Home Articles How Scammers Targeted Google Docs & Microsoft Sway to Steal User Credentials

How Scammers Targeted Google Docs & Microsoft Sway to Steal User Credentials


Recently, researchers revealed that hackers targeted Google Docs and Microsoft Sway to steal user credentials. Read on to know more about it…

Amid the global pandemic, cybercriminals are increasingly using coronavirus as a lure to trick unfocused users by capitalising on their fear and uncertainty.

Security researchers disclosed that they have identified a new type of impersonation attack that is using Google file sharing and storage websites like Google Docs to trick victims into sharing login credentials.

Of the nearly 100,000 form-based attacks detected between January 1 and April 30, Google Docs were used in 65 per cent of attacks, making up 4 per cent of all spear-phishing attacks in the first four months of 2020, said Barracuda Networks, a leading provider of cloud-enabled security and data protection solutions.

Modus Operandi
In this type of brand impersonation attack, scammers leverage file, content-sharing, or other productivity sites like docs.google.com or sway.office.com to convince victims to hand over their credentials. The hackers impersonated emails that appear to have been generated automatically by a legitimate file-sharing site such as OneDrive and takes their victim to a phishing site through a legitimate file-sharing site.

Another tactic is creating an online form using legitimate services like forms.office.com. The forms resemble a login page of legitimate service, and the link to the form is then included in phishing emails to harvest credentials. The security researcher said that these impersonation attacks are difficult to detect because they contain links pointing to legitimate websites that are often used by organizations.

Getting access to accounts without passwords is another attack variant where the original phishing email contains a link that looks like a usual login page. The link contains a request for an access token for an app. After login credentials are entered, the user is presented with a list of app permissions to accept. By accepting these permissions, the attacker can get to use the same login credentials to access the account. Even two-factor authentication cannot refrain the spammers to perform such phishing attacks as the malicious app gets approved by the user to access accounts.

Magnitude of Attacks
In the recent form-based attacks, attackers leveraged 25 per cent storage.googleapis.com, 23 per cent docs.google.com, 13 per cent storage.cloud.google.com and 4 per cent drive.google.com.

In comparison, Microsoft brands were targeted in 13 percent of attacks: onedrive.live.com (6 per cent), sway.office.com (4 per cent), and forms.office.com (3 per cent). The other sites used in impersonation attacks include sendgrid.net (10 per cent), mailchimp.com (4 per cent), and formcrafts.com (2 per cent). All other sites made up six percent of form-based attacks.

While such attacks cannot be eliminated easily, business organisations can establish strategies that use artificial intelligence to detect and block attacks, such as account takeover and domain impersonation. They must also have a solution in place that uses machine learning to analyse normal communication patterns within your organization, instead of relying solely on looking for malicious links or attachments. They must also facilitate multi-factor authentication and two-step verification for online accounts that can provide an additional layer of security beyond username and password, such as an authentication code, thumb print, or retinal scan. Organisations must track IPs that exhibit other suspicious behaviors, including failed logins and access from suspicious devices.


Please enter your comment!
Please enter your name here

+ 16 = 17