Phishing for Office 365 logins using Google Cloud Services


Fraudsters are constantly looking for new ways of collecting login details. Malicious individuals have increasingly turned to public cloud services to host lure documents and phishing pages. This has made it increasingly more difficult for targets to detect attacks. This trend has seen an increase, especially among cyber criminals who utilize cloud services to host phishing landing pages and lure documents redirecting to them. 

Unfortunately, this past year malicious actors devised a scenario that used legitimate elements to cover up the theft of Office 365 credentials in a phishing campaign.   

A report by researchers at Check Point revealed that the attackers relied on Google Drive to host a malicious PDF document and Google’s “storage.googleapis[.]com” to host the phishing page. Cyber criminals are not only maliciously using Google’s cloud services to deploy their attacks. Microsoft Azure, Microsoft Dynamics, and IBM Cloud have also been abused in the recent phishing campaigns according to BleepingComputer. 


Phishing Attack Simulation 

LIFARS’ Cyber Resiliency Team can help you with simulating a real phishing attack to your organization and increase your overall security. 


The PDF was created to look as if it was a gateway to content available through web-based collaborative platform SharePoint, notes Check Point. In the case that the victim takes the bait and follows the Access Document link, the phishing page hosted in Google Cloud Platform loads asking to log in using Office 365 credentials or an organization’s ID. Once this step is completed by the victim, an Outlook login pop-up window launches to complete the alleged login and provide access to the requested document.  

Check Point emphasizes that it would be difficult for victims to spot the scam. This is because the pages load from legitimate sources and as the end of the process a genuine PDF document from a reputable company is delivered.   

The source code reveals that the resources for the landing pages are loaded from a third-party location, “prvtsmtp[.]com.” 

Another trick observed in more recent attacks may leave victims clueless of the phishing attacks. Researchers explain that attackers are using Google’s Cloud Functions service. This allows running code in the cloud, which allows loading the resources for the phishing page without revealing the attacker’s domain.  

Check Point said that, “Investigating prvtsmtp[.]com showed that it resolved to a Ukrainian IP address (31.28.168[.]4). Many other domains related to this phishing attack resolved to the same IP address, or different ones on the same netblock.”  

Using this, researchers were able to track the attacker’s activity back to 2018. That was when they hosted the phishing pages directly on a malicious website. However, they then switched to Azure Storage and Google Cloud. Google has stated that it suspended the malicious files and the URL no longer works as well.  

For more information on phishing and how we can help you assess your resiliency against such attacks, see our “Phishing Attack Simulations and Effective Measures to Prevent Them” whitepaper.