Welcome to Google. Enter Your Password… So Hackers Can Steal It
Cybercriminals have found a new way to bypass security systems by hosting phishing pages on Google Apps Script, disguising malicious sites as legitimate Google domains. This allows them to steal login credentials without triggering antivirus or traffic filtering systems.
How the Attack Works
- The Bait: Victims receive emails posing as invoices, tax notices, or urgent documents.
- The Trap: A link leads to a phishing page hosted on script.google.com—a trusted Google domain.
- The Theft: The page mimics a real login (Gmail, corporate portals, etc.), tricking users into entering credentials.
- The Escape: After submission, victims are redirected to a legitimate site, while stolen data is silently sent to attackers.
Why This Works
- Google Apps Script is a legitimate cloud platform for automating Google Workspace tasks.
- Attackers publish malicious scripts as "web apps", giving them a Google-hosted URL.
- Most security tools whitelist Google domains, letting phishing pages slip through.
- Attackers can edit scripts in real-time, changing content without altering the link.
The Danger
- No warnings: Since it’s a Google domain, email filters and antivirus often ignore it.
- Highly adaptable: One link can serve multiple phishing campaigns (fake invoices, password resets, etc.).
- Hard to block: Organizations rarely restrict access to Google Apps Script.
How to Protect Yourself
✔ Always check URLs—even if they look like Google’s.✔ Enable multi-factor authentication (MFA) to block credential theft.
✔ Train employees to spot phishing—especially links to script.google.com.
✔ Restrict access to Google Apps Script in corporate environments.
Google has not yet commented on new safeguards, but until then—trust no login page, even if it’s on a Google domain.
Stay alert. The safest-looking links are often the most dangerous.
