Severity
High
Analysis Summary
Cybercriminals are exploiting Google Apps Script to host phishing pages on legitimate Google domains, notably script.google.com, allowing them to bypass traditional security measures such as antivirus software and traffic filters. This method enables attackers to disguise malicious sites as trustworthy, facilitating the theft of user credentials.
According to researchers, attackers distribute emails that appear to be invoices or tax notifications. These messages contain links directing recipients to phishing pages hosted on Google's domain. Because the URLs originate from a trusted source, they often evade scrutiny by security systems. The phishing pages closely mimic legitimate login interfaces, deceiving users into entering their credentials.
Google Apps Script is a JavaScript-based cloud platform that allows users to automate tasks and extend Google Workspace services like Sheets, Docs, and Gmail. One of its features is the ability to publish scripts as public web applications with official Google domain URLs. Cybercriminals exploit this feature to embed fake login forms within Google’s infrastructure, adding a layer of legitimacy to their attacks.
After credentials are entered, victims are redirected to the actual service they expected to visit, reducing suspicion. Meanwhile, their login information is silently sent to the attackers. The threat is intensified by the attackers’ ability to dynamically modify the phishing content without changing the URL, making detection and takedown efforts more difficult.
Security experts recommend organizations monitor and restrict access to links from cloud service domains like Google Apps Script, especially those dealing with sensitive data. Although Google has taken steps to combat phishing, it had not issued a statement regarding this specific threat at the time of reporting. The evolving nature of this attack highlights the need for proactive defense strategies and heightened user awareness.
Impact
- Credential Theft
- Unauthorized Access
- Data Exfiltration
- Security Bypass
Indicators of Compromise
IP
- 167.250.5.66
URL
- https://solinec.com/APi/1YjDl_aUXTsHrhxiufjU0fBe4d2wsameerm3wJl_LX.php
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement URL filtering to detect and flag unexpected use of cloud service domains.
- Use email security gateways to detect and quarantine phishing emails with suspicious links.
- Train employees to recognize phishing attempts, especially those using trusted domains.
- Enforce multi-factor authentication (MFA) to reduce the impact of stolen credentials.
- Monitor traffic for unusual access patterns to Google-hosted URLs.
- Use threat intelligence feeds to stay updated on known phishing campaigns and URLs.
- Audit and limit third-party app permissions and integrations with corporate accounts.
- Review and harden identity and access management (IAM) policies.
- Regularly simulate phishing attacks to assess and improve user awareness.
- Use content inspection tools to analyze embedded forms and scripts in web pages.
- Report malicious Google Apps Script pages to Google for review and takedown.
- Integrate security orchestration and automated response (SOAR) tools to detect and respond faster.
- Establish incident response plans specifically addressing phishing via trusted services.