled within secure threat intelligence platforms.
