www.armorblox.com
2600:1f18:2489:8202:1542:e5:19c0:d28b
Public Scan
URL:
https://www.armorblox.com/blog/ok-google-build-me-a-phishing-campaign/
Submission: On January 27 via manual from US — Scanned from DE
Form analysis
2 forms found in the DOM
Text Content
OK GOOGLE, BUILD ME A PHISHING CAMPAIGN
Written by Arjun Sambamoorthy
Threat Research / 11.19.20

Google’s mail, workplace productivity, and other business services have helped millions of people simplify and share their work. Open APIs, extensible integrations, and developer-friendly tools mean that entire virtual offices - complete with virtual workflows - can exist in a Google ecosystem.

Unfortunately, Google’s open and democratized nature is being exploited by cybercriminals to defraud individuals and organizations of money and sensitive data. The Armorblox threat research team has seen a sharp uptick in attackers using Google services to help them get emails past binary security filters based on keywords or URLs.

In this blog, we outline five targeted phishing campaigns that weaponize various Google services during their attack flow. These attacks are representative but in no way exhaustive - they are the tip of a deep iceberg. If successful, these email attacks using Google services could have potentially impacted tens of thousands of mailboxes within Armorblox customer environments alone.

--------------------------------------------------------------------------------

1. AMERICAN EXPRESS CREDENTIAL PHISHING

Fig: Summary of the American Express credential phishing attack

ATTACK SUMMARY
A credential phishing email impersonating American Express Customer Care informs readers that they left out some information while validating their card. The email includes a link where readers can fill in this information and validate their card.

GOOGLE SERVICE USED
The phishing page in the email is hosted on a Google form with a smattering of American Express branding. This fairly long form asks victims for their American Express login credentials, card details, and even their mother’s maiden name (a common security question).

Fig: Phishing page for the AmEx attack was hosted on a Google form

Hosting the phishing page on a Google form helps the initial email evade security filters that block known bad links or domains. Since Google’s domain is inherently trustworthy and Google forms are used for many legitimate purposes, no email security filter would realistically block this link on day zero.

OTHER TECHNIQUES USED
* Impersonation: American Express Customer Care
* Social engineering: Time-bound request to validate the AmEx card by providing personal information

--------------------------------------------------------------------------------

2. BENEFACTOR SCAM RECONNAISSANCE

Fig: Benefactor scam email with a Google form link

ATTACK SUMMARY
Cybercriminals impersonate a childless widow who wants to part with large sums of money but has nowhere to disburse it. The email asks anyone interested in receiving the money to either click the link in the email or reply to the address included in the email body.

GOOGLE SERVICE USED
The link in the email leads to a seemingly empty Google form with an untitled question and one answer option (Option 1). At first glance it seems the attackers have been lazy or negligent, but this is a common reconnaissance technique employed at the start of targeted email attacks. Many people will feel the email is suspicious after reading the content and visiting this dummy form. But some will submit the only option the form allows, or reply to the address provided in the email. This lets the attackers shortlist the most naive and emotionally susceptible recipients, who become prime targets for follow-up emails from the "childless widow".

Fig: Empty Google form used as a reconnaissance technique

Just like the earlier American Express credential phishing attack, hosting the page on a Google form helps the initial email evade security filters that block known bad links or domains.

OTHER TECHNIQUES USED
* Impersonation
* Social engineering: Emotional request from a widow, temptation of large sums of money.

--------------------------------------------------------------------------------

3. SECURITY TEAM IMPERSONATION

ATTACK SUMMARY
Cybercriminals impersonate an organization’s security administrator team with an email informing readers that they haven’t received some ‘vital’ emails because of a storage quota issue. The mail body includes a link for readers to verify their information and resume email delivery. A snapshot of the email is given below; we have used a fictional organization called Foxtrot to showcase it.

Fig: Email impersonating the security team with an email delivery failure message

GOOGLE SERVICE USED
The link in the email leads to a fake login page hosted on Firebase, Google’s mobile platform that lets users create apps, host files and images, and serve user-generated content. The parent URL of the page - https://firebasestorage.googleapis.com - won’t be blocked by security filters because of its inherent legitimacy. The login screen is simple, with the victim’s email address pre-entered into the first field. Cybercriminals commonly imitate the ‘quick fill’ behaviour of forms on legitimate websites to lull victims into a false sense of security.

Fig: Phishing page hosted on Firebase Storage

OTHER TECHNIQUES USED
* Impersonation: security administrator team.
* Social engineering: The email focuses on the failure to deliver ‘vital’ messages and includes a link to resume email delivery. The body spells out negative repercussions for inaction (failure to verify your email account will lead to suspension and lost data).
* Link redirections: The URL in the email goes through one redirection before landing on the Firebase-hosted page, obfuscating the attack flow for any security technology that attempts to follow the URL to its final destination.

--------------------------------------------------------------------------------

4. PAYSLIP SCAM

ATTACK SUMMARY
Cybercriminals impersonate an organization’s payroll team and send victims an email with payslip details. The email points readers to a link to check whether their personal information for the payslip is accurate. A time-bound request to check the link adds urgency and is likely to make victims click without thinking. This is a variant of the more classic payroll diversion fraud, where cybercriminals impersonate employees and try to divert payroll funds to their own accounts.

Fig: Payslip scam email with a Google Docs link

GOOGLE SERVICE USED
The link in the email leads to a page hosted on Google Docs. Since Google Docs is ever present in our daily lives, the average recipient wouldn’t be surprised to see a Google Docs link in an email from a colleague. It won’t be blocked by any email security filter either - not on Day 0, at any rate. Using a Google Doc in this email is meant to trick both the recipient’s eye test and traditional security layers.

Fig: The link in the email leads to a Google Doc that claims to contain payslip information

OTHER TECHNIQUES USED
* Impersonation: Payroll team.
* Targeted email: The email title and body include the recipient’s name to increase legitimacy.
* Social engineering: Finance-related email with a time-bound request to take action (check if your personal data is correct by 5pm).
* Link redirections: The email links to the Google Doc, which further redirects to the final phishing page (which has since been taken down). These redirections keep link detection technologies from identifying the URL as malicious.

--------------------------------------------------------------------------------

5. MICROSOFT TEAMS CREDENTIAL PHISHING

Fig: Summary of the Microsoft Teams credential phishing attack

ATTACK SUMMARY
This email claimed to come from the company’s IT team and asked readers to review a secure message their colleagues had shared over Microsoft Teams, a popular business collaboration solution. Clicking the link took targets to a page resembling Microsoft Teams, which further redirected to a credential phishing site resembling the Office 365 login portal. Visit this link if you’d like to learn more about this credential phishing attack.

GOOGLE SERVICE USED
The Office 365 login portal was hosted on Google Sites, a wiki and web page creation tool that lowers the skill bar needed to create websites. The malice of the page’s intent was hidden behind the legitimacy of the page’s domain. This page would pass most eye tests during busy mornings (which is when the email was sent out), with people happily assuming it to be a legitimate Microsoft page.

Fig: Phishing page for the Microsoft Teams attack was hosted on Google Sites

OTHER TECHNIQUES USED
* Impersonation: IT team + Microsoft Teams
* Social engineering: Request to view ‘secure’ messages sent over Microsoft Teams

--------------------------------------------------------------------------------

GUIDANCE AND RECOMMENDATIONS

1. FOLLOW 2FA AND PASSWORD MANAGEMENT BEST PRACTICES
Since all workplace accounts are so closely interlinked, losing access to your Google account can prove very dangerous, as cybercriminals can send emails in your name to your customers, partners, and loved ones. If you haven’t already, follow these hygiene best practices:
* Deploy two-factor authentication (2FA) on all possible business and personal accounts.
* Use a password manager to store your various account passwords.
* Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc.

2. SUBJECT SENSITIVE EMAILS TO RIGOROUS EYE TESTS
Whenever possible, engage with emails related to money and data in a rational manner. Subject the email to an eye test that includes inspecting the sender name, the sender email address, the language within the email, and any logical inconsistencies (e.g. why is this childless widow willing to send me millions of dollars?).

3. CREATE YOUR OWN LINES OF AUTHENTICATION
You should try to replicate 2FA, even if in a loose sense, for any email that makes unusual requests related to money or data. For example, did your HR rep just email you some payroll details with a Google Doc urgently requesting more information? Call or text the HR rep and confirm that they sent the email. Even if your colleagues are very busy, they will understand and appreciate your caution.

4. AUGMENT NATIVE EMAIL THREAT DETECTION WITH ADDITIONAL CONTROLS
To augment existing email security capabilities (e.g. Exchange Online Protection for Office 365 or the Advanced Protection Program for G Suite), organizations should invest in technologies that take a materially different approach to threat detection. Rather than searching through static lists and blocking known bad domains, these technologies should learn from custom organizational data and be able to stop socially engineered threats that contain zero-day payloads like Google Forms, Docs, or pages built on Google Sites.
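As an added defender-side illustration (not code from the Armorblox post or product), here is a small Python triage heuristic that scores an email on the signals the campaigns above share: a link hosted on a Google user-content service, a brand in the display name that the sending domain does not back up, a claimed trusted role, urgency language, and requests for credentials. The host list, brand domains and the two sample emails are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Google services that host user-generated content: a link to them passes domain
# reputation checks, which is why the campaigns above used them (list is an assumption).
USER_CONTENT_HOSTS = {"docs.google.com": "Google Docs/Forms", "sites.google.com": "Google Sites",
                      "firebasestorage.googleapis.com": "Firebase Storage"}
# Display-name impersonation is checked against the brand's real sending domain.
BRAND_DOMAINS = {"american express": "americanexpress.com", "microsoft": "microsoft.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"\b(urgent\w*|immediately|within \d+ hours|by \d{1,2} ?pm|"
                        r"suspen\w*|validat\w*|verif\w*)\b", re.I)
ROLE_RE = re.compile(r"\b(customer care|security (team|administrator)|payroll|it team)\b", re.I)
SENSITIVE_RE = re.compile(r"\b(password|login|credentials|card (number|details)|maiden name)\b", re.I)

def sender_parts(sender):
    """Split 'Display Name <user@domain>' into (lower-cased display name, domain)."""
    m = re.match(r"\s*(.*?)\s*<([^>]+)>\s*$", sender)
    display, address = (m.group(1), m.group(2)) if m else ("", sender.strip())
    return display.lower(), address.rsplit("@", 1)[-1].lower()

def triage(sender, subject, body):
    """Score one email and explain the score; a score of 4 or more is flagged."""
    score, reasons = 0, []
    display, domain = sender_parts(sender)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:  # trusted domain, but attacker-controlled content
            score += 2
            reasons.append(f"link hosted on {USER_CONTENT_HOSTS[host]}")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display and domain != legit and not domain.endswith("." + legit):
            score += 2
            reasons.append(f"display name claims {brand} but sender domain is {domain}")
    text = f"{sender}\n{subject}\n{body}"
    for pattern, label in ((URGENCY_RE, "urgency or threat language"),
                           (ROLE_RE, "claims a trusted role"),
                           (SENSITIVE_RE, "asks for credentials or personal data")):
        if pattern.search(text):
            score += 1
            reasons.append(label)
    return score, reasons

# Constructed samples: a lure modelled on the AmEx campaign, and a benign Docs share.
LURE = ("American Express Customer Care <care@card-validation.example>", "Validate your card",
        "You left out some information while validating your card. Complete it within 24 hours "
        "at https://docs.google.com/forms/d/e/EXAMPLE/viewform or your card will be suspended.")
BENIGN = ("Priya <priya@example.com>", "Notes from today's sync",
          "Draft notes: https://docs.google.com/document/d/EXAMPLE/edit - add comments by Friday.")
print(triage(*LURE), triage(*BENIGN), sep="\n")
```

A Google-hosted link on its own scores 2 and is not flagged, so an ordinary Docs share from a colleague passes; it is the combination with impersonation and urgency cues that crosses the threshold.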
© 2021 Armorblox. All Rights Reserved.