Google Mail Merge Notification Used in Phishing Attack

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick...
Author abnormal security
Abnormal Security
February 19, 2021

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick unsuspecting users and gain access to entire Google Workspace accounts.

Summary of Attack Target

  • Platform: Google Workspace
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Phishing Attack

It is not uncommon to receive a notification from Gmail regarding a range of different account activities. This attack in particular uses this method by mimicking an automated Gmail message, claiming that a request was made to add an email to the recipient's account.

The attackers pose as an automatic email merger notification, stating that a request was made to merge the recipient’s email with a specified Gmail account. There is a warning that the request will automatically be processed within twenty-four hours. If the recipient does not want the account to be merged, they are instructed to click the provided link to decline the request.

The "Decline request" link leads to a fraudulent Google page where the user can either acknowledge or decline the request.

After the recipient makes their choice and clicks the Next button, they are redirected to an impersonated Outlook sign-in page—an interesting tactic given that this email was sent to Google users. The recipient is expected to enter their email credentials on a legitimate-looking sign-in page. If the recipient falls victim, the attackers would have access to the victim’s account and other sensitive information.

Why the Google Impersonation Attack was Effective

The email seems convincing because the link in the body of the email leads the recipient to a landing page that looks nearly identical to the Google account sign-in page. If the recipient does not recognize the suspicious URL, they are more likely to fall victim to this attack after seeing the familiar and trusted Google landing page.


Many existing security measures do not properly analyze attack language. Abnormal Security prevented this attack by recognizing a number of signals that when combined, flagged the email as malicious. These signals include the message body, which contains language commonly observed in phishing attacks, and the fact that the email comes from a sender that is not usually seen. Other indicators were the presence of a suspicious link, as well as a mismatch between the sender domain and the reply-to domain. Taken together, these signals indicate that the email is malicious and it is blocked before reaching user inboxes.

To see how Abnormal Security can stop suspicious emails from targeting your employees, request a demo today.

Google Mail Merge Notification Used in Phishing Attack

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
 
Integrates Insights Reporting 09 08 22

Related Posts

BC 5 31 23 Vendor Risks
Vendor Email Compromise
An Overview of Vendor Risks: Tips for Vendor Procurement and Security Assessments
Learn the biggest risks associated with your vendor relationships and how to protect your organization from Vendor Email Compromise (VEC) attacks.
Read More
B 5 30 23 Teams
Product
Teams Spirit: How Abnormal Protects Microsoft Teams From Advanced Threats
See how Abnormal's advanced security solutions protect Microsoft Teams workspace from malicious attacks and account takeovers.
Read More
Zoom BC
Product
Zooming In: How Abnormal Protects Zoom from Advanced Threats
Discover how Abnormal protects your Zoom messages and prevents attackers from using the application to breach your business.
Read More
B 5 22 23 SOC
Product
Three Ways Abnormal Streamlines Email Security and SOC Operations
Discover how Abnormal simplifies detection, enhances investigation, and automates remediation, increasing threat investigation efficacy at the SOC level.
Read More
B Phishing
Credential Phishing
What to Do After Receiving a Phishing Attack
Knowing what to do after receiving a phishing attack is essential for preventing costly consequences. Learn how to respond to Phishing attacks.
Read More
B 5 15 23 Israel BEC
Attack StoriesBusiness Email Compromise
Israel-Based Threat Group Launches Multi-Phase BEC Attacks Using an M&A Lure
Abnormal research into an advanced Israel-based threat group puts a spotlight on the continuing rise of BEC attacks.
Read More