
🚨 Executive Summary
Attackers are running a new Gmail phishing campaign that abuses a weaponized login flow to harvest credentials and bypass traditional security controls. Unlike conventional phishing kits, this attack leverages legitimate-looking Google authentication flows embedded with malicious redirections, creating high-trust deception for victims.
Impact:
- Theft of Gmail/Workspace credentials.
- Potential compromise of SSO-linked enterprise accounts.
- Risk of supply-chain breaches through Google Drive/Docs sharing.
🔎 Attack Flow Breakdown
- Initial Vector — Email Lure
  - Victims receive a phishing email disguised as:
    - a Google Drive file share
    - a security notification (“Your account will be disabled”)
    - an invoice or HR notification with embedded login links
- Weaponized Login Redirect
  - The link leads to a crafted login portal hosted on compromised or attacker-controlled infrastructure.
  - Attackers use embedded OAuth flows or Google-styled HTML templates.
- Credential Harvesting
  - Once the victim enters email + password, credentials are captured.
  - In some cases, the phishing kit also prompts for 2FA codes or attempts Adversary-in-the-Middle (AitM) interception.
- Post-Exploitation
  - Stolen credentials are used to:
    - access Gmail/Workspace
    - hijack Google Drive/Docs for further phishing (“reply-chain phishing”)
    - move laterally into enterprise accounts tied to Google SSO
🎯 Why This Attack Works
- High-trust deception: Pages mimic legitimate Google login workflows.
- Real branding: Embedded icons, valid TLS certificates, and “https://” padlock hosting tricks lend the page false legitimacy.
- Multi-step flow: Victims are led through what feels like a real Gmail sign-in, reducing suspicion.
- AitM capability: Captures MFA tokens in real-time.
🛡️ Detection & Defense
Indicators of Attack (IOAs)
- Emails with links to non-Google domains, disguised with docs.google.com link text.
- Login prompts served from compromised WordPress, Shopify, or static site hosts.
- Shortened links (bit.ly, tinyurl) pointing to a “Google login.”
Defender Actions
- Email Gateway Rules:
- Block messages with “Google login” text but non-Google domains in URLs.
- Browser Security Controls:
- Enable Safe Browsing and reputation-based URL filtering.
- MFA Hardening:
- Promote FIDO2/WebAuthn keys instead of SMS or app-based OTPs (mitigates AitM).
- User Awareness:
  - Train users to always verify that the auth URL is accounts.google.com.
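The two link-based indicators above (Google-looking link text pointing at a non-Google host, and URL shorteners in front of a “Google login”) and the email gateway rule in the Defender Actions can be checked mechanically. The script below is an added example, not tooling from CyberDudeBivash or from any gateway product: it extracts anchors from an HTML message body with the standard library and reports which rule each link trips. The sample message, the host names in it, and the list of lure words and shorteners are all constructed for the demo and would be tuned in production.

```python
"""Flag phishing-style links in an HTML email body (added example).

Rules implemented:
  1. google_lure_non_google_host: link text mentions Google/Gmail/docs.google.com
     but the href host is not under google.com
  2. shortener_to_google_login: a URL shortener fronts a "Google sign in" link
The sample message below is constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLE_SUFFIXES = ("google.com", "googleusercontent.com")   # assumption: treat these as first-party
SHORTENERS = {"bit.ly", "tinyurl.com"}                        # from the post's IOA list
GOOGLE_LURE_WORDS = ("google", "gmail", "workspace")         # words that make a link "look like Google"


def is_google_host(host):
    """True if host is google.com or a subdomain of it (not google.com.evil.net)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def classify_link(href, text):
    """Return the names of the rules a single anchor triggers (empty list = clean)."""
    hits = []
    host = (urlparse(href).hostname or "").lower()
    looks_like_google = any(w in text.lower() for w in GOOGLE_LURE_WORDS)
    if looks_like_google and host and not is_google_host(host):
        hits.append("google_lure_non_google_host")
    if looks_like_google and host in SHORTENERS:
        hits.append("shortener_to_google_login")
    return hits


def scan_email_html(html):
    """Scan a message body and return one finding per suspicious link."""
    findings = []
    for href, text in extract_links(html):
        hits = classify_link(href, text)
        if hits:
            findings.append({"href": href, "text": text, "rules": hits})
    return findings


# Constructed sample: one lookalike path, one shortener, one genuine link, one unrelated link.
SAMPLE_EMAIL_HTML = """
<p>A document was shared with you.</p>
<a href="https://evil-cdn.example/docs.google.com/login">docs.google.com/document/d/abc</a>
<a href="https://bit.ly/3xyzabc">Sign in to Google</a>
<a href="https://accounts.google.com/signin">Google sign in</a>
<a href="https://support.example.com/help">Help center</a>
"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL_HTML):
        print(finding)
```

Note that the first link puts docs.google.com in the path to fool the eye; the check keys on the parsed hostname, which is why the genuine accounts.google.com link passes while the lookalike does not. A gateway would typically also resolve shortener targets before deciding, which this offline example does not do.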
⚡ Threat Hunting Queries
Splunk — Suspicious OAuth Logins

```spl
index=google_workspace sourcetype=gsuite:login
| search LoginType="OAuth"
| where not like(ClientApp, "%Google%")
| table _time, User, ClientApp, IPAddress
```

Elastic KQL — MFA Bypass Attempts

```kql
event.dataset : "gsuite.login"
and outcome.result : "Success"
and source.ip : ("suspicious ranges")
and authentication.type : "MFA"
```
🛠️ Incident Response Steps
- Reset compromised accounts immediately.
- Invalidate OAuth tokens tied to suspicious apps.
- Review email forwarding rules (attackers often set persistence here).
- Search for reply-chain phishing from compromised mailboxes.
- Rotate sensitive credentials linked to Google SSO.
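The forwarding-rule review in step 3 is the one most often skipped, because Gmail filters can forward and then hide the original copy without the user ever noticing. The triage routine below is an added example, not CyberDudeBivash's procedure: it takes records in the shape returned by the Gmail API resources users.settings.filters and users.settings.forwardingAddresses (which an analyst would fetch with a delegated service account; that fetch is outside the example) and flags the patterns used for persistence. The organisation domain, filter records and addresses are constructed placeholders.

```python
"""Triage Gmail filters and forwarding addresses for phishing persistence (added example).

Input records follow the Gmail API Filter and ForwardingAddress resource shapes:
  filter: {"id", "criteria": {...}, "action": {"addLabelIds", "removeLabelIds", "forward"}}
  forwarding address: {"forwardingEmail", "verificationStatus"}
Flags:
  - auto-forward to an address outside the organisation
  - filters that hide (archive/trash/spam) messages matching security-related criteria
  - filters that forward a message and hide the original copy
The records below are constructed for the demo; the domain is a placeholder.
"""
ORG_DOMAIN = "corp.example"   # assumption: the tenant's primary mail domain
ALERT_WORDS = ("password", "security alert", "sign-in", "verification", "invoice")


def is_external(address):
    return not address.lower().endswith("@" + ORG_DOMAIN)


def triage_filter(f):
    """Return the reasons a single filter looks like attacker persistence."""
    reasons = []
    action = f.get("action", {})
    criteria = f.get("criteria", {})
    forward_to = action.get("forward")
    if forward_to and is_external(forward_to):
        reasons.append("auto-forward to external address " + forward_to)

    removed = set(action.get("removeLabelIds", []))
    added = set(action.get("addLabelIds", []))
    hides_message = "INBOX" in removed or "TRASH" in added or "SPAM" in added
    if hides_message:
        criteria_text = " ".join(str(v) for v in criteria.values()).lower()
        if any(word in criteria_text for word in ALERT_WORDS):
            reasons.append("hides messages matching security-related criteria")
        elif forward_to:
            reasons.append("forwards and hides the original copy")
    return reasons


def triage_mailbox(filters, forwarding_addresses):
    """Combine filter and forwarding-address findings for one mailbox."""
    findings = []
    for f in filters:
        reasons = triage_filter(f)
        if reasons:
            findings.append({"filter_id": f.get("id"), "reasons": reasons})
    for fa in forwarding_addresses:
        address = fa.get("forwardingEmail", "")
        if is_external(address):
            findings.append({
                "forwarding_address": address,
                "reasons": ["external forwarding address registered (status=%s)"
                            % fa.get("verificationStatus")],
            })
    return findings


# Constructed sample data: one alert-hiding filter, one exfil filter, one benign filter.
SAMPLE_FILTERS = [
    {"id": "filter-1",
     "criteria": {"from": "it-security@corp.example", "query": 'password OR "security alert"'},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},
    {"id": "filter-2",
     "criteria": {"hasAttachment": True},
     "action": {"forward": "collector@attacker-mail.example", "removeLabelIds": ["INBOX"]}},
    {"id": "filter-3",
     "criteria": {"from": "newsletter@vendor.example"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
]
SAMPLE_FORWARDING = [
    {"forwardingEmail": "collector@attacker-mail.example", "verificationStatus": "accepted"},
]

if __name__ == "__main__":
    for finding in triage_mailbox(SAMPLE_FILTERS, SAMPLE_FORWARDING):
        print(finding)
```

Run this for every mailbox touched by the campaign, not only the one that reported the phish; the reply-chain step in the attack flow means the first compromised account is rarely the only one carrying a rule.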
📌 CyberDudeBivash Verdict
This Gmail phishing wave is next-gen social engineering, blending weaponized login flows with real-time MFA bypass. Enterprises relying on Google Workspace should treat this as high priority, enforce phishing-resistant MFA, and deploy email + browser detection controls immediately.
#CyberDudeBivash #Phishing #Gmail #GoogleWorkspace #CredentialTheft #ThreatIntel #BlueTeam #IncidentResponse #AitM #ZeroTrust