Attackers Use Google Forms to Select Targets for Business Email Compromise


Monday, January 25th, 2021

Proofpoint Threat Researchers discovered attacks that use Google Forms to bypass email security content filters, which work off known keywords. The use of Google Forms is not new, but sending through Google services gives social engineering attacks the benefits of scale and legitimacy. The technique is most associated with business email compromise (BEC).

Composing and sending their emails through Google Forms allows threat actors to evade email filters. The subjects used in the emails are unique names of low-level executives from within the target organization. It's important to note that the actors make no attempt at display-name spoofing. The emails are simple but convey a sense of urgency, often urging the recipient to perform a “quick task” at the behest of the executive named in the email’s subject line.

In one instance, the actors demanded a “quick task” from the user, with the actor claiming to be heading into a meeting or otherwise too preoccupied to handle the task themselves. The link in the email leads the user to a default, untitled form hosted on Google Forms’ infrastructure. The primary goal is to elicit a reply from the victim, under the pretext that the survey is broken or not what they expected. As a secondary goal, the form likely serves as a sensor that shows whether anyone fills it out, functioning as a reconnaissance technique to identify users who may be susceptible to clicking a suspicious link found in an email.

Although the messages may appear poorly written, there is still a threat in either responding to or completing the benign form, because user action may lead to follow-on actions scoped to a more receptive audience.

While social engineering is widely used throughout email-based attacks, it is utilized differently in malware and credential phishing than in BEC campaigns. In a malware campaign, social engineering is used in the initial email. Conversely, in BEC, social engineering is used through all stages of the fraud. Although it is rare, we do observe actors delivering malware after the exchange of benign messages.
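The traits described above (a subject line that is only an executive's name, a link to a Google Forms form, and “quick task” wording) can be scored together on inbound mail, as in this added example, which is not from Proofpoint or the original article. The executive list, the sample messages and the Google Forms hostnames (docs.google.com/forms, forms.gle) are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Hosts that serve Google Forms (assumption: general knowledge, not listed on the page).
FORMS_LINK = re.compile(r"https?://(?:docs\.google\.com/forms/|forms\.gle/)\S+", re.I)
URGENCY = re.compile(r"\bquick task\b", re.I)

def score_message(raw, executive_names):
    """Return (score, reasons) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=default)
    # The page notes there is no display-name spoofing, so the From header is
    # not inspected; the executive's name is looked for in the Subject instead.
    subject = " ".join((msg["Subject"] or "").split()).casefold()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    reasons = []
    if subject and subject in {name.casefold() for name in executive_names}:
        reasons.append("subject is only an executive's name")
    if FORMS_LINK.search(body):
        reasons.append("links to a Google Forms form")
    if URGENCY.search(body):
        reasons.append("'quick task' urgency wording")
    return len(reasons), reasons

# Constructed sample messages (not taken from the campaign).
SUSPECT = """\
From: Sender <sender@example.com>
To: employee@example.org
Subject: Jane Doe
Content-Type: text/plain; charset=utf-8

Are you at your desk? I need a quick task done, heading into a meeting.
https://docs.google.com/forms/d/e/EXAMPLE/viewform
"""
BENIGN = """\
From: HR <hr@example.org>
To: employee@example.org
Subject: Team lunch survey
Content-Type: text/plain; charset=utf-8

Please fill in the lunch survey: https://docs.google.com/forms/d/e/EXAMPLE/viewform
"""

if __name__ == "__main__":
    executives = ["Jane Doe", "John Roe"]  # hypothetical directory export
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, score_message(raw, executives))
```

A Google Forms link alone is common in legitimate mail, so only the combination of signals is worth routing for review.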

IOCs:

Sources:
