Behind the Script: Unmasking Phishing Attacks Using Google Apps Script
A sophisticated phishing campaign has been identified that leverages Google Apps Script to create a false sense of security. The attack begins with an email masquerading as an invoice, containing a link to a webpage hosted on Google's trusted environment. When clicked, the link redirects to a fake invoice page, followed by a fraudulent login window designed to capture credentials. The use of Google's domain (script.google.com) adds credibility to the scam, making it more likely for users to fall victim. Once credentials are entered, they are transmitted to the attacker, and the user is redirected to a legitimate Microsoft login page to avoid suspicion. This technique demonstrates how threat actors are exploiting trusted platforms to make their attacks more convincing and effective.
AI Analysis
Technical Summary
This pulse describes a credential-phishing campaign that hosts its lure on Google Apps Script so that the victim's first click lands on a legitimate Google domain. The chain starts with an email impersonating an invoice notification whose link points to an Apps Script web app on script.google.com (such deployments are served under script.google.com/macros/s/<deployment id>/exec, which is the most specific URL pattern available for filtering). The script renders a fake invoice page and then a login prompt styled after the Microsoft sign-in page. Submitted credentials are sent to attacker-controlled infrastructure identified by the IP address 167.250.5.66 and the domain solinec.com, after which the victim is redirected to the genuine Microsoft login page, so the failed "sign-in" looks like an ordinary session timeout rather than a theft. This is not domain spoofing: the Google domain is real and only the content hosted on it is malicious, which is why reputation-based URL filters and the usual user heuristic ("check the domain") both fail. The pulse maps the activity to MITRE ATT&CK phishing (T1566; the link-based lure is T1566.002, Spearphishing Link), input capture (T1056; a fake login form is T1056.003, Web Portal Capture), user execution (T1204; T1204.001, Malicious Link) and T1528 (Steal Application Access Token), although the described flow captures passwords rather than OAuth tokens, so T1528 is a loose fit. No software vulnerability is exploited; the campaign relies entirely on social engineering and on trust in well-known brands and cloud platforms.
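The three-step flow above (lure on script.google.com, credential POST to an attacker host, redirect to the real Microsoft login) leaves a recognisable sequence in web-proxy logs. The following is an added example for this page, not code from the pulse or from Cofense: it reconstructs that sequence per user within a time window and flags whether the credential sink matches the listed indicators. The log format (ISO timestamp, user, method, URL) and every sample line are constructed; only the two indicators come from the pulse, and the Apps Script path pattern is the platform's real web-app URL layout.

```python
"""Detect the Apps Script lure -> credential POST -> genuine Microsoft login
chain in web-proxy logs.

Added example for this page, not code from the pulse or from Cofense. The log
format (ISO timestamp, user, method, URL) and every log line below are
constructed for illustration; only the two indicators come from the pulse.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators of compromise listed in the pulse.
IOC_DOMAINS = {"solinec.com"}
IOC_IPS = {"167.250.5.66"}

# Apps Script web apps are served under this fixed path; deployment IDs vary.
APPS_SCRIPT_RE = re.compile(
    r"^https://script\.google\.com/macros/s/[A-Za-z0-9_-]+/exec")

# Hosts where posting credentials is legitimate. A POST anywhere else that
# follows an Apps Script visit is treated as a credential sink, so a form that
# posts back to the script's own doPost handler is caught as well.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com",
                     "accounts.google.com"}
WINDOW = timedelta(minutes=5)   # max time between lure click and redirect

LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "url": url, "host": (urlparse(url).hostname or "").lower()}


def detect_chain(lines):
    """Return one alert per user who clicked an Apps Script link, then POSTed
    to a non-login host, then landed on a real login page, all within WINDOW."""
    by_user = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, lure in enumerate(evs):
            if lure["method"] != "GET" or not APPS_SCRIPT_RE.match(lure["url"]):
                continue
            deadline = lure["ts"] + WINDOW
            sink = None
            for ev in evs[i + 1:]:
                if ev["ts"] > deadline:
                    break
                if sink is None:
                    if ev["method"] == "POST" and ev["host"] not in LEGIT_LOGIN_HOSTS:
                        sink = ev
                elif ev["method"] == "GET" and ev["host"] in LEGIT_LOGIN_HOSTS:
                    alerts.append({
                        "user": user,
                        "lure_url": lure["url"],
                        "credential_sink": sink["host"],
                        "ioc_match": sink["host"] in IOC_DOMAINS | IOC_IPS,
                        "redirect_host": ev["host"],
                        "seconds": (ev["ts"] - lure["ts"]).total_seconds(),
                    })
                    break
    return alerts


# Constructed sample: alice follows the full chain to a listed IoC; bob only
# opens a script and browses on; carol signs in normally; dave follows the
# chain to a host that is not (yet) on any blocklist.
SAMPLE_LOG = """
2025-06-05T09:14:02 alice GET https://script.google.com/macros/s/AKfycbxPLACEHOLDER1/exec
2025-06-05T09:14:40 alice POST https://solinec.com/
2025-06-05T09:14:41 alice GET https://login.microsoftonline.com/
2025-06-05T10:02:11 bob GET https://script.google.com/macros/s/AKfycbxPLACEHOLDER2/exec
2025-06-05T10:03:00 bob GET https://docs.google.com/
2025-06-05T11:30:00 carol POST https://login.microsoftonline.com/common/login
2025-06-05T11:30:01 carol GET https://outlook.office.com/mail/
2025-06-05T13:45:10 dave GET https://script.google.com/macros/s/AKfycbxPLACEHOLDER3/exec
2025-06-05T13:46:05 dave POST https://unknown-host.example/
2025-06-05T13:46:06 dave GET https://login.microsoftonline.com/
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG):
        print(alert)
```

The sequence check, rather than a plain IoC lookup, is what makes this useful after the attacker rotates infrastructure: dave's session is flagged even though the sink host is on no blocklist, and the `ioc_match` field tells the analyst which alerts can be confirmed against the pulse immediately.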
Potential Impact
For European organizations this campaign mainly threatens the confidentiality of Microsoft 365 credentials, which are what the fake login page collects; Google Workspace is relevant as the hosting platform being abused, not as the target. Stolen credentials give an attacker access to corporate mailboxes, cloud services and business applications, from which they can move laterally, exfiltrate data and mount business email compromise (BEC) against the victim's own contacts. Detection is harder than for a typical phishing site because the lure lives on script.google.com, a domain that many proxies and mail gateways allowlist or score as safe by default, so sectors with heavy cloud-suite adoption (finance, legal, government, large enterprises) are the most exposed. The final redirect to the real Microsoft login page means the victim usually sees nothing wrong and does not report the incident, which delays response and lets the same lure be reused. Beyond direct financial loss, a compromise of this kind disrupts operations and damages reputation, and email controls that rely on domain reputation alone are unlikely to stop it, so user awareness and behavioural detection are both required.
Mitigation Recommendations
1. Deploy email filtering that inspects link targets rather than only domain reputation: a script.google.com/macros/s/.../exec link inside an invoice-themed message from an external sender is the specific pattern this campaign uses.
2. Enforce multi-factor authentication on all accounts, Microsoft 365 first, and prefer phishing-resistant methods (FIDO2 security keys or passkeys); a plain password captured here can otherwise be replayed before the user notices anything.
3. Train users on lures that abuse trusted domains: a Google URL is not evidence that a page is safe, and a Microsoft sign-in prompt that appears on a non-Microsoft domain should always be reported.
4. Block and alert on outbound traffic to the listed indicators (167.250.5.66 and solinec.com) and keep the blocklist current from threat-intelligence feeds; treat any browser POST to these hosts as a probable credential submission and reset that user's password.
5. Use Microsoft 365 conditional access to require managed or compliant devices and to block sign-ins from unexpected locations, so that a stolen password alone is not sufficient to log in.
6. Audit OAuth app consents and Apps Script deployments in your own Google Workspace tenant. Note that this campaign's script runs in the attacker's Google account, so this audit catches insider or compromised-tenant abuse rather than this specific lure.
7. Route clicks on web-app hosting paths of trusted domains through browser isolation or sandboxing to limit exposure to malicious content served from those domains.
8. Run phishing simulations whose landing pages sit on trusted cloud platforms, so that users practise recognising the pattern rather than only look-alike domains.
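Mitigation 1 above asks the mail gateway to look at link targets, not just sender or domain reputation. The following is an added example for this page, not code from the pulse, from Cofense or from any mail-gateway product: it parses a raw message with Python's standard `email` module, pulls every URL out of its text and HTML parts, and escalates only when an Apps Script web-app link is paired with an invoice-style subject, since the link alone is common in legitimate workflows. The sample message, its addresses and the deployment ID in the link are constructed placeholders; the URL pattern is Apps Script's real web-app path.

```python
"""Triage an inbound message for the invoice-lure-plus-Apps-Script-link
pattern behind mitigation 1.

Added example for this page, not code from the pulse, Cofense, or any mail
gateway product. The sample message, its addresses and the deployment ID in
the link are constructed placeholders; the URL pattern is Apps Script's real
web-app path.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser

APPS_SCRIPT_RE = re.compile(
    r"^https://script\.google\.com/macros/s/[A-Za-z0-9_-]+/exec")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Subject words that signal the invoice/payment lure used by this campaign.
LURE_TERMS = ("invoice", "payment", "remittance", "overdue", "statement")


class _LinkCollector(HTMLParser):
    """Collect <a href> targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def extract_urls(msg):
    """Return every URL in the text/plain and text/html parts of a message."""
    urls = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(body)
            urls.update(collector.hrefs)
            urls.update(URL_RE.findall(" ".join(collector.text)))
        else:
            urls.update(URL_RE.findall(body))
    return urls


def triage(raw_message):
    """Classify a raw RFC 5322 message as clean, review, or quarantine."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = (msg.get("subject") or "").lower()
    urls = extract_urls(msg)
    apps_script_urls = sorted(u for u in urls if APPS_SCRIPT_RE.match(u))
    lure_terms = [t for t in LURE_TERMS if t in subject]
    # An Apps Script web-app link alone is common in legitimate workflows, so
    # it is only escalated to quarantine when paired with the invoice lure.
    if apps_script_urls and lure_terms:
        verdict = "quarantine"
    elif apps_script_urls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "apps_script_urls": apps_script_urls,
            "lure_terms": lure_terms, "url_count": len(urls)}


# Constructed sample message (addresses, subject and deployment ID are placeholders).
SAMPLE_EML = """\
From: billing@vendor.example
To: accounts-payable@corp.example
Subject: Invoice #4471 overdue - action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your invoice before the due date.</p>
<p><a href="https://script.google.com/macros/s/AKfycbxPLACEHOLDER/exec">View invoice</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

Matching on the `/macros/s/<id>/exec` path rather than on `script.google.com` as a whole keeps the rule narrow: links to Apps Script documentation or to the editor do not trip it, and the `review` verdict leaves room for a human check on Apps Script links that arrive without the invoice theme.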
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- ip: 167.250.5.66
- domain: solinec.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cofense.com/blog/behind-the-script-unmasking-phishing-attacks-using-google-apps-script
- Adversary: not specified
- Pulse ID: 6840aee5e9ff7e086ccd272c
- Threat Score: not specified
Threat ID: 6840eba9182aa0cae2c6e1db
Added to database: 6/5/2025, 12:58:17 AM
Last enriched: 7/7/2025, 3:11:49 AM
Last updated: 8/21/2025, 11:22:14 AM
Related Threats
- Cybercriminals Abuse AI Website Creation App For Phishing (severity: Medium)
- APT MuddyWater Targets CFOs with Multi-Stage Phishing & NetBird Abuse (severity: Medium)
- CryptoJacking is dead: long live CryptoJacking (severity: Medium)
- Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises with Social Media Footprints (severity: Medium)
- Salty 2FA: Undetected PhaaS Hitting US and EU Industries (severity: Medium)