Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

Description

A sophisticated phishing campaign has been identified that leverages Google Apps Script to create a false sense of security. The attack begins with an email masquerading as an invoice, containing a link to a webpage hosted on Google's trusted environment. When clicked, the link redirects to a fake invoice page, followed by a fraudulent login window designed to capture credentials. The use of Google's domain (script.google.com) adds credibility to the scam, making it more likely for users to fall victim. Once credentials are entered, they are transmitted to the attacker, and the user is redirected to a legitimate Microsoft login page to avoid suspicion. This technique demonstrates how threat actors are exploiting trusted platforms to make their attacks more convincing and effective.