Submitted URL: https://www.armorblox.com/blog/watch-out-for-google-workspace-spear-phishing-attacks?utm_medium=email&utm_source=newslette...
Effective URL: https://www.armorblox.com/blog/watch-out-for-google-workspace-spear-phishing-attacks/?utm_medium=email&utm_source=newslett...
Submission: On January 28 via manual from US — Scanned from DE

WATCH OUT FOR THESE GOOGLE WORKSPACE SPEAR PHISHING ATTACKS

Written by Lauryn Cash
News and Commentary / 12.22.21

Google Workspace is a popular business collaboration tool consisting of
software, cloud computing, collaboration, and productivity tools. Last year,
Google’s G Suite passed 6 million users, second only to Microsoft’s Office 365
platform.

However, G Suite is also known to have several security gaps. Relying on Google
email security features might leave your business vulnerable to Google spear
phishing and Business Email Compromise (BEC) attacks. 

Being aware of the myriad ways your company might be at risk could help you
avoid being targeted by cybercriminals. Today we’ll look at examples of three
types of attacks that victimize Google users by:

 * Impersonating well-known brands
 * Spoofing workflows
 * Exploiting free software


1. ATTACKS THAT IMPERSONATE WELL-KNOWN BRANDS

Credential phishing is when hackers attempt to steal user credentials by posing
as a known or trusted entity in an instant message, email message, or other
written communication channel. 

Credentials generally consist of a username or user ID, PIN, password, or a
combination of all three. Hackers use stolen credentials to pilfer personal
information or sell it to third parties on the dark web for additional attacks.

Here are two examples of attacks that impersonated well-known brands.


MICROSOFT DEFENDER VISHING 

This vishing (voice phishing) attack impersonated Microsoft to steal victims’
credit card details. The attacker’s email address sent fake order receipts for
a Microsoft Defender subscription, and the receipts included phone numbers to
call for processing order returns.

Calling the listed number led to a vishing flow where the victim was instructed
to install AnyDesk for an attempted Remote Desktop Protocol (RDP) attack.

 * Email security bypassed: Google Workspace email security
 * Techniques used: Social engineering, brand impersonation, replicating
   existing workflows, vishing (no URLs in email), using a Gmail account
   address, omnichannel attack flow


ZIX CREDENTIAL PHISHING 

The Zix credential phishing attack spoofed an encrypted message notification
from Zix that tempted victims to download a malicious file onto their system.
Zix is a security technology company that provides email data loss prevention
services. Therefore, customers were more likely to trust that downloading a file
from Zix was safe.

The Zix attack was observed on multiple customer environments across Google
Workspace, Office 365, and Exchange. Although the potential account exposure of
this attack campaign was close to 75,000 mailboxes, hackers chose a select group
of employees across various departments.

Targeting a mix of employees and senior leadership members who were unlikely to
communicate with each other made this strategy especially effective.

 * Email Provider: Office 365, Google Workspace, Exchange
 * Techniques used: Social engineering, brand impersonation, replicating
   existing workflows, drive-by download, exploiting legitimate domain


2. ATTACKS THAT SPOOF WORKFLOWS

Attacks that spoof workflows duplicate existing workflows, fooling targets into
believing they’ve received legitimate communications.

These attacks are successful because they encourage victims to employ their
brain’s automatic, intuitive approach to dealing with new situations. But,
unfortunately, when you “click before you think,” you open yourself up to being
fooled by phony workflows that look legitimate.

Here are two examples of attacks that spoofed workflows.


LINKEDIN LOCKED ACCOUNT NOTIFICATION

This LinkedIn credential phishing attack was sent from a compromised university
email account that hosted its phishing page on Google Forms. The email claimed
that the victims’ LinkedIn account had been locked due to unusual activity, then
invited them to verify their accounts to restore access.

Clicking any of the email’s links leads victims to a phishing page that asks for
their LinkedIn username and password. This page, hosted on Google Forms, used
LinkedIn branding to add legitimacy. As Google Forms has a high degree of trust,
the page bypassed email security technologies that filter for known suspicious
links.

 * Email Provider: Google Workspace
 * Techniques used: Social engineering, brand impersonation, replicating
   existing workflows, email account takeover, using free online services, using
   security themes


TAX SCAM USING TYPEFORM

This tax scam used Typeform, popular software specializing in online surveys and
form building, within its attack flow. 

The attack attempted to harvest victims’ email account credentials by forcing
numerous logins, which were repeatedly invalidated. This brute force method was
a tricky way to gather as many account IDs and passwords from unsuspecting
victims as possible.

 * Email security bypassed: Google Workspace email security
 * Techniques used: Social engineering, replicating existing workflows,
   exploiting free online software to create phishing pages, using security
   themes


3. ATTACKS THAT EXPLOIT BUSINESS WORKFLOWS

These attacks are successful because they use legitimate domains to create
phishing emails and pages that target a business workflow. They use the lure of
free goods to create phishing emails and pages, tricking both end-users and
security software into believing the communication is legitimate. 

Here are two examples of attacks that exploit free software.


HOSTING PHISHING PAGES USING GLITCH AND GODADDY

This PayPal credential phishing attack exploited legitimate services from both
Glitch and GoDaddy in its phishing flow. The phishing email claimed that the
victims’ PayPal account profile was incomplete or outdated and included a link
to restore account access. You can probably see where this is going by now …

The parent domain of the phishing page was created using Glitch. Glitch is a
low-code software that enables you to develop a web project and “launch it on a
secure URL in under a minute,” according to their website. 

Unfortunately, attackers often exploit services like these. They are meant to
make work easier, but they unintentionally lower the bar for cybercriminals to
launch large-scale phishing attacks.

 * Email Provider: Google Workspace
 * Techniques used: Social engineering, brand impersonation, replicating
   existing workflows, using free online services


USING FREE GOOGLE SERVICES 

G Suite has helped millions of people simplify and share their work. But,
unfortunately, cybercriminals exploit Google’s open platform to defraud
individuals and organizations of money and sensitive information.

Armorblox has seen a sharp increase in attackers using free Google services to
get emails past binary security filters based on keywords or URLs. If
successful, these email attacks using Google services could have potentially
impacted tens of thousands of mailboxes within Armorblox’s customer environments
alone.

American Express credential phishing, security team impersonations, and payslip
scams are just a few examples of phishing campaigns that used Google technology
to take advantage of unsuspecting victims.

 * Google services used: Forms, Firebase, Docs, Sites
 * Techniques used: Social engineering, brand impersonation
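
A triage check for the pattern running through these cases, where a message names a well-known brand but links to a page on a free hosting service. This is an added example, not Armorblox code. The hostname suffixes, the brand-to-domain map and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed hostname suffixes for the free services the article names.
FREE_HOSTS = {"docs.google.com": "Google Docs/Forms", "forms.gle": "Google Forms",
              "sites.google.com": "Google Sites", "web.app": "Firebase",
              "firebaseapp.com": "Firebase", "typeform.com": "Typeform",
              "glitch.me": "Glitch"}
# Brands from the article mapped to an assumed legitimate sending domain.
BRANDS = {"linkedin": "linkedin.com", "paypal": "paypal.com",
          "american express": "americanexpress.com", "microsoft": "microsoft.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, suffix):
    """True if host is the suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)

def triage(raw):
    """Return (brand, service, host) for each brand-themed link on a free host."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = " ".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    text = " ".join([display, msg.get("Subject", ""), body]).lower()
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        service = next((n for s, n in FREE_HOSTS.items() if under(host, s)), None)
        if service is None:
            continue  # link is not on one of the free hosting services
        for brand, domain in BRANDS.items():
            # Brand named in the mail, but the sender is not that brand's domain.
            if brand in text and not under(sender_domain, domain):
                findings.append((brand, service, host))
    return findings

# Constructed sample messages (not taken from the article).
PHISH = ('From: "LinkedIn Security" <j.doe@university.example>\n'
         "Subject: Your LinkedIn account has been locked\n\n"
         "Verify here: https://docs.google.com/forms/d/e/EXAMPLE/viewform\n")
BENIGN = ("From: Team Lead <lead@corp.example>\n"
          "Subject: Lunch survey\n\n"
          "Vote: https://docs.google.com/forms/d/e/EXAMPLE2/viewform\n")
```

A hit is a signal for analyst review rather than a verdict, since legitimate senders also share forms and mention brands.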


LEVELING UP G SUITE EMAIL SECURITY WITH ARMORBLOX

As these examples indicate, Google Workspace's native security features weren’t
enough to protect against advanced types of credential phishing and spear
phishing attacks. 

To augment existing email security capabilities, your business should invest in
technologies that take a materially different approach to threat detection.
Adding an extra layer of protection like Armorblox helps defend your business
and your human layer from sensitive data exposure and fraud.

Want to learn more about spear phishing, Business Email Compromise (BEC), and
0-Day credential phishing attacks? Follow us on our social media channels, or
subscribe to our email updates to stay informed on our advanced threat research.
