Unidentified threat actors are leveraging legitimate services such as PayPal or Google Workspace to send out phishing emails and bypass virtually all email security solutions available today.
A report from cybersecurity researchers at Avanan has detailed how hackers managed to get these services to send out phishing emails on their behalf, thus tricking email security solutions.
For criminals, the problem with phishing emails is that the domains from which they’re sent, their subject lines, and their content all get scanned by email security products, so the messages often don’t make it into the victim’s inbox. However, when that email comes from Google, the security product has no other choice but to let it through.
Now, if a threat actor creates a malicious Google Docs file with a link to a phishing site and simply tags the victim in it, Google will send out the notification without raising any alarms. That document can be anything from a fake invoice to a fake notification of a service being renewed. Usually, the common denominator for all these emails is that something needs to be addressed urgently, otherwise the victim will lose money.
The same applies to PayPal. An attacker can generate a fake invoice with a link to the phishing website in the invoice’s description and simply mail it to the victim via PayPal.
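One defensive check the technique above suggests, as an added example that is not from Avanan's report: treat a notification that genuinely comes from a trusted service as suspicious when the links embedded in its body resolve outside that service's own domains. The sender addresses, the allowlist and the sample notification are constructed assumptions for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed allowlist: the link domains a genuine notification from each
# sending service is expected to contain. Tune to your own environment.
SERVICE_LINK_ALLOWLIST = {
    "docs.google.com": {"google.com"},
    "mail.paypal.com": {"paypal.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def base_domain(host: str) -> str:
    """Crude registrable-domain reduction: keep the last two labels."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(raw_email: str) -> list[str]:
    """Links in a trusted-service notification that point outside that service.

    The mail really comes from Google or PayPal, so sender reputation and
    SPF/DKIM are not signals here; the attacker-controlled part is the URL
    written into the document or invoice text, and that is what gets flagged.
    """
    msg = message_from_string(raw_email)
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender = match.group(1).lower() if match else ""
    allowed = SERVICE_LINK_ALLOWLIST.get(sender)
    if allowed is None:
        return []  # not a notification from a service modelled here
    body = msg.get_payload()  # samples are single-part plain text
    flagged = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if base_domain(host) not in allowed:
            flagged.append(url)
    return flagged


# Constructed sample: a Google Docs "mentioned you" notification whose document
# text carries an attacker-controlled link (placeholder domain, not a real IoC).
SAMPLE_GOOGLE_NOTIFICATION = """From: Google Docs <comments-noreply@docs.google.com>
Subject: Someone mentioned you in "Invoice 2291 - payment overdue"

Open the document: https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit
Comment: Your subscription will be cancelled unless you settle today at
https://invoice-renewal.example-phish.test/login
"""
```

The Google Docs link itself passes, because it belongs to the sending service; only the link written into the document text is returned for review.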
Besides these two companies, threat actors have also been impersonating SharePoint, FedEx, Intuit, iCloud, and others, the researchers claim.
Most of the time, hackers engaged in phishing are looking for credentials to sensitive systems which they can later use to distribute more dangerous malware (for example, to run a ransomware operation). In other cases, they’d go after payment information, either to sell it on the black market, or to use it to fund illegal activities (such as DDoS-as-a-service, for example).