
Threat actors are increasingly abusing Google Apps Script to host phishing pages, leveraging the platform’s trusted reputation to bypass security filters. Recent reports confirm attackers are using script.google.com domains to serve malicious content while evading detection by email gateways and web filters [1]. This technique represents an evolution in phishing tactics that combines the credibility of Google’s infrastructure with advanced evasion methods.
Technical Breakdown of the Attack Chain
The attack begins with emails containing links to script.google.com domains, which appear legitimate to both users and security tools. These scripts host phishing pages that mimic trusted services like Microsoft 365 or banking portals. According to recent findings, attackers implement multi-step redirections through legitimate domains before reaching the final phishing page [2].
Security researchers have observed JavaScript-based credential exfiltration directly from these Google-hosted scripts. The scripts often include CAPTCHA challenges that serve dual purposes: filtering out automated analysis tools while adding perceived legitimacy for human victims. Some campaigns incorporate Magecart-style skimmers when targeting e-commerce credentials [3].
Defensive Recommendations
Organizations should consider blocking script.google.com and google.com/amp/s/ at email gateways and web proxies. Google Workspace administrators can implement these restrictions through Context-Aware Access policies. Additional protective measures include:
- Deploying AI-driven email filtering with real-time URL scanning
- Implementing strict OAuth application review processes
- Training users to identify image-based phishing emails
For incident responders, monitoring for traffic to Google Apps Script URLs from corporate networks can help detect potential compromises. The presence of token_service table decryption attempts in logs may indicate follow-on activity from info-stealers like Lumma [4].
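The two blocking and monitoring recommendations above can be turned into a simple proxy-log sweep. The following is an added example written for this article, not code from any cited source; it assumes a space-separated proxy log format (timestamp, client IP, method, URL, status), and every hostname and ID in the sample lines is constructed. It flags requests to script.google.com and, for google.com/amp/s/ links, unwraps the destination host hidden in the AMP path so analysts see where the redirect actually lands.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log lines (timestamp, client, method, URL, status).
# Hostnames and the script ID are invented placeholders, not real indicators.
SAMPLE_LOG = """\
2025-05-01T10:02:11Z 10.1.4.23 GET https://script.google.com/macros/s/EXAMPLEID/exec 200
2025-05-01T10:02:15Z 10.1.4.23 GET https://www.google.com/amp/s/example-login.invalid/m365/verify 302
2025-05-01T10:03:40Z 10.1.7.9 GET https://docs.google.com/document/d/abc/edit 200
2025-05-01T10:04:02Z 10.1.4.23 GET https://example-login.invalid/m365/verify 200
"""

APPS_SCRIPT_HOST = "script.google.com"
AMP_HOST_RE = re.compile(r"^(www\.)?google\.[a-z.]+$")  # google.com, google.co.uk, ...
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")  # assumed log layout


def amp_wrapped_destination(url):
    """Return the host hidden inside a google.com/amp/s/<host>/<path> URL, or None."""
    parts = urlsplit(url)
    if not AMP_HOST_RE.match(parts.netloc) or not parts.path.startswith("/amp/s/"):
        return None
    inner = unquote(parts.path[len("/amp/s/"):])
    return inner.split("/", 1)[0] or None


def classify(url):
    """Label a URL that matches one of the article's blocking recommendations."""
    parts = urlsplit(url)
    if parts.netloc == APPS_SCRIPT_HOST:
        return "apps-script"
    if amp_wrapped_destination(url):
        return "amp-wrapper"
    return None


def scan_proxy_log(text):
    """Parse proxy log lines and return the requests worth an analyst's attention."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole sweep
        ts, client, _method, url, status = m.groups()
        label = classify(url)
        if label:
            hits.append({"time": ts, "client": client, "url": url, "label": label,
                         "status": int(status),
                         "wrapped_host": amp_wrapped_destination(url)})
    return hits
```

Correlating the flagged client with its later direct requests (here 10.1.4.23 reaching the unwrapped host seconds afterwards) is what reveals the multi-step redirect chain the article describes.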
Broader Implications for Cloud Security
This campaign highlights the growing trend of abusing legitimate cloud services for malicious purposes. Similar tactics have been observed with Google Forms being used for data exfiltration and AMP pages hosting phishing content. The trusted nature of these domains makes traditional URL filtering less effective, requiring more advanced detection methods.
Recent malware families including White Snake and RisePro have incorporated functionality to maintain persistence through Google’s OAuth2 system, specifically targeting the undocumented MultiLogin endpoint [5]. This development suggests attackers are investing significant resources into understanding and exploiting cloud authentication mechanisms.
Conclusion
The abuse of Google Apps Script represents a significant shift in phishing techniques, forcing security teams to reevaluate their defensive strategies. As attackers continue to innovate by leveraging trusted platforms, organizations must implement layered defenses combining technical controls with user education. Google’s infrastructure will likely remain an attractive target due to its ubiquity and inherent trust, making ongoing monitoring and adaptation essential for security teams.
References
- “Threat actors abuse Google Apps Script in evasive phishing attacks,” BleepingComputer, May 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-apps-script-in-evasive-phishing-attacks
- “Google AMP: The newest of evasive phishing tactic,” Cofense, Aug. 2023. [Online]. Available: https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/
- “Google’s Apps Script abused in Magecart attacks,” SecurityAffairs, Feb. 2021. [Online]. Available: https://securityaffairs.com/114750/cyber-crime/googles-apps-script-magecart.html
- “Compromising Google accounts: Malwares exploiting undocumented OAuth2 functionality,” CloudSEK, Dec. 2023. [Online]. Available: https://cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking
- “Adversarial misuse of generative AI,” Google Threat Intelligence, Jan. 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai