A new phishing campaign has been discovered that leverages Google Cloud Services to trick victims into handing over their Office 365 log in details. This new hacking campaign is part of an increasing trend of disguising phishing attacks using authentic cloud services.

The phishing attack begins like the majority of attacks in that an email containing a hyperlink is sent to the recipient who is then requested to click on it. If the user clicks the link in the email, they are taken to Google Drive where a PDF file has been placed. When the file is clicked on, users are asked to click a hyperlink in the document, which appears to be an invitation to open  a file hosted on SharePoint Online.

The PDF file asks the victim to visit  the link to sign in with their Office 365 ID. Clicking the link will bring the user to a landing page hosted using Google’s storage.googleapis.com. When the user vosots on the landing page, they are shown with an Office 365 login prompt that looks exactly like the real thing. After entering their details, they will be directed to a legitimate PDF whitepaper that has been obtained from a well-respected global consulting company.

The campaign has been created to make it look like the victim is simply being taken to a PDF file that has been shared via Sharepoint, and the actual PDF file is displayed after the victim has divulged their details. It is therefore possible that the victim will not realize that their Office 365 credentials have been phished. The only sign that this is a scam is the source code on the phishing page, which even tech-savvy people would be unlikely to check.

This campaign was discovered by experts at Check Point, but it is just one of many similar campaigns to have been identified over the past few months. Since these domains are authentic and have valid SSL certificates, they are difficult to detect as malicious. This campaign targeted Google Cloud Services, but several other campaigns have been detected using the likes of IBM Cloud, Microsoft Azure and others to add authenticity to the campaigns.

This campaign emphasises the importance of providing security awareness training to the workforce and warning employees about the risks of visiting links in unsolicited emails, even those that link to real domains. An advanced email security solution should also be put in place to prevent malicious emails and ensure the majority of malicious messages are not sent to inboxes. That is an area where TitanHQ can be of assistance.