A new and highly effective phishing technique targeting Google G Suite users is gaining popularity amongst attackers, and even experienced technical users are being caught by it.
The attack, which was first reported by Wordfence, starts like most attacks: with an email. That email will more than likely come from someone you know. In the email there will be a link or image which, when followed, takes you to what looks like a Google sign-in page. At first glance you will see accounts.google.com in the location bar.
Below that, in the browser window, you'll see a fully functional sign-in page like this:
However, after you log in, the attacker immediately accesses your G Suite account, locates one of your emails that has an attachment, and sends a phishing email to everyone in your contact list, reusing the subject line and attachment of that genuine email.
This phishing attack uses a 'data URI' to include a script within the location bar. The browser is not connected to accounts.google.com at all: the location bar holds a data: URL whose content begins with the text "https://accounts.google.com/..." and the attacker's page is rendered inline from that URL. The tell-tale sign is that the location bar starts with "data:text/html" rather than "https://", and there is no padlock for the Google domain.
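The following check, added here as an example and not taken from the original post or from CloudManager's extension, shows how a browser-side defence can tell what a location-bar value really points at: a data: URI is inline content supplied by whoever wrote the link, so one that carries a trusted sign-in hostname in its body is flagged. TRUSTED_HOSTS and the sample URLs are constructed for the demonstration.

```javascript
// Added example (not CloudManager's extension code): classify a location-bar
// value and flag data: URIs whose content carries a trusted sign-in hostname.
// TRUSTED_HOSTS and the sample URLs below are constructed for this demo.
const TRUSTED_HOSTS = ["accounts.google.com", "mail.google.com"];

// The origin the browser really uses for a URL; "data:" means inline content
// supplied by the link author, not a page fetched from a remote server.
function realOrigin(url) {
  const u = url.trim();
  if (/^data:/i.test(u)) return "data:";
  try {
    return new URL(u).origin;
  } catch (e) {
    return null;
  }
}

// Decode the body of a data: URI (base64 or percent-encoded) to text.
function decodeDataUri(url) {
  const comma = url.indexOf(",");
  if (comma < 0) return "";
  const meta = url.slice(5, comma); // everything between "data:" and ","
  const body = url.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    try { return atob(body); } catch (e) { return ""; }
  }
  try { return decodeURIComponent(body); } catch (e) { return body; }
}

// Verdict for a location-bar value: "normal", "inline-content" or "spoofed-login".
function classifyLocation(url) {
  const origin = realOrigin(url);
  if (origin !== "data:") return { verdict: "normal", origin, impersonates: [] };
  const text = decodeDataUri(url.trim()).toLowerCase();
  const impersonates = TRUSTED_HOSTS.filter((h) => text.includes(h));
  return {
    verdict: impersonates.length ? "spoofed-login" : "inline-content",
    origin,
    impersonates,
  };
}

// Constructed sample: the data: URL's body starts with the trusted hostname,
// so a quick glance at the location bar reads "accounts.google.com".
const SAMPLE_SPOOF =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  "%20%3Chtml%3ESign%20in%3C/html%3E";
const SAMPLE_REAL = "https://accounts.google.com/ServiceLogin?service=mail";
console.log(classifyLocation(SAMPLE_SPOOF).verdict, classifyLocation(SAMPLE_REAL).verdict); // spoofed-login normal
```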
CloudManager users will be warned by the Anti-phishing Chrome extension that they are being redirected to a non-G Suite domain.
If 2-step verification is enabled, the attacker will not be able to access the account with the captured password alone, and your administrator will be notified about the attempted attack.
If you are not using CloudManager and haven't already done so, activate 2-step verification in Gmail.
If you or someone in your organisation has clicked on a link which you feel may be malicious, immediately change your Gmail password, then go to the Gmail account activity page, where you can see any active sessions, and close down any which you feel may be compromised. Also check the Sent folder for messages the attacker may already have sent from the account, so that the recipients can be warned.