Google Mail Merge Notification Used in Phishing Attack

February 19, 2021

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick unsuspecting users and gain access to entire Google Workspace accounts.

Summary of Attack Target

  • Platform: Google Workspace
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Phishing Attack

It is not uncommon to receive a notification from Gmail regarding a range of different account activities. This attack in particular uses this method by mimicking an automated Gmail message, claiming that a request was made to add an email to the recipient's account.

The attackers pose as an automatic email merger notification, stating that a request was made to merge the recipient’s email with a specified Gmail account. There is a warning that the request will automatically be processed within twenty-four hours. If the recipient does not want the account to be merged, they are instructed to click the provided link to decline the request.

The "Decline request" link leads to a fraudulent Google page where the user can either acknowledge or decline the request.

After the recipient makes their choice and clicks the Next button, they are redirected to an impersonated Outlook sign-in page—an interesting tactic given that this email was sent to Google users. The recipient is expected to enter their email credentials on a legitimate-looking sign-in page. If the recipient falls victim, the attackers would have access to the victim’s account and other sensitive information.

Why the Google Impersonation Attack was Effective

The email seems convincing because the link in the body of the email leads the recipient to a landing page that looks nearly identical to the Google account sign-in page. If the recipient does not recognize the suspicious URL, they are more likely to fall victim to this attack after seeing the familiar and trusted Google landing page.

Many existing security measures do not properly analyze attack language. Abnormal Security prevented this attack by recognizing a number of signals that when combined, flagged the email as malicious. These signals include the message body, which contains language commonly observed in phishing attacks, and the fact that the email comes from a sender that is not usually seen. Other indicators were the presence of a suspicious link, as well as a mismatch between the sender domain and the reply-to domain. Taken together, these signals indicate that the email is malicious and it is blocked before reaching user inboxes.

To see how Abnormal Security can stop suspicious emails from targeting your employees, request a demo today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More
B Overhauled Architecture Blog 08 29 22
As our customer base has expanded, so has the volume of emails our system processes. Here’s how we overcame scaling challenges with one service in particular.
Read More