To get around email security measures and send phishing emails directly to people’s inboxes, cybercriminals are reportedly abusing a legitimate Google service.
The hackers are using Google AppSheet, a no-code application development platform for mobile and web apps, and were able to send emails from the “noreply@appsheet.com” address thanks to its workflow automation, according to cybersecurity researchers at KnowBe4, who were the first to notice the attacks. The phishing emails impersonate Facebook in an attempt to fool recipients into divulging their login information and two-factor authentication codes.
The emails were sent in bulk and at relatively large scale from a legitimate source, so they successfully evaded Secure Email Gateways (SEGs) and Microsoft, which depend on authentication checks (SPF, DKIM, DMARC) and domain reputation. Additionally, because AppSheet can create unique IDs, every email was a little bit different, which further evaded detection systems.
In an attempt to deceive victims into believing they had violated someone’s intellectual property, the scammers threatened to delete their accounts within a day unless they filed an appeal using the email’s handy “Submit an Appeal” button.
After clicking the button, the victim reaches a landing page that mimics Facebook and asks for their login information and 2FA codes, which are then sent to the attackers.
The page is hosted on Vercel, which KnowBe4 describes as a “reputable platform known for hosting modern web applications.” This further enhances the credibility of the entire campaign.
The attack includes a few other tricks. The initial attempt to log in yields a “wrong password” message, not because the victim entered incorrect credentials but as a way to validate the submission.
Additionally, the submitted 2FA codes are instantly relayed to Facebook, and the criminals obtain a session token in exchange, giving them persistence even after the victim changes their password.
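
As an added example (not from KnowBe4 or the original article), the sketch below shows one way a defender might triage such messages: because SPF, DKIM and DMARC pass for appsheet.com, it compares the brand a message claims against the sending domain and flags links to shared app-hosting domains. The brand/domain table, the `vercel.app` suffix list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed policy tables for this sketch; tune them to your own mail flow.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com", "meta.com"}}
SHARED_HOSTING = ("vercel.app",)  # app-hosting suffixes anyone can deploy to

# Constructed sample message; every value is illustrative.
SAMPLE = """\
From: Facebook Support <noreply@appsheet.com>
To: user@example.com
Subject: Your Facebook account is scheduled for deletion
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Your account violated intellectual property rules and will be deleted in 24 hours.
Submit an Appeal: https://example-appeal-page.vercel.app/case
"""

def under(host, suffix):
    """True if host is the suffix itself or one of its subdomains."""
    return host == suffix or host.endswith("." + suffix)

def triage(raw):
    """Return the reasons a message looks like brand impersonation."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    reasons = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and not any(under(sender, d) for d in domains):
            reasons.append(f"claims '{brand}' but sent from {sender}")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if any(under(host, s) for s in SHARED_HOSTING):
            reasons.append(f"link to shared hosting: {host}")
    auth = msg.get("Authentication-Results", "").lower()
    if reasons and "dmarc=pass" in auth:
        # A pass only proves the sending platform, not the claimed brand.
        reasons.append("authentication passed for the sending platform only")
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print(reason)
```

The check keys on content-versus-sender mismatch rather than on message hashes, so the per-email unique IDs described above do not affect it.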