A newly identified phishing campaign used Google Drive to help bypass some email security features as attackers attempted to target a company in the energy industry, security firm Cofense reported this week.
To better disguise this spear-phishing campaign, the attackers sent emails under the guise of the firm’s CEO, which included a link to a Google Docs file as well as a fake login page, according to Cofense researchers.
The attackers used a tailor-made email that included the company logo, the CEO’s name, and a previously disseminated business message to make it appear even more authentic, according to the Cofense blog about the attack, which did not identify the company that was targeted.
And while the phishing emails were tailored to get employees to click so that credential-harvesting malware could be downloaded, it was the use of a Google Drive link that allowed the attackers to bypass the security features built into Microsoft Exchange, because the link came from an authentic and recognized business service, according to the researchers.
It appears the target company’s email body inspection tool did not examine the message past the first link, which then allowed the email to be marked as non-malicious and passed on to employees along with the payload, the researchers note.
“By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular, Microsoft Exchange Online Protection, and make its way to the end-user,” says Aaron Riley, a Cofense researcher who examined the attack.
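The inspection gap described above can be modeled in a few lines. This is an added example, not code from Cofense or from any Microsoft product: it contrasts a simplified check that clears a message on its first link with one that reviews every link. The host lists, the sample message and all function names are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists for illustration; a real gateway would load these from policy.
TRUSTED_SHARING_HOSTS = {"drive.google.com", "docs.google.com"}
KNOWN_CORPORATE_HOSTS = {"intranet.example.com"}

# Constructed sample message (placeholder hosts and file id).
SAMPLE = (
    "From: ceo@example.com\n"
    "Subject: Business update\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>See <a href="https://drive.google.com/file/d/EXAMPLE/view">the memo</a>, '
    'then <a href="https://login.example.net/signin">sign in</a>.</p>\n'
)

class HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.urls.extend(v for k, v in attrs if k == "href" and v)

def extract_links(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = HrefCollector()
    collector.feed(body.get_content() if body is not None else "")
    return collector.urls

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def first_link_verdict(urls):
    # Weak logic: one recognized service on the first link clears the message.
    return "deliver" if urls and host_of(urls[0]) in TRUSTED_SHARING_HOSTS else "inspect"

def review_all_links(urls):
    # Every link is judged; a sharing service vouches for the host, not the file.
    findings = []
    for url in urls:
        if host_of(url) in TRUSTED_SHARING_HOSTS:
            findings.append((url, "user-hosted file: fetch and inspect content"))
        elif host_of(url) not in KNOWN_CORPORATE_HOSTS:
            findings.append((url, "unrecognized host"))
    return findings
```

On the constructed message, `first_link_verdict` returns `deliver` while `review_all_links` returns a finding for both links.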