A new phishing tactic was discovered that takes advantage of Google Accelerated Mobile Pages (AMP), which is known to be successful in bypassing email security infrastructure.
An open-source HTML framework called Google AMP is used to create websites that are mobile and browser compatible. Google’s servers host AMP pages, where content is streamlined and some of the heavier media elements are pre-loaded for quicker delivery.
Threat actors have begun using Google AMP URLs as links inside their phishing emails as part of a new strategy. These links have a track record of successfully contacting enterprise-level workers since they are hosted on trusted domains.
The purpose of utilizing Google AMP URLs in phishing emails is to prevent email protection technology from flagging messages as fraudulent or suspicious owing to Google’s reputation.
The AMP URLs cause a redirection to a fraudulent phishing website, and this extra step also adds an analysis-disrupting layer.
Notably, the usage of URLs in phishing attacks targeting employee login credentials first surfaced in May 2023 and has persisted as of the time of this writing.
According to the Confense report, URLs are extremely effective at reaching consumers in environments protected by secure email gateways (SEGs).
“Out of all the Google AMP URLs we have observed, approximately 77% were hosted on the domain google.com and 23% were hosted on the domain google.co.uk”, reports Confense.
“The URL pathing is a good indicator for this phishing campaign, but it is difficult to outright block “google.com/amp/s/” due to the legitimate uses.”
Observed Strategies Used In The Campaigns
Trusted domains are frequently utilized across all stages of phishing attempts, not simply the first Google domain.
Several campaigns utilizing the Google AMP approach have seen URL redirection as a component of the URL as well as an additional stage. Disrupt analysis gains a new layer as a result of this.
Image-based phishing emails have been utilized. By substituting an ordinary text body with an encoded HTML image that has a malicious embedded link and is clickable by the receiver, the threat actor can disrupt analysis.
“The lures behind these emails have varied, but are primarily email notifications, requests, reminders, shared files, or are finance related,” Confense.
Cloudflare CAPTCHA is not surprising that it has surfaced because it has been a frequently employed tactic in phishing attacks. The use of CAPTCHA services disrupts automatic analysis and necessitates a manual examination of each phishing campaign.
Campaigns that apply this tactic have shown to be quite elusive, and they also use other TTPs that are known to get around email security infrastructure.