Google Apps Script Hijacked: Hackers Deploy Fake Invoices to Steal Your Microsoft 365 Login

In a cunning new phishing campaign, cybercriminals are exploiting Google Apps Script to host deceptive fake invoices, ultimately aiming to pilfer valuable Microsoft 365 login credentials. Cybersecurity researchers at Cofense have recently flagged this emerging threat, highlighting how attackers are leveraging legitimate Google infrastructure to appear more convincing.

The attack unfolds in a multi-stage process designed to trick unsuspecting users. Here’s how these hackers are turning a trusted Google service into a weapon:

1. The Lure: A Familiar Fake Invoice Email
   It starts with a classic phishing email, masquerading as a notification for an invoice. The email contains a link, but here’s the clever twist: hovering over or clicking this link reveals it points to script.google.com. This use of a genuine Google domain can easily create a false sense of security, making victims believe the invoice is hosted by Google or an affiliated, trustworthy service.

2. The Bait: The “Pending Download” Page
   Clicking the link doesn’t immediately take you to a login form. Instead, users are redirected to a small landing page hosted on Google Apps Script. This page typically states something innocuous like, “you have one pending download available,” accompanied by a “preview” button.

3. The Trap: The Phony Microsoft 365 Login
   This “preview” button is the gateway to the actual malicious page. Attackers have meticulously crafted a fake Microsoft 365 login page, mimicking the official portal down to the smallest details. Victims who fail to spot the deception and attempt to log in will unknowingly send their username and password directly to the threat actors.

4. The Cover-Up: Seamless Redirection
   To further conceal their tracks and prevent immediate suspicion, once the credentials are submitted, the malicious page cleverly redirects the user back to the actual Microsoft 365 website. The victim might simply assume a momentary glitch, unaware their data has been compromised.

Why Google Apps Script?

Google Apps Script is a powerful cloud-based scripting platform. It allows users to automate tasks and extend the functionality of Google Workspace applications like Gmail, Docs, Sheets, and Drive using JavaScript. For instance, a business might use it to automatically send personalized email updates from a Google Sheet. It’s this legitimate, widespread utility that makes it an attractive target for abuse by cybercriminals looking to piggyback on trusted domains.

“Phishing emails like these are a good example of how attackers take advantage of legitimate domains to make their scams look more convincing,” warned Cofense researchers. They emphasize the critical need for ongoing vigilance and employee education regarding the ever-evolving risks of phishing attacks.

Protecting Your Microsoft 365 Credentials

This latest campaign underscores a vital cybersecurity principle: always scrutinize URLs, even if they appear to originate from a known service.

• Verify the full URL: Before entering credentials, ensure the entire domain name is correct and not just a subdomain of a legitimate service being abused.

• Beware of unexpected redirects: If you’re unexpectedly asked to log in after clicking a link in an email, be highly suspicious.

• Enable Multi-Factor Authentication (MFA): MFA adds an essential layer of security to your Microsoft 365 account, making it much harder for attackers to gain access even if they steal your password.

• Educate and Train: Businesses should continuously educate employees on identifying phishing attempts and safe online practices.

As hackers refine their techniques, staying informed and cautious is your best defense against falling victim to these sophisticated scams targeting your sensitive Microsoft 365 data.