Cybersecurity experts are highlighting two recently discovered phishing campaigns that misuse legitimate platforms like Firebase and Google Apps Script to lead users to harmful content.
In mid-May, Trellix reported a spear-phishing attack that posed as a Rothschild & Co employee to target financial executives in banking, energy, insurance, and investment sectors across Africa, Canada, Europe, the Middle East, and South Asia.
The phishing emails included a fake brochure presented as a webpage hosted on Firebase and hidden behind a custom CAPTCHA styled as a math quiz. After solving the quiz, the victim receives a ZIP file containing a VBS script.
This script installs NetBird and OpenSSH on the victim's device, creates a hidden local admin account, and enables Remote Desktop Protocol (RDP), giving attackers remote access to the system.
Trellix noted that the multi-stage approach was designed to bypass security tools and human detection while maintaining long-term access to compromised machines through legitimate remote access software like NetBird, which could lead to severe consequences.
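The post-delivery behaviour described above (remote-access services installed, a new local administrator, RDP switched on) can be hunted as a cluster of events on one host. The sketch below is an added example, not code from Trellix or from the original article. The simplified record fields, the 30-minute window, the "Netbird" service name and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"      # built-in local Administrators group
RDP_VALUE = r"control\terminal server\fdenytsconnections"
WINDOW = timedelta(minutes=30)   # assumed correlation window

# Constructed records, not real telemetry; field names and the "Netbird" service name are assumptions.
EVENTS = [
    {"host": "FIN-WS01", "time": "2025-05-15T09:02:10", "id": 7045, "service": "Netbird"},
    {"host": "FIN-WS01", "time": "2025-05-15T09:02:40", "id": 7045, "service": "sshd"},
    {"host": "FIN-WS01", "time": "2025-05-15T09:03:05", "id": 4720, "account": "helpdesk2"},
    {"host": "FIN-WS01", "time": "2025-05-15T09:03:06", "id": 4732, "group_sid": ADMINS_SID},
    {"host": "FIN-WS01", "time": "2025-05-15T09:03:20", "id": 13,  # Sysmon registry value set
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"host": "IT-ADM02", "time": "2025-05-15T10:00:00", "id": 7045, "service": "sshd"},
    {"host": "IT-ADM02", "time": "2025-05-15T14:30:00", "id": 4720, "account": "svc_backup"},
]

def classify(ev):
    """Map one record to a behaviour tag, or None if it is not relevant."""
    if ev["id"] == 7045 and ev.get("service", "").lower() in ("netbird", "sshd"):
        return "remote_access_service"
    if ev["id"] == 4720:
        return "local_account_created"
    if ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
        return "added_to_administrators"
    if (ev["id"] == 13 and ev.get("target", "").lower().endswith(RDP_VALUE)
            and ev.get("details", "").endswith("(0x00000000)")):
        return "rdp_enabled"
    return None

def correlate(events, min_behaviours=3):
    """Return {host: tags} where at least min_behaviours distinct tags fall inside WINDOW."""
    by_host = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["time"]), tag))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            tags = {t for ts, t in hits[i:] if ts - start <= WINDOW}
            if len(tags) >= min_behaviours:
                alerts[host] = sorted(tags)
                break
    return alerts
```

Each signal alone is common in managed environments (IT-ADM02 in the sample installs sshd and creates an account hours apart and is not flagged); the combination inside a short window is what merits triage.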
Separately, Cofense detailed another phishing campaign that evades detection by abusing Google Apps Script, a development platform built into various Google services.
This campaign spoofed the domain of a disability and health equipment provider and sent phishing emails meant to spark urgency. The emails linked to an invoice page hosted on Google Apps Script.
“By placing the phishing page inside Google’s trusted environment, attackers make the site appear legitimate, which increases the likelihood of recipients revealing sensitive information,” said Cofense.
Users are directed to click a ‘preview’ button that opens a fake login window resembling a Microsoft sign-in page. This entire process takes place within script[.]google[.]com, making it seem more trustworthy, according to Cofense.
These revelations follow an alert from ESET regarding phishing scams that imitate the well-known e-signature service DocuSign. In that campaign, recipients receive spoofed messages asking them to view a document or scan a QR code, both of which lead to a fraudulent Microsoft login page.