chat
expand_more

Google Mail Merge Notification Used in Phishing Attack

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick...
February 19, 2021

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick unsuspecting users and gain access to entire Google Workspace accounts.

Summary of Attack Target

  • Platform: Google Workspace
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Phishing Attack

It is not uncommon to receive a notification from Gmail regarding a range of different account activities. This attack in particular uses this method by mimicking an automated Gmail message, claiming that a request was made to add an email to the recipient's account.

The attackers pose as an automatic email merger notification, stating that a request was made to merge the recipient’s email with a specified Gmail account. There is a warning that the request will automatically be processed within twenty-four hours. If the recipient does not want the account to be merged, they are instructed to click the provided link to decline the request.

The "Decline request" link leads to a fraudulent Google page where the user can either acknowledge or decline the request.

After the recipient makes their choice and clicks the Next button, they are redirected to an impersonated Outlook sign-in page—an interesting tactic given that this email was sent to Google users. The recipient is expected to enter their email credentials on a legitimate-looking sign-in page. If the recipient falls victim, the attackers would have access to the victim’s account and other sensitive information.

Why the Google Impersonation Attack was Effective

The email seems convincing because the link in the body of the email leads the recipient to a landing page that looks nearly identical to the Google account sign-in page. If the recipient does not recognize the suspicious URL, they are more likely to fall victim to this attack after seeing the familiar and trusted Google landing page.


Many existing security measures do not properly analyze attack language. Abnormal Security prevented this attack by recognizing a number of signals that when combined, flagged the email as malicious. These signals include the message body, which contains language commonly observed in phishing attacks, and the fact that the email comes from a sender that is not usually seen. Other indicators were the presence of a suspicious link, as well as a mismatch between the sender domain and the reply-to domain. Taken together, these signals indicate that the email is malicious and it is blocked before reaching user inboxes.

To see how Abnormal Security can stop suspicious emails from targeting your employees, request a demo today.

Google Mail Merge Notification Used in Phishing Attack

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

 
Integrates Insights Reporting 09 08 22

Related Posts

B Most Interesting Attacks Q1 2024
Take a look at five of the most unique and sophisticated email attacks recently detected and stopped by Abnormal.
Read More
B MKT499 Images for Customer Blog Series
Discover key industry trends and insights from cybersecurity leader Michael Marassa, CTO of New Trier Township High School District 203.
Read More
B Construction Professional Services QR Code Attacks
Abnormal data shows construction firms and professional service providers are up to 19.2 times and 18.5 times, respectively, more likely to receive QR code attacks than organizations in other industries.
Read More
B 1500x1500 Evolving Abnormal R2
From the beginning, we created Abnormal Security to be a generational company that protects people from cybercrime. Here’s how we’re doing it.
Read More
Blog Cover 1500x1500 Images for SOC Time Blog
Discover the critical tasks that occupy SOC analysts’ schedules beyond mere inbox management, and discover insights into optimizing efficiency in cybersecurity operations.
Read More
B 1500x1500 MKT494 Top Women in Cybersecurity
In honor of Women's History Month, we're spotlighting 10 women leaders who are making invaluable contributions to cybersecurity.
Read More