Check Point Blog

New Phishing Campaign Exploiting Google App Scripts: What Organizations Need to Know

Check Point Harmony Email researchers have recently identified a concerning phishing campaign that spoofs Google Apps Script macros – a tool used to automate tasks in Google applications.

Google Apps Script macros are popular because they automate workflows and integrate with assorted Google services, which makes them prime targets for cyber criminals.

Campaign overview:

The campaign involves approximately 360 emails written in multiple languages, including English, Russian, Chinese, Arabic, Italian, German, and French. The emails falsely claim to provide “account details” for a user registration that the recipient never initiated.

The campaign remains ongoing.

Should employees fall victim to this email-based scam, risks to organizations include the exposure of sensitive data, the fraudulent transfer of funds, and operational disruption, among other things.

How it works:

The phishing emails feature a link in the subject line that leads to a Google Apps Script page. On the page, users will find a deceptive URL that includes scrip.google.com.

The URL claims to be a “secure and trusted” payment service. Because the URL appears legitimate at first glance, it may deceive users into disclosing sensitive information.

Email examples:

Initial phishing email. Image courtesy of Harmony Email researchers

Example of link to ‘activate account’. Image courtesy of Harmony Email researchers

Detection indicators:

To spot these types of threats, look for emails with subject lines that claim to provide “account details” for an unrecognized registration. URLs that include “scrip.google.com,” but that direct users to pages requesting the input of sensitive data are also red flags.
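The indicators above, expressed as a mail-triage check. This is an added example, not Check Point's detection logic. The indicator names, the sample messages and the second URL marker (the genuine Apps Script host) are assumptions, and the subject phrase covers English only although the campaign uses several languages.

```python
import re
from email import message_from_string, policy

# Indicator strings. The first is quoted from the article as written; the
# second is the genuine Apps Script host, added here as an assumption.
URL_MARKERS = ("scrip.google.com", "script.google.com")
# English phrase from the article; other languages are not covered here.
SUBJECT_PHRASES = ("account details",)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def marked_urls(text):
    """Return URLs in text that include one of the indicator strings."""
    return [u for u in URL_RE.findall(text)
            if any(m in u.lower() for m in URL_MARKERS)]

def indicators(raw_message):
    """Return the names of the indicators that fire for one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body = "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")
    hits = []
    if any(p in subject.lower() for p in SUBJECT_PHRASES):
        hits.append("subject_account_details")
    if URL_RE.search(subject):  # a link in the subject line is itself unusual
        hits.append("url_in_subject")
    if marked_urls(subject):
        hits.append("marked_url_in_subject")
    if marked_urls(body):
        hits.append("marked_url_in_body")
    return hits

# Constructed sample messages (not taken from the campaign).
SUSPECT = (
    "From: noreply@example.test\n"
    "Subject: Your account details https://script.google.com/macros/s/EXAMPLE/exec\n"
    "\n"
    "Registration complete. Activate your account.\n"
)
BENIGN = (
    "Subject: Team lunch on Friday\n"
    "\n"
    "Menu: https://example.test/menu\n"
)

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, indicators(raw))
```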

Mitigation strategies:

Further information:

Upon observing this attack, our cyber security researchers responded quickly, rendering Check Point customers protected from this attack.

Check Point customers remain protected from such attacks.

For more information about preventing advanced, evasive, and sophisticated cyber threats, click here or talk to a team of experts.
