
Cybercriminals have discovered a novel method for circumventing security systems by hosting phishing pages on the Google Apps Script platform. This approach enables them to disguise malicious websites as legitimate ones, thereby harvesting user credentials without raising suspicion from antivirus software or traffic filtering systems.
According to researchers at Cofense, the attackers distribute emails masquerading as invoices or tax notifications. Embedded within the message is a link leading to a web page hosted on the Google domain — script.google.com — allowing it to bypass most filtering mechanisms without triggering alarms. The primary objective is to lure the recipient into entering their login credentials on a counterfeit sign-in page, visually indistinguishable from the genuine interface.
Google Apps Script is a cloud-based platform built on JavaScript, designed to automate workflows and extend the capabilities of Google Workspace applications, including Google Sheets, Docs, Drive, and Gmail. One of its notable features is the ability to publish custom scripts as public web applications, which are assigned Google domain URLs. This is precisely what the attackers exploit, embedding fraudulent login forms within Google’s trusted infrastructure.
Upon entering their credentials, the victim is redirected to the legitimate service, creating a convincing illusion of authenticity while granting the attackers sufficient time to exploit the compromised accounts. The stolen data is exfiltrated through a concealed request, imperceptible to the user.
The danger of this technique lies in the attackers’ ability to dynamically manage their campaigns — they can alter the script’s content at any moment without changing the link, allowing them to effortlessly adapt the bait and avoid relaunching entire phishing campaigns.
Experts urge organizations to tighten scrutiny of links pointing to cloud service domains, including Google Apps Script, and, where possible, to restrict or block access entirely. This is especially critical for institutions handling sensitive information or managing corporate accounts. Google has previously implemented measures to combat phishing attacks within its ecosystem.
At the time of publication, Google had not provided any comment regarding potential safeguards against such misuse.