www.armorblox.com
2a03:b0c0:3:d0::d23:4001
Public Scan
Submitted URL: https://www.armorblox.com/blog/watch-out-for-google-workspace-spear-phishing-attacks?utm_medium=email&utm_source=newslette...
Effective URL: https://www.armorblox.com/blog/watch-out-for-google-workspace-spear-phishing-attacks/?utm_medium=email&utm_source=newslett...
Submission: On January 28 via manual from US — Scanned from DE
Form analysis
1 forms found in the DOM<form id="mktoForm_1082" style="opacity:0" __bizdiag="196351835" __biza="W___"></form>
Text Content
WATCH OUT FOR THESE GOOGLE WORKSPACE SPEAR PHISHING ATTACKS

Written by Lauryn Cash
News and Commentary / 12.22.21

Google Workspace is a popular business collaboration tool consisting of software, cloud computing, collaboration, and productivity tools. Last year, Google’s G Suite passed 6 million users, second only to Microsoft’s Office 365 platform. However, G Suite is also known to have several security gaps.

Relying on Google email security features might leave your business vulnerable to Google spear phishing and Business Email Compromise (BEC) attacks. Being aware of the myriad ways your company might be at risk could help you avoid being targeted by cybercriminals.

Today we’ll look at examples of three types of attacks that victimize Google users by:

* Impersonating well-known brands
* Spoofing workflows
* Exploiting free software

1. ATTACKS THAT IMPERSONATE WELL-KNOWN BRANDS

Credential phishing is when hackers attempt to steal user credentials by posing as a known or trusted entity in an instant message, email message, or other written communication channel. Credentials generally consist of a username or user ID, PIN, password, or a combination of all three. Hackers use stolen credentials to pilfer personal information or sell it to third parties on the dark web for additional attacks.

Here are two examples of attacks that impersonated well-known brands.

MICROSOFT DEFENDER VISHING

This vishing (voice phishing) attack impersonated Microsoft to steal victims’ credit card details.
Additionally, an email address sent fake order receipts for a Microsoft Defender subscription and included phone numbers to call for processing order returns. Calling the listed number led to a vishing flow where the victim was instructed to install AnyDesk for an attempted Remote Desktop Protocol (RDP) attack.

* Email security bypassed: Google Workspace email security
* Techniques used: Social engineering, brand impersonation, replicating existing workflows, vishing (no URLs in email), using a Gmail account address, omnichannel attack flow

ZIX CREDENTIAL PHISHING

The Zix credential phishing attack spoofed an encrypted message notification from Zix that tempted victims to download a malicious file onto their system. Zix is a security technology company that provides email data loss prevention services. Therefore, customers were more likely to trust that downloading a file from Zix was safe.

The Zix attack was observed on multiple customer environments across Google Workspace, Office 365, and Exchange. Although the potential account exposure of this attack campaign was close to 75,000 mailboxes, hackers chose a select group of employees across various departments. Targeting a mix of employees and senior leadership members who were unlikely to communicate with each other made this strategy especially effective.

* Email Provider: Office 365, Google Workspace, Exchange
* Techniques used: Social engineering, brand impersonation, replicating existing workflows, drive-by download, exploiting legitimate domain

2. ATTACKS THAT SPOOF WORKFLOWS

Attacks that spoof workflows duplicate existing workflows, fooling targets into believing they’ve received legitimate communications. These attacks are successful because they encourage victims to employ their brain’s automatic, intuitive approach to dealing with new situations. But, unfortunately, when you “click before you think,” you open yourself up to being fooled by phony workflows that look legitimate.
Here are two examples of attacks that spoofed workflows.

LINKEDIN LOCKED ACCOUNT NOTIFICATION

This LinkedIn credential phishing attack was sent from a compromised university email account that hosted its phishing page on Google Forms. The email claimed that the victims’ LinkedIn account had been locked due to unusual activity, then invited them to verify their accounts to restore access.

Clicking any of the email’s links leads victims to a phishing page that asks for their LinkedIn username and password. This page, hosted on Google Forms, used LinkedIn branding to add legitimacy. As Google Forms has a high degree of trust, the page bypassed email security technologies that filter for known suspicious links.

* Email Provider: Google Workspace
* Techniques used: Social engineering, brand impersonation, replicating existing workflows, email account takeover, using free online services, using security themes

TAX SCAM USING TYPEFORM

This tax scam used Typeform, popular software specializing in online surveys and form building, within its attack flow. The attack attempted to harvest victims’ email account credentials by forcing numerous logins, which were repeatedly invalidated. This brute force method was a tricky way to gather as many account IDs and passwords from unsuspecting victims as possible.

* Email security bypassed: Google Workspace email security
* Techniques used: Social engineering, replicating existing workflows, exploiting free online software to create phishing pages, using security themes

3. ATTACKS THAT EXPLOIT BUSINESS WORKFLOWS

These attacks are successful because they use legitimate domains to create phishing emails and pages that target a business workflow. They use the lure of free goods to create phishing emails and pages, tricking both end-users and security software into believing the communication is legitimate.

Here are two examples of attacks that exploit free software.
HOSTING PHISHING PAGES USING GLITCH AND GODADDY

This PayPal credential phishing attack exploited legitimate services from both Glitch and GoDaddy in its phishing flow. The phishing email claimed that the victims’ PayPal account profile was incomplete or outdated and included a link to restore account access. You can probably see where this is going by now …

The parent domain of the phishing page was created using Glitch. Glitch is a low-code software that enables you to develop a web project and “launch it on a secure URL in under a minute,” according to their website. Unfortunately, attackers often exploit services like these meant to make work easier but unintentionally lower the bar for cybercriminals to launch large-scale phishing attacks.

* Email Provider: Google Workspace
* Techniques used: Social engineering, brand impersonation, replicating existing workflows, using free online services

USING FREE GOOGLE SERVICES

G Suite has helped millions of people simplify and share their work. But, unfortunately, cybercriminals exploit Google’s open platform to defraud individuals and organizations of money and sensitive information.

Armorblox has seen a sharp increase in attackers using free Google services to get emails past binary security filters based on keywords or URLs. If successful, these email attacks using Google services could have potentially impacted tens of thousands of mailboxes within Armorblox’s customer environments alone.

American Express credential phishing, security team impersonations, and payslip scams are just a few examples of phishing campaigns that used Google technology to take advantage of unsuspecting victims.

* Google services used: Forms, Firebase, Docs, Sites
* Techniques used: Social engineering, brand impersonation

LEVELING UP G SUITE EMAIL SECURITY WITH ARMORBLOX

As these examples indicate, Google Workspace's native security features weren’t enough to protect against advanced types of credential phishing and spear phishing attacks.
To augment existing email security capabilities, your business should invest in technologies that take a materially different approach to threat detection. Adding an extra layer of protection like Armorblox helps defend your business and your human layer from sensitive data exposure and fraud.

Want to learn more about spear phishing, Business Email Compromise (BEC), and 0-Day credential phishing attacks? Follow us on our social media channels, or subscribe to our email updates to stay informed on our advanced threat research.

Armorblox secures enterprise communications over email and other cloud office applications with the power of Natural Language Understanding. The Armorblox platform connects over APIs and analyzes thousands of signals to understand the context of communications and protect people and data from compromise. Over 56,000 organizations use Armorblox to stop BEC and targeted phishing attacks, protect sensitive PII and PCI, and automate remediation of user-reported email threats. Armorblox was featured in the 2019 Forbes AI 50 list and was named a 2020 Gartner Cool Vendor in Cloud Office Security. Founded in 2017, Armorblox is headquartered in Sunnyvale, CA and backed by General Catalyst and Next47.