- KnowBe4 is warning of a new phishing campaign leveraging Google AppSheets’ workflow automation
- The emails are spoofing Facebook and harvesting login credentials
- The attackers can grab session tokens, as well
Cybercriminals are abusing a legitimate Google service to bypass email protection mechanisms and deliver phishing emails straight to people’s inboxes.
Cybersecurity researchers KnowBe4, who first spotted the attacks, have warned the crooks are using Google AppSheet, a no-code application development platform for mobile and web apps, and through its workflow automation were able to send emails using the “noreply@appsheet.com” address.
The phishing emails are mimicking Facebook, and are designed to trick people into giving away their login credentials, and 2FA codes, for the social media platform.
2FA codes and session tokens
The emails, which were sent in-bulk and on a fairly large scale, were coming from a legitimate source, successfully bypassing Microsoft and Secure Email Gateways (SEGs) that rely on domain reputation and authentication checks (SPF, DKIM, DMARC).
Furthermore, since AppSheets can generate unique IDs, each email was slightly different, which also helped bypass traditional detection systems.
The emails themselves spoofed Facebook. The crooks tried to trick victims into thinking they infringed on someone’s intellectual property, and that their accounts were due to be deleted within 24 hours.
Unless, of course, they submit an appeal through a conveniently placed “Submit an Appeal” button in the email.
Clicking on the button leads the victim to a landing page impersonating Facebook, where they can provide their login credentials and 2FA codes, which are then relayed to the attackers.
The page is hosted on Vercel which, KnowBe4 says, is a “reputable platform known for hosting modern web applications”. This further strengthens the entire campaign’s credibility.
The attack has a few additional contingencies. The first attempt at logging in returns a “wrong password” result – not because the victim typed in the wrong credential – but in order to confirm the submission.
Also, the 2FA codes that are provided are immediately submitted to Facebook and in return – the crooks grab a session token which grants them persistence even after a password change.
Leave a Reply