- KnowBe4 is warning of a new phishing campaign leveraging Google AppSheets‘ workflow automation
- The emails are spoofing Facebook and harvesting login credentials
- The attackers can grab session tokens, as well
Cybercriminals are abusing a legitimate Google service to bypass email protection mechanisms and deliver phishing emails straight to people’s inboxes.
Cybersecurity researchers KnowBe4, who first spotted the attacks, have warned the crooks are using Google AppSheet, a no-code application development platform for mobile and web apps, and through its workflow automation were able to send emails using the „noreply@appsheet.com“ address.
The phishing emails are mimicking Facebook, and are designed to trick people into giving away their login credentials, and 2FA codes, for the social media platform.
Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.
It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.
Preferred partner (What does this mean?)View Deal
2FA codes and session tokens
The emails, which were sent in-bulk and on a fairly large scale, were coming from a legitimate source, successfully bypassing Microsoft and Secure Email Gateways (SEGs) that rely on domain reputation and authentication checks (SPF, DKIM, DMARC).
Furthermore, since AppSheets can generate unique IDs, each email was slightly different, which also helped bypass traditional detection systems.
The emails themselves spoofed Facebook. The crooks tried to trick victims into thinking they infringed on someone’s intellectual property, and that their accounts were due to be deleted within 24 hours.
Unless, of course, they submit an appeal through a conveniently placed “Submit an Appeal” button in the email.
Clicking on the button leads the victim to a landing page impersonating Facebook, where they can provide their login credentials and 2FA codes, which are then relayed to the attackers.
The page is hosted on Vercel which, KnowBe4 says, is a “reputable platform known for hosting modern web applications”. This further strengthens the entire campaign’s credibility.
The attack has a few additional contingencies. The first attempt at logging in returns a “wrong password” result – not because the victim typed in the wrong credential – but in order to confirm the submission.
Also, the 2FA codes that are provided are immediately submitted to Facebook and in return – the crooks grab a session token which grants them persistence even after a password change.
You might also like
- YouTubers targeted by blackmail campaign to promote malware on their channels
- Take a look at our guide to the best authenticator app
- We’ve rounded up the best password managers