Google Presentations Abused for Phishing, (Fri, Jan 30th)
Charlie, one of our readers, has forwarded an interesting phishing email. The email was sent to users of the Vivaldi Webmail service. While not overly convincing, the email is likely sufficient to trick a non-empty group of users:
AI Analysis
Technical Summary
This phishing threat involves attackers exploiting Google Presentations' 'publish' feature to create phishing pages that bypass Google's usual anti-phishing footers and warnings. Typically, when Google Docs or Slides are shared in 'edit' or 'preview' mode, a footer warning about phishing risks is displayed, allowing users to report suspicious content. However, when slides are 'published' and shared via the generated link, the footer is removed, enabling attackers to present phishing content more convincingly. In this campaign, phishing emails were sent to users of the Vivaldi Webmail service, containing links to such published Google Slides. The slides display a phishing lure, and clicking through leads victims to a classic login form hosted on a third-party platform (Weebly). The slides can be configured to auto-advance or delay slide changes, allowing attackers to control the user experience and reduce suspicion. The phishing email itself is not highly sophisticated but sufficient to deceive some users. No automated bots or Google anti-phishing mechanisms appear to detect or block this method effectively, as it exploits a legitimate Google feature rather than a vulnerability. There are no known exploits in the wild beyond this reported campaign, and no direct software vulnerabilities are involved. The attack relies on social engineering and abuse of trusted platforms to harvest credentials.
Potential Impact
For European organizations, this phishing technique can lead to credential compromise, unauthorized access to corporate or personal accounts, and potential downstream impacts such as data breaches or fraud. Organizations using Vivaldi Webmail or similar services may see targeted phishing attempts. The use of Google Slides, a widely trusted and commonly used platform, increases the likelihood of user trust and click-through rates. Credential theft can enable attackers to pivot into corporate networks, especially if users reuse passwords or have access to sensitive systems. The absence of Google’s phishing warnings reduces user suspicion, increasing the attack’s effectiveness. While the attack does not exploit software vulnerabilities, the social engineering risk is significant, particularly for less security-aware users. The impact is medium severity but can escalate if attackers leverage stolen credentials for further attacks. European entities with remote or hybrid workforces relying on webmail and cloud services are particularly vulnerable.
Mitigation Recommendations
1. Educate users specifically about phishing techniques abusing legitimate cloud services like Google Slides published presentations.
2. Implement advanced email filtering that detects suspicious links, especially those pointing to published Google Slides URLs combined with external login forms.
3. Deploy URL rewriting or inspection tools that can analyze Google Slides links and flag those that are published and lead to credential collection sites.
4. Encourage multi-factor authentication (MFA) on all accounts to reduce the impact of credential theft.
5. Monitor for unusual login patterns or access attempts following phishing campaigns.
6. Collaborate with Google to report abuse of published slides for phishing to enable faster takedown.
7. For organizations using Vivaldi Webmail, consider additional email security controls or alternative secure email providers.
8. Use browser security extensions or endpoint protection that can warn users when entering credentials on suspicious sites.
9. Regularly update phishing simulation and training programs to include emerging tactics like abuse of published Google Slides.
10. Establish incident response plans that include rapid credential resets and user notifications upon detection of phishing.
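A sketch of the link inspection in recommendations 2 and 3, added here as an example and not taken from the original diary or analysis. It assumes that "Publish to web" Slides links use the path `/presentation/d/e/<id>/pub` (or `/embed`) with `start` and `delayms` query parameters, a URL shape the page itself does not state; the function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Assumption: published ("Publish to web") Slides links look like
# /presentation/d/e/<id>/pub or /embed; edit/preview links do not.
PUBLISHED_PATH = re.compile(r"^/presentation/d/e/[^/]+/(pub|embed)$")


def classify_slides_link(url):
    """Return None for non-Slides URLs, else a dict describing the link."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "docs.google.com":
        return None  # exact host match, so lookalike hosts are not trusted
    if not parts.path.startswith("/presentation/"):
        return None
    query = parse_qs(parts.query)
    delay = query.get("delayms", [""])[0]
    return {
        "url": url,
        "published": bool(PUBLISHED_PATH.match(parts.path)),
        "autostart": query.get("start", ["false"])[0].lower() == "true",
        "delay_ms": int(delay) if delay.isdecimal() else None,
    }


def flag_published_slides(body):
    """Return every published-mode Slides link found in a message body."""
    findings = []
    for raw in URL_RE.findall(body):
        info = classify_slides_link(raw.rstrip(".,;"))
        if info and info["published"]:
            findings.append(info)
    return findings


# Constructed sample message body; all identifiers are placeholders.
SAMPLE_BODY = (
    "Please review the notice here:\n"
    "https://docs.google.com/presentation/d/e/2PACX-EXAMPLE-ONLY/pub?start=true&loop=false&delayms=3000\n"
    "Shared draft: https://docs.google.com/presentation/d/EXAMPLEDOCID/edit?usp=sharing\n"
    "Lookalike host: https://docs.google.com.example.net/presentation/d/e/x/pub\n"
)

if __name__ == "__main__":
    for finding in flag_published_slides(SAMPLE_BODY):
        print(finding)
```

A published link is not malicious on its own; a filter would treat it as one signal to combine with others, such as where the presentation's links lead.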
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Article Source
- {"url":"https://isc.sans.edu/diary/rss/32668","fetched":true,"fetchedAt":"2026-01-30T17:57:09.730Z","wordCount":441}
Threat ID: 697cf0f5ac063202226b8f0e
Added to database: 1/30/2026, 5:57:09 PM
Last enriched: 1/30/2026, 5:57:26 PM
Last updated: 2/3/2026, 8:05:09 AM