Use of Google Apps Script in phishing | Kaspersky official blog

To steal corporate e-mail credentials from company employees, attackers must first get past the antiphishing solutions on the company’s e-mail servers. As a rule, they use legitimate Web services so as to evade notice, and increasingly, that means Google Apps Script, a JavaScript-based scripting platform.

What is Apps Script, and how do attackers use it?

Apps Script is a JavaScript-based platform for automating tasks within Google’s products (e.g., creating add-ons for Google Docs) as well as in third-party applications. Essentially, it’s a service for creating scripts and running them in Google’s infrastructure.

In e-mail phishing, attackers use the service for redirects. Instead of inserting the URL of a malicious website directly into a message, cybercriminals can plant a link to a script. That way, they can bypass mail-server-level antiphishing solutions: a hyperlink to a legitimate Google site with a good reputation sails through most of the filters. As an ancillary benefit to cybercriminals, undetected phishing sites can stay up longer. The scheme also gives attackers the flexibility to change the script if necessary (in case security solutions catch on), and to experiment with content delivery (e.g., sending victims to different versions of the site depending on their region).
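The defensive consequence of this is that a link's host reputation alone is not a safe signal: a good-reputation host can be a redirector. The following is an added example, not code from Kaspersky or from Google, of mail-gateway logic that pulls the hyperlinks out of an HTML body, labels those whose host is script.google.com (the host Apps Script web apps are served from; treating a `/macros/` path as the web-app form is an assumption based on common Apps Script URLs), and additionally reports links whose visible text is a URL on a different host than the real target. The sample message is constructed to mimic the "full mailbox" pretext discussed below; the script ID in it is a placeholder.

```python
"""Flag e-mail hyperlinks that route through Google Apps Script web apps.

Added example (not Kaspersky's or Google's code). A hit is a reason to
follow the link in a detonation sandbox before trusting the host's
reputation; a display-text/target mismatch is a stronger signal.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve Apps Script web apps (assumption: only this host is checked).
APPS_SCRIPT_HOSTS = {"script.google.com"}

# Constructed sample message: "full mailbox" pretext, two Apps Script links,
# one legitimate help link. CONSTRUCTED_ID is a placeholder, not a real script.
SAMPLE_HTML = """
<p>Your mailbox is 98% full. Messages will bounce until you free space.</p>
<p><a href="https://script.google.com/macros/s/CONSTRUCTED_ID/exec">
Increase storage quota</a></p>
<p><a href="https://mail.example.com/help">Help center</a></p>
<p><a href="https://script.google.com/macros/s/CONSTRUCTED_ID/exec">
https://mail.example.com/quota</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace so line breaks inside <a> do not matter.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def is_apps_script_link(url):
    """True when the link points at an Apps Script web app endpoint."""
    p = urlparse(url)
    return (p.scheme in ("http", "https")
            and (p.hostname or "").lower() in APPS_SCRIPT_HOSTS
            and p.path.startswith("/macros/"))


def display_mismatch(href, text):
    """True when the visible text is itself a URL on a different host than href."""
    t = text.strip()
    if not t.startswith(("http://", "https://")):
        return False
    return (urlparse(t).hostname or "").lower() != (urlparse(href).hostname or "").lower()


def scan_html(html):
    """Return one finding per Apps Script link in the message body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if is_apps_script_link(href):
            findings.append({
                "href": href,
                "text": text,
                "reason": "apps_script_redirector",
                "display_mismatch": display_mismatch(href, text),
            })
    return findings


def verdict(findings):
    """Gateway disposition: quarantine on a spoofed display URL, sandbox otherwise."""
    if any(f["display_mismatch"] for f in findings):
        return "quarantine"
    return "detonate" if findings else "pass"


if __name__ == "__main__":
    hits = scan_html(SAMPLE_HTML)
    for h in hits:
        print(h)
    print("verdict:", verdict(hits))
```

The host check deliberately does not try to decide whether a given script is benign; that cannot be read off the URL, which is the whole point of the technique. It only routes such links to a sandbox that follows the redirect and scores the final landing page, and it escalates when the attacker has also spoofed the link text.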

Example of a scam using Google Apps Script

All the attackers have to do is get the user to click a link. Recently, the most common pretext was a “full mailbox.” In theory, that seems plausible.

A typical phishing e-mail using a full-mailbox scam

In practice, attackers are usually careless and leave signs of fraud that should be obvious even to users who are unfamiliar with real notifications:

How to avoid taking the bait

Experience shows that phishing e-mails do not necessarily have to contain phishing links. Therefore, reliable corporate protection must include antiphishing capabilities both at the mail server level and on users’ computers.

Additionally, responsible protection needs to include ongoing employee awareness training covering current cyberthreats and phishing scams.