Cybercriminals have escalated their tactics by exploiting Google Apps Script, a trusted development platform, to host sophisticated phishing campaigns that bypass traditional security measures.<\/p>\n
This emerging threat represents a significant shift in how attackers leverage legitimate infrastructure to enhance the credibility of their malicious operations<\/a>.<\/p>\n The latest campaign targets unsuspecting users through deceptive invoice emails that appear to originate from legitimate disability and health equipment providers.<\/p>\n These carefully crafted messages contain minimal content to avoid triggering spam filters while creating urgency that prompts immediate action from recipients.<\/p>\n The attackers deliberately exploit the inherent trust users place in communications that appear business-related and time-sensitive.<\/p>\n Cofense analysts identified<\/a> this sophisticated phishing operation through their Phishing Defense Center, revealing how threat actors have weaponized Google\u2019s own infrastructure to create an illusion of authenticity.<\/p>\n By hosting malicious content on script.google.com domains, attackers effectively circumvent many security solutions that typically whitelist Google services<\/a>, making detection significantly more challenging for both automated systems and end users.<\/p>\n The campaign\u2019s impact extends beyond simple credential theft, as successful attacks provide cybercriminals with access to corporate email systems and sensitive organizational data.<\/p>\n The use of Google\u2019s trusted environment dramatically increases the likelihood of successful compromise, as users are conditioned to trust Google-hosted content without scrutiny.<\/p>\n The attack unfolds through a carefully orchestrated sequence designed to maximize victim engagement while minimizing suspicion.<\/p>\n Initial infection begins when recipients click the \u201cView Invoice\u201d link in the spoofed email, which redirects them to a Google Apps<\/a> Script-hosted page displaying what appears to be a legitimate electronic fax download interface.<\/p>\n The critical transition occurs when users click the \u201cPreview\u201d button, triggering the deployment of a fraudulent login window that mimics authentic Microsoft authentication<\/a> interfaces.<\/p>\n Once credentials are entered, a PHP script immediately captures and transmits the data to attacker-controlled servers before seamlessly redirecting victims to a legitimate Microsoft login page<\/a> to maintain the deception.<\/p>\n This final redirection serves as psychological camouflage, leaving victims unaware that their credentials have been compromised while providing attackers with immediate access to corporate systems and sensitive information.<\/p>\n Celebrate 9 years of ANY.RUN!\u00a0Unlock the full power of<\/strong>\u00a0TI Lookup plan (100\/300\/600\/1,000+ search requests),\u00a0and\u00a0your request quota will double<\/a>.<\/strong><\/p>\n The post Threat Actors Leverage Google Apps Script To Host Phishing Websites<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMulti-Stage Infection Mechanism<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2OyDbwKKn477WuYffylVKyCfUHNsFhtNxMaXfCwt3tCrXMGHpk4YBZEvRBzKWpGX6KUGZiBrGD2r82U79s2R0GYKHt6MTmJZvyk36j4rQCk8oTtefOG052o_lDAev-YcGW-ylzyMBwx-2NC4FzSdS0BeMRFK0ORCQQ-yJWIj0kJ9DLOE1VzIf94HQdU4\/s16000\/Email%2520Body%2520%28Source%2520-Cofense%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsEfSPHiYR3zq-tE_1SCM7kCAWBA1fhtFMDNnS9AviWn-AI45Cvf59glkz_7VIUtn2dXuADldlf4xnhwbTYnwbTjnU4goPpsvin5-v4LR-nSrPD6vPSlI_Bs8PJ0e3NbMnmQGE8dZkAiRjT9TsIw5GtQrrJDC6aHeKmC-jBPKpy2OoWyQGap6iH5M9ddw\/s16000\/Fake%2520Invoice%2520Page%2520%28Source%2520-Cofense%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj8GJc-ssEh6RTqLSiPgEnAnjdUHb5H6hJbYnGzI_Zn_SGj_02OgmYhoulPvWdywsDW5PagkLsdzzDy_6gZfuXohi8lJUJVVgkIcbHy27_3eJgip-qiHL4AXsEuMkqPZk8Ygap1NWS4LwxxMiAf4NoQOAJfi71ykNUojoCDkYgR9MIBWJ6c8JIFW0RGCco\/s16000\/Phishing%2520Page%2520%28Source%2520-Cofense%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjKgV2TFnaE8hc_V3F_-SaUuD6ejioh1DQ2wQeLuDkp14zHCwvxBNA9NlI12QUeiAX_H_Sq6oZfD_ZTgLQSmdhckYeJTizaiMPfJws3_PflBqmaeqea1MlPz7JHKjRunHy5RSdxodZzP-T6a1xET3KWfAqzDIo6IHHCK2joFfUhNwyX9Xi0lFdUzHiSMW4\/s16000\/Final%2520redirect%2520page%2520%28Source%2520-Cofense%29.webp?ssl=1\")