By: Jonathan Asuelo, Cofense Phishing Defense Center
When we think about phishing attacks, we typically picture suspicious emails containing questionable links that lead to fake websites designed to mimic authentic ones. However, threat actors are becoming more strategic, now leveraging tools from trusted tech giants to exploit users. The Cofense Phishing Defense Center recently identified a phishing campaign that takes this approach to the next level. The attack uses an email masquerading as an invoice, containing a link to a webpage that uses Google Apps Script, a development platform integrated across Google’s suite of products. By hosting the phishing page within Google’s trusted environment, attackers create an illusion of authenticity. This makes it easier to trick recipients into handing over sensitive information.
Figure 1: Email Body
The email, shown in Figure 1, has been identified as part of a malicious campaign in which threat actors spoof the domain of a legitimate company that provides disability and health equipment. The email appears to include a link to an invoice. Since this organization may genuinely send invoices as part of its regular operations, recipients should be especially cautious and verify the authenticity of any such email that claims to require payment or unexpected information. This tactic was paired with a message containing minimal information, relying on its ambiguity to mislead the recipient. It is designed to create stress, making the recipient more likely to click the link without thinking twice, exploiting split-second decision-making because the message appears urgent or business-related. Short emails are also less likely to trigger spam filters or security tools that scan for suspicious or malicious content, and they give the attacker fewer opportunities to make grammar or spelling errors.
Figure 2: Fake Invoice Page
When the unsuspecting recipient clicks the link, they are redirected to an invoice page hosted on script[.]google[.]com, as shown in Figure 2. Initially, there are no obvious signs of malicious intent, but by keeping the banner and body ambiguous, the design is meant to steer the recipient’s focus to the preview button and spark curiosity or urgency, making the threat less noticeable to the average observer.
Figure 3: Phishing Page
Once the target clicks the “Preview” button on the fake invoice page, things start to take a malicious turn. In place of a genuine document or invoice, as seen in Figure 3, the preview button triggers a fraudulent login window to pop up – one that’s carefully designed to look like a legitimate login screen.
Because this entire setup is hosted on a Google domain (script[.]google[.]com), many users may already feel a sense of trust. “After all, it’s Google. What could go wrong?” That’s exactly what the attackers are counting on. By using a trusted platform to host the phishing page, the threat actor creates a false sense of security, obscuring the underlying threat with the goal of getting the recipient to enter their email and password without thinking twice.
Figure 4: Final redirect page
Once the target enters their credentials, the phishing page immediately captures the data and transmits it to the attacker using a PHP script. It then automatically redirects the user to a legitimate Microsoft login page, seen in Figure 4, to avoid raising suspicion. With the stolen credentials, attackers can infiltrate sensitive systems, opening the door to data breaches or significant financial damage.
Phishing emails like these are a good example of how attackers take advantage of legitimate domains to make their scams look more convincing. It is important to stay vigilant and educate employees about the risk of phishing attacks. The Cofense Managed Phishing Detection and Response (MPDR) solution can help identify threats in real time and improve your company's defenses against evolving threats.
Stage 1 - Observed Email Infection URL:
Infection URL IP(s):
142.251.16.106 142.251.16.147 142.251.16.104 142.251.16.105 142.251.16.99 142.251.16.103
Stage 2 - Observed Payload URL(s):
hXXps://solinec[.]com/APi/1YjDl_aUXTsHrhxiufjU0fBe4d2wsameerm3wJl_LX[.]php
Payload IP(s):
167.250.5.66
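As an added defender-side example (not code from the post or from Cofense), the following Python refangs the indicators listed above and runs them, together with the script[.]google[.]com lure pattern the post describes, over a few constructed proxy log lines to flag clients that followed the lure-then-exfiltration chain. The log format, the client IPs and the PLACEHOLDER_ID Apps Script path are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators published in the post, kept in their defanged form.
DEFANGED_IOCS = [
    "hXXps://solinec[.]com/APi/1YjDl_aUXTsHrhxiufjU0fBe4d2wsameerm3wJl_LX[.]php",
    "167.250.5.66",
]
TRUSTED_LURE_HOSTS = {"script.google.com"}  # legitimate host abused to stage the lure page

def refang(ioc: str) -> str:
    """Restore hXXp(s):// and [.] so the indicator can be compared with live data."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE).replace("[.]", ".")

def ioc_hosts(defanged) -> set:
    """Hostnames/IPs to match on; a bare IP indicator is used as a host."""
    return {urlparse(i).hostname if "://" in i else i for i in map(refang, defanged)}

def classify(url: str, hosts: set) -> str:
    host = (urlparse(url).hostname or "").lower()
    if host in hosts:
        return "ioc-match"          # known credential-collection endpoint
    if host in TRUSTED_LURE_HOSTS:
        return "trusted-host-lure"  # worth review, not proof of compromise
    return "clean"

# Constructed proxy log lines (not from the post): timestamp client method url
SAMPLE_LOG = """\
2024-05-01T10:02:11Z 10.1.2.3 GET https://script.google.com/macros/s/PLACEHOLDER_ID/exec
2024-05-01T10:02:40Z 10.1.2.3 POST https://solinec.com/APi/1YjDl_aUXTsHrhxiufjU0fBe4d2wsameerm3wJl_LX.php
2024-05-01T10:02:41Z 10.1.2.3 GET https://login.microsoftonline.com/
2024-05-01T10:05:00Z 10.1.2.9 GET https://script.google.com/macros/s/PLACEHOLDER_ID/exec
"""

def scan_log(text: str, defanged=DEFANGED_IOCS) -> dict:
    """Map each client to its non-clean verdicts, in log order."""
    hosts = ioc_hosts(defanged)
    per_client = {}
    for line in text.splitlines():
        _ts, client, _method, url = line.split()
        verdict = classify(url, hosts)
        if verdict != "clean":
            per_client.setdefault(client, []).append(verdict)
    return per_client

def likely_credential_theft(per_client: dict) -> list:
    """Clients that reached the lure host and afterwards a known IoC: the chain in the post."""
    return [c for c, v in per_client.items()
            if "trusted-host-lure" in v and "ioc-match" in v[v.index("trusted-host-lure"):]]
```

A client that only visited the Apps Script page is reported for review, while a client that went on to post to the known collection endpoint is reported as likely credential theft.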
All third-party trademarks referenced by Cofense, whether in logo form, name form, or product form, or otherwise, remain the property of their respective holders, and the use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time, based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.