• Thread Author
As phishing threats continue to evolve, attackers are leveraging increasingly sophisticated methods that use legitimate cloud platforms to disguise their malicious campaigns. Recent research has uncovered a worrying trend: the abuse of Google Apps Script as a vehicle for launching convincing phishing attacks specifically designed to steal Microsoft 365 login credentials. This sophisticated approach capitalizes on both the trust users place in Google domains and the ubiquity of Microsoft 365 in the business world, making it a critical cybersecurity concern for organizations of all sizes.

The Mechanics of the New Phishing Campaign

At the center of this new wave of phishing is Google Apps Script—a cloud-based scripting platform designed to extend the capabilities of Google Workspace applications such as Gmail, Drive, and Sheets through JavaScript automation. Traditionally, Apps Script is used for automating email notifications, customizing workflows, or managing files. However, in the hands of cybercriminals, it becomes a potent tool for constructing believable phishing lures.
The attack, as documented by cybersecurity experts at Cofense and reported by TechRadar, typically starts with a standard phishing email purporting to contain a business-related invoice. The lure includes a link to what appears to be a Google-related service, using a domain structure like script[.]google[.]com. This tactic leverages the inherent trust most users have in Google domains, as people are conditioned to believe that anything hosted on a legitimate Google subdomain is inherently safe.
Upon clicking the link, the victim lands on a page with a message such as “you have one pending download available” and a prominent "preview" button. This apparent simplicity serves to lower suspicions. However, clicking the preview button silently redirects users to a replica of the Microsoft 365 login page. Unwitting users who input their credentials do not access a legitimate document—instead, their login information is instantly funneled to the attackers. To further obscure traces of malicious activity and reduce suspicion, the script then redirects the user to the real Microsoft 365 login page, creating the impression that a session expired or an error occurred.
This layered approach—leveraging well-known brands, cloud automation, and redirection—makes detection and prevention much more challenging.

Why Google Apps Script Is an Attractive Target

Google Apps Script has become a target for abuse due to its versatility and the nearly universal trust in Google services. Organizations worldwide rely on Google Workspace for critical operations, and the domain itself (script.google.com) rarely appears in blocklists or email filtering blacklists, as blocking it would disrupt core business functions.
Some of the factors contributing to its appeal for attackers include:
  • Legitimacy of Hosting: By hosting malicious scripts on an official Google domain, attackers bypass many traditional spam and malware filters that flag suspicious or unknown domains.
  • Automation: Apps Script enables fast deployment of phishing pages and seamless integration into existing attack infrastructure.
  • Easy Redirection: The scripting language’s redirect capabilities allow phishing campaigns to dynamically direct victims to fake login pages and then to genuine services, masking the theft of credentials.
  • Trust Factor: Most employees and users see a Google link and assume safety, reducing the likelihood of skepticism or second-guessing.
It is not the first time attackers have exploited reputable cloud platforms; however, the dynamic nature and script-based flexibility of Google Apps Script bring a new level of sophistication to phishing attempts.

Anatomy of a Fake Invoice Phishing Email

Let’s break down a typical attack chain as observed in this campaign:
  • Initial Contact: The victim receives a phishing email from what appears to be a legitimate business partner or vendor. The message contains an urgent prompt to review or pay an attached invoice.
  • Embedded Link: The invoice is not attached but linked via a URL such as script.google.com, encouraging recipients to click.
  • Google Apps Script Landing Page: Clicking the link leads to a Google-hosted Apps Script page displaying a download or preview button.
  • Redirection: Activating the "preview" button redirects the user to a fake Microsoft 365 login page.
  • Credential Harvesting: The user enters their email and password, thinking they are logging into Microsoft 365 to view the document.
  • Final Redirect: The script redirects the user to the actual Microsoft 365 login page, minimizing suspicion once the credentials have been stolen.
This workflow is carefully orchestrated to appear as seamless and familiar as possible to the user, leveraging branded login pages, native Google domains, and standard security prompts.

Technical Deep Dive: How Attackers Abuse Cloud Platforms

Understanding this attack requires a closer look at how Google Apps Script operates. Apps Script allows users—legitimate or otherwise—to create lightweight web applications accessible via custom URLs under the Google domain. Scripts can read and write data, trigger events, and, crucially, redirect site visitors.
For attackers:
  • A simple script can host an HTML landing page that displays a benign message and a button.
  • That button, when clicked, uses the scripting API to redirect to any destination, including phishing sites designed to masquerade as Microsoft 365 login pages.
  • Since the initial request comes from an official Google infrastructure, email security solutions often allow these messages through without quarantine or warning.
  • Scripts can be updated and controlled remotely, letting threat actors adjust campaigns in real-time or launch multiple campaigns simultaneously.
Moreover, because these scripts are lightweight and hosted by Google, takedowns are not always instantaneous, giving attackers precious hours or even days to compromise numerous targets.

The Infamous "Brand Hijacking" Tactic

The abuse of trusted brands is nothing new in the phishing world, but the combination of Google’s infrastructure with Microsoft 365 branding amplifies the success rate of these campaigns. According to Cofense, phishing emails that use trusted domains like Google are much more likely to evade detection and to elicit a response from targets.
Microsoft 365 remains one of the most phished brands due to its extensive use in enterprise environments. Cybercriminals design fake login pages that are visually indistinguishable from the real ones, right down to the smallest UI element. For many users, subtle clues about the underlying URL or SSL certificate go unnoticed, especially when the initial part of the workflow pointed to a Google domain.

Detecting and Preventing Google Apps Script Phishing

Mitigating this sophisticated attack vector requires both technical and organizational responses.

Security Controls and Filtering Enhancements

  • URL Reputation Services: Organizations should consider integrating advanced URL filtering that checks the entire redirect chain, not just the originating domain.
  • Sandboxing: Open suspicious links in sandbox environments to detect redirections and the appearance of fake login pages.
  • Threat Intelligence: Maintain up-to-date feeds on known phishing campaigns and periodically review them to update detection rules. Specific attention should be paid to new abuses of legitimate cloud services.

User Awareness and Training

Employees need robust, ongoing training to recognize phishing lures, even when they originate from reputable domains. Key elements include:
  • Scrutinizing the content of emails for suspicious requests or language.
  • Hovering over links to verify the full URL path before clicking, though this alone is less effective when a Google domain is involved.
  • Knowing that Google typically does not serve third-party invoices or payment instructions via Apps Script.
Cofense’s researchers emphasize a defense-in-depth strategy, warning: “Phishing emails like these are a good example of how attackers take advantage of legitimate domains to make their scams look more convincing. It is important to stay vigilant and educate employees about the risk of phishing attacks.”

Technical Safeguards

  • Conditional Access Policies: Microsoft 365 administrators can enforce geographic or device-based login restrictions. If possible, require multi-factor authentication (MFA) on all accounts to render stolen credentials less useful.
  • Browser Security Extensions: Deploy browser plugins that flag suspicious redirects or mismatched branding on login pages.
  • Incident Response Drills: Regularly simulate phishing attacks using both trusted and untrusted domains to measure employee resilience and refine detection rules.

Broader Implications for Cloud Trust

This phishing trend has far-reaching consequences not only for individual organizations, but also for the broader perception of cloud trust and infrastructure resilience. When attackers successfully use legitimate Google services to compromise Microsoft 365 accounts, it demonstrates how interconnected and interdependent modern cloud ecosystems are.
Key risks include:
  • Supply Chain Vulnerabilities: A successful attack on a single account can lead to downstream compromise of business partners, vendors, and clients through unauthorized access or further phishing attempts using the stolen Microsoft 365 credentials.
  • Privilege Escalation: With access to a business user’s Microsoft 365 account, attackers can exfiltrate sensitive data, manipulate business workflows, or create fraudulent messages targeting other employees.
  • Persistence: If campaigns are not swiftly detected and neutralized, attackers may maintain access for days or weeks, leveraging time to maximize returns through additional phishing or business email compromise (BEC) attacks.

Recommendations for Google and Microsoft

Experts increasingly recommend that cloud giants such as Google and Microsoft work collaboratively to detect, dismantle, and prevent such abuse. Some actionable steps include:
  • Enhanced Abuse Detection: Google can add additional heuristics and automated analysis to identify potentially malicious Apps Script projects, such as those hosting common phishing patterns.
  • Improved User Reporting: Make it easier for users to flag suspicious Apps Script pages for rapid review and takedown.
  • Cross-Cloud Intelligence Sharing: Foster more robust sharing of indicators of compromise (IoCs) between cloud providers to halt multi-platform phishing quickly.

A Balanced Perspective: Strengths and Weaknesses of Apps Script

While this campaign highlights risks in Google Apps Script, it’s important to balance the narrative with the platform’s legitimate, powerful use cases. Educators automate grade reporting; businesses streamline workflows; developers rapidly prototype and deploy new app features. Abusive campaigns remain a fraction of overall usage.

Notable Strengths

  • Ease of Use: Simple scripting for non-programmers and advanced automation for developers.
  • Security by Default: Google’s native tools, such as OAuth consent screens and API restrictions, provide baseline protection.
  • Broad Ecosystem: Integration across the entire Google Workspace product range.

Potential Risks and Limitations

However, the underlying flexibility is a double-edged sword. Without granular monitoring and proactive filtering, malicious actors can create scripts that go undetected for critical windows of time, especially as scripts are hosted under universally trusted domains.
  • Lack of Contextual Filtering: Traditional email and web filters rely on domain reputation rather than content analysis, so attacks leveraging Google or Microsoft’s own infrastructure can often bypass controls.
  • Delayed Takedown: While Google responds quickly to abuse reports, there can still be a window of opportunity for attackers, especially during off-hours or holidays.

Conclusion: Defending Against “LegitTrust” Phishing in the Cloud Era

The hijacking of Google Apps Script for phishing is a textbook example of what some researchers dub “LegitTrust” attacks—leveraging trusted platforms to make malicious activity invisible to both humans and machines.
Organizations and individuals must adapt to a reality where domain reputation alone cannot be used as a proxy for safety. Attackers will continue to innovate, making security awareness, layered defenses, and cross-platform vigilance essential.
As cloud adoption accelerates and legitimate platforms become integral to daily work, the opportunity for attackers to piggyback on trusted infrastructure will only increase. The path forward lies in stronger collaboration between cloud providers, more intelligent detection tools, and an unwavering focus on user education.
Until then, every email, no matter how seemingly legitimate, deserves a dose of healthy skepticism—especially those promising urgent invoices or login confirmations from “trusted” domains. The most successful defense is a blend of vigilance, technology, and continuous reevaluation of evolving phishing strategies.

Source: TechRadar, “Google Apps Script abused to launch dangerous phishing attacks”
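The post above recommends URL filtering that "checks the entire redirect chain, not just the originating domain" and sandboxing links to catch the hop from the Apps Script landing page to a fake Microsoft 365 sign-in. The following is an added example of that triage logic, not code from the article, Cofense or TechRadar: it follows a link hop by hop through an injectable fetcher (here a constructed, in-memory site with placeholder hostnames and script IDs standing in for a sandbox browser) and judges the chain by where it ends and what that final page looks like, rather than by the reputation of the first hop.

```python
"""Offline redirect-chain triage for links that begin on a trusted cloud domain.
Added example (not the article's or Cofense's code): the link is followed hop by
hop through an injectable fetcher, and the verdict rests on where the chain ends
and what that final page looks like, not on the reputation of the first hop."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Cloud hosts whose reputation attackers borrow for the first hop.
TRUSTED_ORIGINS = {"script.google.com", "docs.google.com", "drive.google.com"}
# Hosts that legitimately serve Microsoft sign-in pages.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Content markers that together suggest a Microsoft 365 sign-in page.
M365_MARKERS = ("sign in to your account", "microsoft", "password")

@dataclass
class Page:
    url: str
    status: int
    body: str = ""
    # Next hop: an HTTP Location header or a client-side redirect (meta refresh,
    # button handler) the sandbox observed. None means the chain ends here.
    location: Optional[str] = None

@dataclass
class Verdict:
    verdict: str                      # "allow", "suspicious" or "block"
    chain: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def _looks_like_m365_login(body: str) -> bool:
    text = body.lower()
    return all(marker in text for marker in M365_MARKERS)

def follow_chain(start_url: str, fetch: Callable[[str], Page], max_hops: int = 10) -> List[Page]:
    """Return the pages visited, in order, until a page has no onward hop."""
    pages: List[Page] = []
    url = start_url
    for _ in range(max_hops):
        page = fetch(url)
        pages.append(page)
        if page.location is None:
            break
        url = page.location
    return pages

def triage(start_url: str, fetch: Callable[[str], Page]) -> Verdict:
    """Judge the whole chain: a trusted first hop that leaves Google, and a
    Microsoft-branded sign-in form on a non-Microsoft host, are each a reason."""
    pages = follow_chain(start_url, fetch)
    chain = [p.url for p in pages]
    first, last = _host(chain[0]), _host(chain[-1])
    reasons = []
    if first in TRUSTED_ORIGINS and not last.endswith("google.com"):
        reasons.append(f"chain starts on trusted host {first} but ends on {last}")
    if _looks_like_m365_login(pages[-1].body) and last not in MICROSOFT_LOGIN_HOSTS:
        reasons.append(f"Microsoft 365 sign-in look-alike served from {last}")
    verdict = {0: "allow", 1: "suspicious"}.get(len(reasons), "block")
    return Verdict(verdict, chain, reasons)

# Constructed, offline stand-in for a sandbox browser. Hostnames and IDs are
# placeholders; the page texts mirror the lure the article describes.
LURE = "https://script.google.com/macros/s/PLACEHOLDER-LURE/exec"
FAKE_LOGIN = "https://invoice-preview.example/office/login"
BENIGN = "https://script.google.com/macros/s/PLACEHOLDER-BENIGN/exec"
DOC = "https://docs.google.com/document/d/PLACEHOLDER-DOC/edit"
SAMPLE_SITE: Dict[str, Page] = {
    LURE: Page(LURE, 200, "<p>You have one pending download available</p>"
               "<button>Preview</button>", location=FAKE_LOGIN),
    FAKE_LOGIN: Page(FAKE_LOGIN, 200, "<title>Sign in to your account</title>"
                     "<img alt='Microsoft'><input type='password'>"),
    BENIGN: Page(BENIGN, 302, location=DOC),
    DOC: Page(DOC, 200, "<title>Quarterly report</title>"),
}

def sample_fetch(url: str) -> Page:
    """Look the URL up in the constructed site; unknown URLs end the chain."""
    return SAMPLE_SITE.get(url, Page(url, 404))
```

In a real gateway the fetcher would be a sandbox browser that also records button-driven navigation, which is why `location` is modelled as any observed onward hop and not only an HTTP 3xx.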

In the ever-evolving landscape of cyber threats, an alarming new phishing campaign has emerged, exploiting the credibility of Google’s cloud infrastructure to target Microsoft 365 users. This attack, recently dissected by cybersecurity researchers at Cofense, leverages Google Apps Script—a legitimate automation tool within the Google Workspace ecosystem—to lend an air of authority to an otherwise classic scam. At its core, the campaign intertwines technical cunning with social engineering, preying on our collective trust in household digital brands.

The Anatomy of a Cutting-Edge Phishing Scheme

Picture the scene: you receive an email resembling the routine invoicing notifications that are the lifeblood of digital business operations. The message is innocuous enough, with a catchy subject like “Invoice Pending Review” and a call-to-action urging you to view or download the attached bill. Crucially, the embedded link points not to a suspicious, unidentifiable web address, but to the domain script.google.com.
To the average user—and even seasoned IT professionals—such a domain might not raise red flags. After all, Google’s domains are almost universally regarded as trustworthy. This, as the Cofense researchers emphasize, is what makes the scam so dangerous: attackers piggyback on legitimate infrastructure to make their ploys look credible and contagious.
Delving deeper into the mechanics of the attack, it unfolds in several calculated stages designed to sidestep conventional defenses and psychological skepticism.

Stage One: The Trust-Building Lure

The campaign begins with an email that mirrors authentic invoices or financial notifications. According to Cofense, threat actors employ language and branding reminiscent of corporate billing departments. But the masterstroke is the destination of the link. Rather than some strange URL, users see a Google-branded domain through mouse-over or click—psychologically disarming the subconscious caution that usually accompanies suspicious email links.

Stage Two: The “Pending Download” Diversion

If a recipient clicks, they land not on a login screen, but a simple web page hosted via Google Apps Script. This landing page often reads something like, “You have one pending download available,” nudging recipients to click a prominent “preview” button. This staging, subtle but effective, helps maintain the illusion of normality and delays suspicion, disassociating the original email from any overtly malicious intent.

Stage Three: The Microsoft 365 Credentials Trap

The next click is where the trap truly springs. Victims are redirected to a convincingly replicated Microsoft 365 login page. Every detail is painstakingly cloned—from the background graphics to button placements and fonts—to lull the user into a sense of routine. If a user enters their credentials at this stage, the data is siphoned straight to the attackers rather than to Microsoft. Not only are usernames and passwords at risk, but potentially also multi-factor tokens and personal information if follow-up prompts or "verifications" are built in.

Stage Four: The Redirection Cover-Up

To conceal all evidence of foul play, once credentials are entered, the fake site immediately redirects the user to the real Microsoft 365 login page or dashboard. For most victims, nothing seems amiss; the brief confusion of a seemingly failed login attempt can easily be dismissed as a glitch or user error. This extra step is vital in blurring the timeline, making it more difficult for users and security teams to pin down the exact moment or mechanism of compromise.

Why Google Apps Script? The Double-Edged Sword of Cloud Automation

Central to this threat is the abuse of Google Apps Script, an automation platform that allows otherwise non-technical users to write JavaScript code to enhance Google Workspace apps like Gmail, Sheets, Docs, and Drive. Legitimate uses abound—from automating repetitive tasks to generating workflows that save organizations hours each week.
But therein lies the problem: because Apps Script is built to be flexible and user-friendly, it empowers not only business productivity but also those with nefarious ends. When scripts are deployed using Google’s infrastructure, the resulting web apps or endpoints are hosted on trusted Google domains. This dynamic has long been recognized as a technical blind spot in the arms race between attackers and defenders.
Beyond that, scripts can be public or unlisted, allowing a hacker to craft malicious workflows without exposing overtly suspicious infrastructure. Security mechanisms like email security gateways, web proxies, or browser warnings, which rely on the reputation of the domains involved, rarely flag such links. Attackers are essentially gifted a platform whose namespaces are absolved of guilt by association.

Technical Deep Dive: Script Abuse in Phishing

Let’s examine how attackers might actually piece together a campaign using Google Apps Script:
  • Deployment: The criminal creates a Google account and writes a simple script to host a landing page. This landing page might have just enough HTML and JavaScript to mimic a “pending invoice” notification, alongside stylistic elements evoking Google’s own UI design.
  • Redirection: The “Preview” or “Download” button on the script page is coded to redirect to an external, attacker-controlled phishing site. Frequently, open-source Microsoft 365 login page templates are repurposed here.
  • Harvesting: When victims arrive at the fake Microsoft 365 portal, they input their credentials. These are sent via encrypted POST operations to the attackers, who may instantly exfiltrate, log, or even attempt to reuse the credentials in real time.
  • Cover Tracks: To close the gap, the phishing kit then seamlessly redirects the victim to the legitimate Microsoft sign-in page—erasing the breadcrumbs that might trigger alertness.

What Makes This Attack Difficult to Detect?

The main force multiplier behind this technique is the implicit trust users and security appliances place in recognizable domains. Traditional phishing detection relies on a blacklist of known malicious websites or analysis of suspicious URL patterns. When attackers piggyback on Google infrastructure, it throws a wrench in the gears of those heuristics:
  • Safe Domain Assumptions: Security products give Google domains a free pass, since blocking them would disrupt core business productivity for nearly every company.
  • SSL/TLS Security: The scam benefits from genuine Google-issued HTTPS certificates, adding a layer of visible “authenticity” to even the most cautious users.
  • Bypassing Filters: Since the initial link is not itself a fully-fledged phishing page (just a script landing), many email and web security products let it through, failing to recognize the indirect intent.
According to multiple cybersecurity advisories, “living off the land” techniques—whereby attackers abuse trusted, SaaS-hosted tools—are on the rise, mirroring similar abuses seen in platforms like Dropbox, SharePoint, or OneDrive.

Critical Analysis: Strengths, Gaps, and What’s Next

While the ingenuity of this campaign is clear, it also highlights a persistent weakness within modern cloud ecosystems. The line between empowering user productivity and ensuring airtight security is thin and fraying.

Notable Strengths of the Attack

  • Trust Exploitation: By anchoring the attack chain in a Google domain, attackers instantly leapfrog most technical safeguards.
  • Deceptive Simplicity: The initial page is bland and nondescript, reducing the likelihood of suspicion or investigation.
  • Polished Craftsmanship: The phishing kits used mimic Microsoft 365's appearance so well that, absent rigorous scrutiny, even experienced users are deceived.
  • Organic Evolution: The campaign can rapidly iterate. Attackers can spin up new script instances nearly instantaneously if previous ones are shut down.

Potential Weaknesses and Defensive Advantages

  • Link Analysis Tools: Advanced threat protection tools that go beyond reputation checking—and instead dynamically scan the complete redirect chain—can sometimes spot the final phishing page and block it.
  • Multi-Factor Authentication: Even if a password is compromised, MFA prevents one-step account takeover—unless attackers deploy real-time token theft or man-in-the-middle proxies (a scenario observed but still technically complex).
  • Logging and Monitoring: Sophisticated SIEM (Security Information and Event Management) solutions can retrospectively flag successful credential phishing attempts by analyzing anomalous logins.

Open Questions and Caveats

  • Attribution: As script hosting via Google is cheap, easy, and ephemeral, it remains extremely difficult to attribute the campaign to specific threat actors.
  • Prevalence: While Cofense and other researchers have observed multiple variants of this scam, precise numbers on successful infections or the scale of attempted deliveries are inherently difficult to verify publicly.
  • Responsibility: The ethical and technical balance Google must strike—between user empowerment and preventing abuse—remains a focal point for the broader SaaS industry. As of this writing, Google is reportedly flagging some malicious scripts, but comprehensive and proactive protections appear to lag behind evolving tactics.

How to Protect Microsoft 365 Credentials – Effective Countermeasures in 2025

As attackers sharpen their tools, defensive tactics must become both more nuanced and more robust. Here’s a breakdown of actionable steps for individuals and organizations to foil even sophisticated threats:

1. Scrutinize URLs—Always

Never trust a web link based purely on its visible domain. Look for subtle misspellings, extra subdomains, or unexpected URL patterns. Expand shortened URLs and use browser extensions or security gateways that preview where links ultimately lead.

2. Expect the Unexpected: Spotting Red Flags

If prompted unexpectedly to log in—especially after clicking an email link—resist and investigate. Instead, use bookmarks or type URLs directly into your browser rather than following embedded links.

3. Embrace Multi-Factor Authentication (MFA)

Enabling MFA on all cloud accounts—particularly high-value targets like Microsoft 365—adds a formidable second hurdle for attackers. While not immune to all forms of phishing (especially advanced man-in-the-middle techniques), MFA still greatly reduces the risk posed by most credential theft.

4. Continuous Employee Education

Organizations should commit to ongoing anti-phishing training programs, incorporating real-world simulation exercises. Teach all personnel to recognize social engineering tactics, scrutinize email headers, and understand the latest threat trends. Always reinforce that no legitimate financial request will require urgent, password-entry responses via a third-party link.

5. Advanced Threat Protection

Invest in modern security solutions—those that employ machine learning to identify suspicious redirect chains, scan attachments and external links in real time, and retroactively hunt for threat indicators.

6. Rapid Incident Response

Encourage employees to report suspicious emails or login prompts immediately. Have an established protocol for revoking potentially compromised credentials and conducting thorough forensics on suspected accounts.

7. Monitor Login Locations and Devices

Administrators should enable advanced auditing in Microsoft 365, alerting on logins from unusual geographies or device fingerprints. Anomalies should trigger immediate review and, if necessary, forced password resets.

8. Engage with Providers

Ironically, users and organizations should report any suspicious Apps Script activity not just internally but directly to Google as well. Responsible disclosure ensures that compromised scripts can be taken down rapidly, impeding further proliferation.

The Broader Implications: Trust, SaaS, and the Future of Phishing

The ingenuity on display in this campaign signals a shift in the tactics favored by cybercriminals. By utilizing the cloud giants’ infrastructure, they subvert our basest instincts to trust the digital brands central to our everyday work. The arms race between defenders and attackers, in turn, is becoming less about technical prowess and more about exploiting—or defending—the seams between utility and security.
As Cofense researchers put it: “Phishing emails like these are a good example of how attackers take advantage of legitimate domains to make their scams look more convincing.” This remark is increasingly apt in today’s SaaS-dominated world. The traditional model of identifying “malicious” from “safe” domains has ended. In its place, we must rely on layered defenses, continuous education, and a healthy dose of skepticism to survive the next evolution of phishing.

Key Takeaways for Windows and Microsoft 365 Users

  • Even the most trustworthy domains can harbor malicious intent through third-party abuse.
  • Sophisticated phishing does not always require complex malware; exploiting brand trust is often enough.
  • Vigilance—both technical and psychological—is the strongest defense.
  • The democratization of powerful automation tools means both good and bad actors have access to formidable resources.
  • Continuous technical innovation in defense, combined with regular user education, remains the best path forward.
As cybercriminals continue to refine their methods, only those organizations and individuals who evolve their mindsets and defenses in parallel will stay ahead. This latest attack is less a one-off event than a harbinger of what’s to come—a world where trust in cloud platforms becomes the greatest vulnerability, and our ability to adapt is more important than ever.

Source: Daily Chhattisgarh News, “Google Apps Script Hijacked: Hackers Deploy Fake Invoices to Steal Your Microsoft 365 Login”
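The post above notes that SIEM tooling "can retrospectively flag successful credential phishing attempts by analyzing anomalous logins" and recommends alerting on sign-ins from unusual geographies or device fingerprints. The following is an added example of such a detector, not code from the article or Cofense: it builds a per-user baseline of countries and devices from earlier successful sign-ins, then flags later sign-ins from a never-seen country or device, or from a different country too soon after the previous sign-in. Field names follow the Microsoft Graph sign-in log schema, but every record is constructed, the IP addresses are documentation ranges, and the "impossible travel" check uses a fixed time window instead of geodistance.

```python
"""Retrospective sign-in anomaly detection for Microsoft 365 accounts.
Added example (not the article's or Cofense's code). Field names follow the
Microsoft Graph sign-in log schema, but every record below is constructed; the
"impossible travel" test uses a fixed time window rather than geodistance."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

def _rec(user, ts, ip, country, os_name, browser, error_code=0) -> Dict:
    """Build one constructed sign-in record (errorCode 0 means success)."""
    return {"userPrincipalName": user, "createdDateTime": ts, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "deviceDetail": {"operatingSystem": os_name, "browser": browser},
            "status": {"errorCode": error_code}}

# Constructed sample: alice's baseline is DE on a Windows 11/Edge device, bob's is
# US. On 2025-06-10 alice signs in normally, then her account is used 28 minutes
# later from NG on an unseen device, the pattern a stolen password produces.
SAMPLE_SIGNINS: List[Dict] = [
    _rec("alice@example.com", "2025-06-02T08:05:00Z", "203.0.113.10", "DE", "Windows 11", "Edge"),
    _rec("alice@example.com", "2025-06-03T08:12:00Z", "203.0.113.10", "DE", "Windows 11", "Edge"),
    _rec("bob@example.com", "2025-06-03T14:30:00Z", "198.51.100.7", "US", "Windows 10", "Edge"),
    _rec("alice@example.com", "2025-06-10T09:12:00Z", "203.0.113.10", "DE", "Windows 11", "Edge"),
    _rec("alice@example.com", "2025-06-10T09:40:00Z", "192.0.2.55", "NG", "Linux", "Chrome"),
    # A failed attempt (non-zero errorCode) is ignored by the detector.
    _rec("alice@example.com", "2025-06-10T09:41:00Z", "192.0.2.55", "NG", "Linux", "Chrome", 50126),
    _rec("bob@example.com", "2025-06-10T10:00:00Z", "198.51.100.7", "US", "Windows 10", "Edge"),
]
# Everything before this instant forms the baseline; later events are evaluated.
BASELINE_UNTIL = datetime(2025, 6, 9, tzinfo=timezone.utc)

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _device(event: Dict) -> str:
    d = event["deviceDetail"]
    return f"{d['operatingSystem']}/{d['browser']}"

def build_baseline(events: List[Dict], until: datetime) -> Dict[str, Dict[str, set]]:
    """Countries and devices each user signed in from successfully before `until`."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        if e["status"]["errorCode"] == 0 and _ts(e["createdDateTime"]) < until:
            b = baseline[e["userPrincipalName"]]
            b["countries"].add(e["location"]["countryOrRegion"])
            b["devices"].add(_device(e))
    return baseline

def detect_anomalies(events: List[Dict], baseline_until: datetime,
                     travel_window: timedelta = timedelta(minutes=60)) -> List[Dict]:
    """Flag successful sign-ins at or after `baseline_until` that come from a
    country or device the user has never used, or from a different country
    within `travel_window` of the user's previous successful sign-in."""
    baseline = build_baseline(events, baseline_until)
    last_success = {}  # user -> (time, country) of the latest successful sign-in
    findings = []
    for e in sorted(events, key=lambda x: _ts(x["createdDateTime"])):
        if e["status"]["errorCode"] != 0:
            continue
        user, ts = e["userPrincipalName"], _ts(e["createdDateTime"])
        country, device = e["location"]["countryOrRegion"], _device(e)
        reasons = []
        if ts >= baseline_until:
            if country not in baseline[user]["countries"]:
                reasons.append(f"first sign-in from {country}")
            if device not in baseline[user]["devices"]:
                reasons.append(f"first sign-in from device {device}")
            prev = last_success.get(user)
            if prev and prev[1] != country and ts - prev[0] <= travel_window:
                gap = int((ts - prev[0]).total_seconds() // 60)
                reasons.append(f"impossible travel: {prev[1]} -> {country} in {gap} min")
        last_success[user] = (ts, country)
        if reasons:
            findings.append({"user": user, "time": e["createdDateTime"],
                             "ipAddress": e["ipAddress"], "reasons": reasons})
    return findings
```

A finding is the trigger for the response steps the post lists: review, then a forced password reset and session revocation for the affected account.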