Google Docs used for Office 365 credential phishing

Phishers are using Google online services to take over Microsoft online service accounts.

Since the onset of the COVID-19 pandemic, many companies have moved much of their workflows online and learned to use new collaboration tools. In particular, Microsoft’s Office 365 suite has seen a lot more use — and, to no one’s surprise, phishing now increasingly targets those user accounts. Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft’s sign-in page. Here is another phishing scheme that makes use of Google services.

Phishing letter

Like most phishing schemes, this one begins with a letter (and link) similar to this one:

A phishing letter with a Google Docs link

The unclear message from an unknown sender concerns some kind of deposit and includes a link having to do with “Deposit Advice.” The letter asks the recipient to check on the deposit type or confirm the sum. Now, although security systems alert recipients about the letter coming from outside the company, the link “to the file” passes muster because it connects to a legitimate Google online service, not a phishing site.

Phishing site

The link leads to a location that appears to be the OneDrive corporate service page. Users can even see that the document is available to any company user (probably set that way in hopes that someone will forward the link to a corporate accountant).

A Google Docs presentation that looks more like OneDrive's interface

But the screen users see is not truly a Web page; it’s a slide from a Google Docs presentation that automatically opens in View mode. The Open button on it can conceal any link at all. In this case, the link connects to a phishing page disguised as an Office 365 sign-in page.

Fake sign-in page

Red flags

To begin with, the letter looks weird. You should not trust — let alone forward — a letter whose source and purpose aren’t clear. In this case, for example, if you weren’t involved in a deposit, then perhaps you shouldn’t be taking any action regarding that deposit.

More evidence:

  • Letters from external sources don’t tend to link to a company’s internal documents;
  • Real financial documents are set to open for specific people, not every single person in an organization;
  • The filename in the letter does not match the one allegedly stored on OneDrive;
  • Google Docs does not host Microsoft OneDrive pages (see the browser address bar);
  • OneDrive is not Outlook, and an Open button in OneDrive should not lead to an Outlook sign-in page;
  • Outlook sign-in pages do not reside on Amazon websites (another browser address bar clue).

Each inconsistency should raise a flag, and together, they can leave no doubt: This is not a safe place for your Office 365 credentials.

How to stay safe

The key to digital safety lies in paying attention to details and being aware of phishing tricks. We also strongly recommend raising corporate awareness about current cyberthreats (our training is available online).

In addition to training staff, make use of link-screening tools at the corporate and workstation levels.
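
The two address-bar checks from the red-flag list, written as a link-screening rule. This is an added example, not code from the original article or from any product; the host allowlists, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlists (illustrative only); maintain your own for real use.
BRAND_HOSTS = {
    "onedrive": ("onedrive.live.com", "sharepoint.com"),
    "office365_signin": ("login.microsoftonline.com", "login.live.com"),
}

# Constructed sample: the two hops the article describes, as
# (what the page looks like, where it is actually hosted).
SAMPLE_CHAIN = [
    ("onedrive", "https://docs.google.com/presentation/d/CONSTRUCTED_ID/preview"),
    ("office365_signin", "https://constructed-bucket.s3.amazonaws.com/signin.html"),
]

def host_of(url):
    """Return the lowercase hostname, ignoring any userinfo and port."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def host_matches(host, allowed):
    """True if host is an allowed domain or a subdomain of one.
    Matching on a dot boundary keeps 'x-sharepoint.com' from passing."""
    return any(host == d or host.endswith("." + d) for d in allowed)

def screen_chain(chain):
    """Compare each hop's apparent brand with the host that serves it.
    Returns a list of flags; an empty list means no mismatch was found."""
    flags = []
    for brand, url in chain:
        host = host_of(url)
        if urlsplit(url).scheme != "https":
            flags.append(f"{brand}: not served over https ({url})")
        if not host_matches(host, BRAND_HOSTS.get(brand, ())):
            flags.append(
                f"{brand}: page is hosted on {host}, "
                f"which is not a known {brand} host"
            )
    return flags

if __name__ == "__main__":
    for flag in screen_chain(SAMPLE_CHAIN):
        print(flag)
```

The "looks like" label has to come from somewhere else, such as page-title or logo matching in the screening tool or a user report; this rule only compares that label with the serving host.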