Google Cloud Service Used in Phishing of Office 365 Logins

Using public cloud services as landing pages, cybercriminals are attempting to phish the Office 365 credentials of unsuspecting users.

Hosting a malicious PDF and using Google’s storage.googleapis.com has become the latest trend in phishing tactics. First identified by Check Point, the PDF was made to look like a gateway to content available through SharePoint.

Should a victim follow the link, a phishing page loads and asks the user to log in with their Office 365 credentials or organization ID. An Outlook window then launches to complete the login process, delivering the requested document to the victim while handing threat actors a plethora of usable information with which they may gain access to the user’s account.

Because the pages sit on legitimate hosting services and the victim ends up with a genuine PDF, users are led to believe the phishing attempt is a legitimate endeavor.

The phishing page’s source code reveals a third-party location from which the documents are loaded. Detection is possible because the redirected landing page shows some suspicious activity.
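One way to turn that observation into a triage check, as an added example that is not from Check Point or the original post: parse a captured landing page and flag cross-host resource loads and form targets on a page that also asks for a password. The bucket and project names in the sample are constructed placeholders, and the heuristic is an assumption about what "suspicious" means here, so it will also fire on legitimate pages that use CDNs.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Shared hosting domains named in the article. Tenant content on them is
# user-controlled, so the domain's reputation says nothing about a page.
SHARED_HOSTS = ("storage.googleapis.com", "cloudfunctions.net")
# Constructed sample (placeholder bucket and project names, not real IoCs).
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example-project.cloudfunctions.net/css/a.css">
</head><body>
<form action="https://example-project.cloudfunctions.net/submit">
<input type="email" name="user"><input type="password" name="pass">
</form></body></html>"""

class ResourceCollector(HTMLParser):
    """Collect URLs a page loads or submits to, and note password fields."""
    URL_ATTRS = {"link": "href", "script": "src", "img": "src",
                 "iframe": "src", "form": "action"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True
        attr = self.URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            # Resolve relative references against the page's own URL.
            self.urls.append((tag, urljoin(self.page_url, attrs[attr])))

def triage(page_url, html):
    """Return findings; an empty list means nothing matched the heuristic."""
    page_host = urlparse(page_url).hostname or ""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = []
    if any(page_host == h or page_host.endswith("." + h) for h in SHARED_HOSTS):
        findings.append("page served from shared cloud hosting")
    for tag, url in collector.urls:
        host = urlparse(url).hostname or ""
        if host and host != page_host:
            findings.append(f"{tag} references third-party host {host}")
    if collector.has_password_field and findings:
        findings.append("password field on a page with the traits above")
    return findings
```

Calling `triage(SAMPLE_URL, SAMPLE_HTML)` returns the findings as a list of strings that can be attached to an alert or ticket.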

This type of activity dates back to 2018, when the phishing pages were hosted on a malicious website; they later moved to Azure storage and, finally, Google Cloud.

Indicators of Compromise

storage.googleapis.com/asharepoint-unwearied-439052791/index.html

drive.google.com/file/d/1L1N1kNgm-oU2xqQKLXfrMLaOxk6VyDur/view

us-east-1-firm-processor-264717.cloudfunctions.net/c4/6d6578736d74702e636ff6d/-/email-list/box/css/css_7jDhC7m4-oxtUbtZMHwD8LA2Gp2KNpv0zvod9283FA.css

31.28.168.4

us-east-1-firm-processor-264717.cloudfunctions.net/c4/6d6578736d74702e636ff6d/-/email-list/box/css/css_whE_FIKmCdJJmQukMY5DBbnkss9qZjXENYcyIcR-90c.css

Duncan Newell

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
