Protect Your Google Accounts: 5 Ways Cybercriminals Exploit Google Services
Google plays an important role in our online lives, offering tools like Gmail, Google Drive, and Google Ads that support both personal and professional needs. However, this widespread trust in Google services also makes them a target for cybercriminals.
Attackers continuously find ways to exploit Google’s trusted platforms and features to carry out phishing attacks, steal sensitive information, and distribute malware. In this article, we’ll explore five common tactics cybercriminals use to abuse Google services and examine the strategies behind each method.
1. Exploiting Open Redirect Vulnerabilities
An open redirect vulnerability occurs when a web application allows users to specify a redirect URL without proper validation. Attackers exploit this vulnerability in Google services to create malicious links that appear to originate from the trusted google[.]com domain.
![Exploiting Google Services Blog Open Redirect](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FExploiting-Google-Services-Blog-Open-Redirect.png%3Fw%3D1536%26h%3D874%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739222889%26s%3D13f8405c84a3afc69dd8bfe98f768450&w=3840&q=75)
Example of a cybercriminal selling a google[.]com open redirect
Here’s how it works:
1. An attacker identifies a redirect parameter in Google services, such as redirect= or url=, that doesn’t validate the destination URL.
2. They then create a malicious link.
Example:
https://google.com/redirect?url=https://malicious-site.com
3. This link is embedded in phishing emails, often with hyperlink text concealing the true destination, making it more difficult for targets to notice the redirection.
4. When targets click the link, they are redirected first to Google’s domain and then, almost instantly, to the attacker-controlled phishing site.
The use of Google’s trusted domain enables attackers to deceive not only employees but also legacy security tools. Because traditional security solutions typically analyze only the top-level domain and not the entire URL, they would not detect the phishing destination hidden behind the “safe” domain. This makes it easier for attackers to bypass security systems and trick targets into providing sensitive information.
2. Abusing Google Translate to Mask Malicious Links
Google Translate is a widely used tool that can translate text and web pages, but its functionality is often exploited to disguise phishing links. The redirection process routes users through Google’s domain, making the link seem genuine.
![Exploiting Google Services Blog Google Translate](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FExploiting-Google-Services-Blog-Google-Translate.png%3Fw%3D1536%26h%3D870%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739222887%26s%3D907090da90f05ae848ea5b2dd617f1f3&w=3840&q=75)
Example of how a page routed through Google Translate appears
This is how the attack plays out:
1. Attackers first encode the domain of a phishing site to fit within Google Translate’s URL format.
Example:
malicious-site.com
which becomes:
malicious-site-com
2. They then append this domain to a Google Translate URL.
Example:
https://malicious-site-com.translate.goog/?hl=en&_x_tr_sl=auto&_x_tr_tl=en
3. Clicking the link—which is often distributed via a malicious email—redirects the target to the phishing site within the Google Translate interface. The URL retains Google branding and the phishing page typically loads with a Google Translate banner at the top, adding legitimacy to the attack.
Google Translate’s interface and .goog domain mask the true nature of the phishing site. Users trust the link because it originates from a familiar service, making them less suspicious. The attackers may also serve phishing pages in multiple languages, targeting a broader audience while leveraging Google Translate’s credibility.
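Both tactics above share one weakness from a defender's point of view: the host that is visible in the link is not the host the user lands on. The following added example (written for this article, not code from the original post or from Abnormal) statically unwraps a URL to its real destination, covering both the open redirect parameters from the first section and the translate.goog proxy hosts from the second, and flags a link whose visible domain and final domain differ. The redirect parameter names beyond redirect and url, the double-hyphen decoding rule (Google Translate encodes dots as single hyphens, as the post's malicious-site-com example shows; treating a double hyphen as an escaped literal hyphen, so that malicious-site.com becomes malicious--site-com, is the writer's assumption), and all sample URLs are constructed for this example; nothing is fetched from the network.

```python
"""Added example, not code from the original post: statically unwrap a URL to
the host a user actually lands on, so a google.com open redirect or a
*.translate.goog proxy host does not pass as a Google destination.

Assumptions: the redirect parameter names beyond "url" and "redirect" (which
the post names), the double-hyphen decoding rule for translate.goog hosts, and
the sample URLs are the writer's own; nothing is fetched from the network."""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Parameter names that commonly carry a redirect target. The post names
# "redirect" and "url"; the others are assumed additions.
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "continue", "next", "dest")
TRANSLATE_SUFFIX = ".translate.goog"


def decode_translate_host(host: str) -> Optional[str]:
    """Reverse Google Translate's proxy-hostname encoding.
    The post shows dots becoming single hyphens ("malicious-site.com" ->
    "malicious-site-com"). This also treats "--" as an escaped literal hyphen
    (assumption), so "example--site-com" decodes to "example-site.com"."""
    if not host.endswith(TRANSLATE_SUFFIX):
        return None
    encoded = host[: -len(TRANSLATE_SUFFIX)]
    return "-".join(part.replace("-", ".") for part in encoded.split("--"))


def redirect_target(parsed) -> Optional[str]:
    """First absolute (or protocol-relative) URL found in a redirect parameter."""
    params = parse_qs(parsed.query)  # parse_qs percent-decodes the values
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            if value.lower().startswith(("http://", "https://", "//")):
                return value
    return None


def effective_destination(url: str, max_hops: int = 5) -> str:
    """Host the user ends up on after unwrapping redirect parameters and
    translate.goog proxies hop by hop. max_hops bounds nested redirects."""
    current = url
    for _ in range(max_hops):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        decoded = decode_translate_host(host)
        if decoded is not None:
            return decoded
        nxt = redirect_target(parsed)
        if nxt is None:
            return host
        current = nxt
    return (urlparse(current).hostname or "").lower()


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. Use the Public Suffix List in production.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> Tuple[str, str, bool]:
    """(apparent host, final host, mismatch). mismatch is True when the visible
    domain and the real destination belong to different registrable domains."""
    apparent = (urlparse(url).hostname or "").lower()
    final = effective_destination(url)
    return apparent, final, registrable_domain(apparent) != registrable_domain(final)


if __name__ == "__main__":
    # Constructed sample links modelled on the two tactics in the post.
    for sample in (
        "https://google.com/redirect?url=https://malicious-site.com",
        "https://malicious--site-com.translate.goog/?hl=en&_x_tr_sl=auto&_x_tr_tl=en",
        "https://google.com/redirect?url=https%3A%2F%2Fmalicious--site-com.translate.goog%2F",
        "https://docs.google.com/document/d/CONSTRUCTED_ID/edit",
    ):
        print(classify(sample))
```

The third sample chains the two tricks (an open redirect whose target is a translate.goog host); the hop loop resolves it to the same final host as the second sample, which is the point of judging a link by where it ends rather than by where it starts. The two-label registrable-domain rule is deliberately naive; a production filter should use the Public Suffix List so that hosts under multi-label suffixes are not mis-grouped.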
3. Exploiting Google Drive’s "Email This File" Feature
Google Drive’s "Email this file" feature lets users share files directly via email, with the message sent from the drive-shares-noreply@google[.]com address. Attackers abuse this feature to send phishing emails that are essentially identical to real document-sharing notifications.
![Exploiting Google Services Blog Google Drive](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FExploiting-Google-Services-Blog-Google-Drive.png%3Fw%3D1536%26h%3D1451%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739222886%26s%3D9d96e9caab89cb80bdea54662ac63cfe&w=3840&q=75)
Example of an email sent using Google Drive’s "Email this file" feature
Here’s the step-by-step process:
1. The attacker gains access to a Google Workspace account, which lets them customize the profile name and photo.
2. They modify their profile to impersonate a trusted contact, such as a colleague or manager.
3. The attacker creates a Google Doc and gives it a filename that appears authentic—e.g., “Updated Payroll Guidelines.”
4. They then add malicious content to the Google Doc, such as a link to a phishing page or instructions to download what seems to be a legitimate file but is actually malware.
5. Using the "Email this file" feature, the attacker sends the document to the target. The email includes the impersonated name and document content in the body, making it appear genuine.
Emails from Google’s trusted domain will rarely be flagged by email security filters. The attacker’s ability to impersonate a known contact further reduces the chances of arousing suspicion in the end user, making this tactic highly effective in targeted phishing campaigns.
4. Phishing via Google Docs Comments
Google Docs comments are a useful collaboration feature, but attackers abuse them to send phishing links.
![Exploiting Google Services Blog Phishing via Comments](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FExploiting-Google-Services-Blog-Phishing-via-Comments.png%3Fw%3D1536%26h%3D1018%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739222880%26s%3Db4e183e34d691107b4cb32fa05f3b3b2&w=3840&q=75)
Example of malicious message delivered via Google Docs notification
Here’s how the exploit works:
1. An attacker creates a Google Doc and adds a comment with a phishing link.
2. They tag the target’s email address in the comment using the “@” symbol.
3. Google automatically notifies the tagged individual with an email that includes the comment’s text and any embedded links.
Once again, because the email originates from a trusted domain, it is unlikely to be flagged by legacy security solutions. Further, many email security tools inspect URLs that are directly included within the body of an email but may not follow links embedded within a preview of a Google Doc comment.
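The Drive-share and Docs-comment tactics above rely on the same two things: a display name borrowed from a known contact in front of a Google notification address, and a link carried inside the notification text that a filter may not inspect. The following added example (written for this article, not code from the original post or from Abnormal) screens a notification email for both. The contact directory, the comment-notification sender address, the parenthetical suffix handling, and the two sample messages are constructed for this example; the post names only the drive-shares-noreply@google[.]com sender. As the comment in the code notes, the header check is a signal to verify the sharing account, not a verdict, because a genuine share from the same contact produces the same From line.

```python
"""Added example, not code from the original post: screen a Google Drive share
or Docs comment notification for a borrowed display name and for links carried
in the notification text.

Assumptions: the directory, the comment-notifier address, the trailing
"(via Google Drive)" style suffix on the display name, and both sample
messages are constructed for this example."""
import re
from email import message_from_string, policy
from typing import List, Optional
from urllib.parse import urlparse

# Constructed directory of trusted contacts: lower-cased display name -> address.
DIRECTORY = {"jane doe": "jane.doe@corp.example"}
# Google notification senders. The post names the first; the second is assumed.
NOTIFIER_ADDRESSES = {"drive-shares-noreply@google.com", "comments-noreply@docs.google.com"}
# Registrable domains whose links are considered expected in such notifications.
TRUSTED_LINK_DOMAINS = {"google.com", "corp.example"}

TRAILING_PAREN = re.compile(r"\s*\([^)]*\)\s*$")  # strips "(via Google Drive)" etc.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. Use the Public Suffix List in production.
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def impersonated_contact(display_name: str, addr_spec: str) -> Optional[str]:
    """Directory contact whose name the From line borrows, or None.
    Fires when the display name is a known contact's but the message was sent by
    a Google notifier rather than from the contact's own mailbox. A genuine share
    by that contact looks the same in the header, so treat this as a prompt to
    check which account actually shared the file, not as a verdict on its own."""
    bare = TRAILING_PAREN.sub("", display_name).strip().lower()
    expected = DIRECTORY.get(bare)
    if expected is None or addr_spec.lower() == expected:
        return None
    return bare if addr_spec.lower() in NOTIFIER_ADDRESSES else None


def untrusted_links(body: str) -> List[str]:
    """Every URL in the body, including ones inside a quoted comment preview,
    whose registrable domain is not on the trusted list."""
    found = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in TRUSTED_LINK_DOMAINS:
            found.append(url)
    return found


def screen_notification(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return both signals."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    name, addr = "", ""
    if from_hdr is not None and from_hdr.addresses:
        name = from_hdr.addresses[0].display_name
        addr = from_hdr.addresses[0].addr_spec
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "impersonated_contact": impersonated_contact(name, addr),
        "untrusted_links": untrusted_links(body),
    }


# Constructed sample: a Drive "Email this file" style notification.
SAMPLE_SHARE = """\
From: "Jane Doe (via Google Drive)" <drive-shares-noreply@google.com>
To: victim@corp.example
Subject: Document shared with you: "Updated Payroll Guidelines"

Jane Doe shared a document

Updated Payroll Guidelines
Please review the new guidelines here: https://malicious-site.example/payroll/login
Open: https://docs.google.com/document/d/CONSTRUCTED_ID/edit
"""

# Constructed sample: a Docs comment notification carrying the comment text.
SAMPLE_COMMENT = """\
From: "Jane Doe (Google Docs)" <comments-noreply@docs.google.com>
To: victim@corp.example
Subject: Jane Doe mentioned you in a comment

Jane Doe mentioned you in a comment on "Q3 Budget Review":
@victim@corp.example please confirm your details at http://malicious-site.example/verify
Reply: https://docs.google.com/document/d/CONSTRUCTED_ID/edit
"""

if __name__ == "__main__":
    print(screen_notification(SAMPLE_SHARE))
    print(screen_notification(SAMPLE_COMMENT))
```

Run stand-alone, both samples report the borrowed name "jane doe" and a single link off the trusted list, while the docs.google.com link is left alone. In a real deployment the link check should run on whatever text the notification carries, because the post's observation is precisely that links inside a comment preview are the ones filters tend to skip.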
5. Hijacking Google Ads for Phishing Campaigns
Google Ads is a powerful platform for advertisers, but cybercriminals exploit it by hijacking ad accounts. These accounts are used to run malicious campaigns that redirect users to phishing sites.
![Exploiting Google Services Blog Google Ads](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FExploiting-Google-Services-Blog-Google-Ads.png%3Fw%3D1536%26h%3D983%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1739222885%26s%3D25b82605fd89d442a5dab97d7bcfff51&w=3840&q=75)
User on a cybercrime forum selling stolen Google Ads accounts
This is how the attack unfolds:
1. Attackers gain unauthorized access to a legitimate Google Ads account by stealing credentials or purchasing access on cybercrime forums.
2. They modify existing ad campaigns or create new ones, often targeting high-traffic keywords related to banking portals or popular apps.
3. The ads look legitimate, but the final URL is altered to redirect users to a phishing page or a site delivering malware.
4. Attackers may use cloaking techniques to show legitimate content to Google’s review systems while serving malicious pages to real users.
Hijacked Google Ads accounts already have established trust, high spending limits, and approved ad campaigns, making them ideal for large-scale phishing operations. Users are more likely to trust links in ads, especially when they appear to promote well-known brands.
Protecting Google Services From Abuse With AI
Abnormal leverages advanced AI to detect and block phishing attempts that exploit trusted platforms like Google Drive, Google Docs, Google Ads, and more.
Abnormal also utilizes behavioral data to analyze the unique communication patterns of employees and vendors across your organization. By identifying high-risk anomalies with precision, it can detect and remediate advanced email threats that evade legacy security systems—eliminating opportunities for end-user engagement and strengthening your organization’s defense.
See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.