Watch Out For These Google Workspace Spear Phishing Attacks

Written by Lauryn Cash

Google Workspace is a popular business collaboration tool consisting of software, cloud computing, collaboration, and productivity tools. Last year, Google’s G Suite passed 6 million customers, second only to Microsoft’s Office 365 platform.

However, G Suite is also known to have several security gaps. Relying on Google email security features might leave your business vulnerable to Google spear phishing and Business Email Compromise (BEC) attacks.

Being aware of the myriad ways your company might be at risk could help you avoid being targeted by cybercriminals. Today we’ll look at examples of three types of attacks that victimize Google users by:

  • Impersonating well-known brands
  • Spoofing workflows
  • Exploiting free software

1. Attacks That Impersonate Well-Known Brands

Credential phishing is when hackers attempt to steal user credentials by posing as a known or trusted entity in an instant message, email message, or other written communication channel.

Credentials generally consist of a username or user ID, PIN, password, or a combination of all three. Hackers use stolen credentials to pilfer personal information or sell it to third parties on the dark web for additional attacks.

Here are two examples of attacks that impersonated well-known brands.

Microsoft Defender Vishing

This vishing (voice phishing) attack impersonated Microsoft to steal victims’ credit card details. The attackers sent emails containing fake order receipts for a Microsoft Defender subscription, along with phone numbers to call for processing order returns.

Calling the listed number led to a vishing flow where the victim was instructed to install AnyDesk for an attempted Remote Desktop Protocol (RDP) attack.

  • Email security bypassed: Google Workspace email security
  • Techniques used: Social engineering, brand impersonation, replicating existing workflows, vishing (no URLs in email), using a Gmail account address, omnichannel attack flow

Zix Credential Phishing

The Zix credential phishing attack spoofed an encrypted message notification from Zix that tempted victims to download a malicious file onto their system. Zix is a security technology company that provides email data loss prevention services. Therefore, customers were more likely to trust that downloading a file from Zix was safe.

The Zix attack was observed on multiple customer environments across Google Workspace, Office 365, and Exchange. Although the potential account exposure of this attack campaign was close to 75,000 mailboxes, hackers chose a select group of employees across various departments.

Targeting a mix of employees and senior leadership members who were unlikely to communicate with each other made this strategy especially effective.

  • Email Provider: Office 365, Google Workspace, Exchange
  • Techniques used: Social engineering, brand impersonation, replicating existing workflows, drive-by download, exploiting legitimate domain

2. Attacks That Spoof Workflows

Attacks that spoof workflows duplicate existing workflows, fooling targets into believing they’ve received legitimate communications.

These attacks are successful because they encourage victims to employ their brain’s automatic, intuitive approach to dealing with new situations. But, unfortunately, when you “click before you think,” you open yourself up to being fooled by phony workflows that look legitimate.

Here are two examples of attacks that spoofed workflows.

LinkedIn Locked Account Notification

This LinkedIn credential phishing attack was sent from a compromised university email account that hosted its phishing page on Google Forms. The email claimed that the victims’ LinkedIn account had been locked due to unusual activity, then invited them to verify their accounts to restore access.

Clicking any of the email’s links led victims to a phishing page that asked for their LinkedIn username and password. This page, hosted on Google Forms, used LinkedIn branding to add legitimacy. As Google Forms has a high degree of trust, the page bypassed email security technologies that filter for known suspicious links.

  • Email Provider: Google Workspace
  • Techniques used: Social engineering, brand impersonation, replicating existing workflows, email account takeover, using free online services, using security themes

Tax Scam Using Typeform

This tax scam used Typeform, popular software specializing in online surveys and form building, within its attack flow.

The attack attempted to harvest victims’ email account credentials by forcing numerous logins, which were repeatedly invalidated. This brute force method was a tricky way to gather as many account IDs and passwords from unsuspecting victims as possible.

  • Email security bypassed: Google Workspace email security
  • Techniques used: Social engineering, replicating existing workflows, exploiting free online software to create phishing pages, using security themes

3. Attacks That Exploit Business Workflows

These attacks are successful because they use legitimate domains to create phishing emails and pages that target a business workflow. They use the lure of free goods to create phishing emails and pages, tricking both end-users and security software into believing the communication is legitimate.

Here are two examples of attacks that exploit free software.

Hosting Phishing Pages Using Glitch and GoDaddy

This PayPal credential phishing attack exploited legitimate services from both Glitch and GoDaddy in its phishing flow. The phishing email claimed that the victims’ PayPal account profile was incomplete or outdated and included a link to restore account access. You can probably see where this is going by now …

The parent domain of the phishing page was created using Glitch. Glitch is low-code software that enables you to develop a web project and “launch it on a secure URL in under a minute,” according to their website.

Unfortunately, attackers often exploit services like these, which are meant to make work easier but unintentionally lower the bar for cybercriminals to launch large-scale phishing attacks.

  • Email Provider: Google Workspace
  • Techniques used: Social engineering, brand impersonation, replicating existing workflows, using free online services

Using Free Google Services

G Suite has helped millions of people simplify and share their work. But, unfortunately, cybercriminals exploit Google’s open platform to defraud individuals and organizations of money and sensitive information.

Armorblox has seen a sharp increase in attackers using free Google services to get emails past binary security filters based on keywords or URLs. If successful, these email attacks using Google services could have potentially impacted tens of thousands of mailboxes within Armorblox’s customer environments alone.

American Express credential phishing, security team impersonations, and payslip scams are just a few examples of phishing campaigns that used Google technology to take advantage of unsuspecting victims.

  • Google services used: Forms, Firebase, Docs, Sites
  • Techniques used: Social engineering, brand impersonation
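The lures above get past filters that judge a link only by its domain, so a triage rule has to compare the brand a message claims against where it actually comes from and where it points. The sketch below is an added example, not Armorblox's detection logic; the hostname list, the brand table, the reason labels and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed hostnames for the free services the article names (Forms, Docs,
# Sites, Firebase, Typeform, Glitch); extend for your environment.
FREE_HOSTS = {"docs.google.com", "forms.gle", "sites.google.com",
              "firebaseapp.com", "web.app", "typeform.com", "glitch.me"}
# Brand keyword -> domains that brand really uses (illustrative, not exhaustive).
BRANDS = {"linkedin": {"linkedin.com"}, "paypal": {"paypal.com"},
          "microsoft": {"microsoft.com"},
          "american express": {"americanexpress.com"}}
FREEMAIL = {"gmail.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def on_domain(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return the set of reasons a raw RFC 822 message resembles these lures."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in msg.walk() if p.get_content_maintype() == "text")
    text = " ".join([display, msg.get("Subject", ""), body]).lower()
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    reasons = set()
    for brand, legit in BRANDS.items():
        if brand not in text or on_domain(sender, legit):
            continue  # brand not claimed, or mail really comes from the brand
        reasons.add("brand-mismatch:" + brand)
        if any(on_domain(h, FREE_HOSTS) for h in hosts):
            reasons.add("brand-on-free-hosting:" + brand)
        if not hosts and sender in FREEMAIL and PHONE_RE.search(body):
            reasons.add("callback-lure:" + brand)
    return reasons

# Constructed samples (not real messages): a Forms-hosted lure and a callback lure.
FORMS_LURE = ("From: LinkedIn Security <it-help@university.example>\n"
              "Subject: Your account has been locked\n\n"
              "Verify here: https://docs.google.com/forms/d/e/EXAMPLE/viewform\n")
CALLBACK_LURE = ("From: Billing <orders.example@gmail.com>\n"
                 "Subject: Order receipt\n\n"
                 "Your Microsoft Defender subscription renewed. "
                 "To cancel call +1 (555) 010-0199.\n")
```

A bare `brand-mismatch` fires on plenty of legitimate mail that merely mentions a brand; the combined `brand-on-free-hosting` and `callback-lure` reasons are the ones worth routing to review.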

Leveling Up G Suite Email Security With Armorblox

As these examples indicate, Google Workspace's native security features weren’t enough to protect against advanced types of credential phishing and spear phishing attacks.

To augment existing email security capabilities, your business should invest in technologies that take a materially different approach to threat detection. Adding an extra layer of protection like Armorblox helps defend your business and your human layer from sensitive data exposure and fraud.

Want to learn more about spear phishing, Business Email Compromise (BEC), and 0-Day credential phishing attacks? Follow us on our social media channels, or subscribe to our email updates to stay informed on our advanced threat research.
