Google Mail Merge Impersonation - Abnormal Security

In this attack, credential phishing attackers send urgent impersonated account messages to trick recipients into giving up their credentials.

Quick Summary of Attack

Platform: G Suite
Mailboxes: 15,000 – 50,000
Victims: Employees
Payload: Malicious Link
Technique: Impersonation

What was the attack?

Setup: Gmail routinely sends notifications about many kinds of account activity. This attack exploits that familiarity by mimicking an automated Gmail message claiming that a request was made to add an email to the recipient’s account.

Email Attack: The attackers pose as an automated email-merge notification stating that a request was made to merge the recipient’s email with a specified Gmail account. The message warns that the request will be processed automatically within twenty-four hours and tells the recipient to click the provided link to decline the request if they do not recognize the account to be merged. The link leads to a fraudulent Google page where the recipient can either acknowledge or decline the request.

Payload: After the recipient chooses Next, they are redirected to an impersonated Outlook sign-in page, which looks legitimate and prompts for their email credentials. If the recipient falls victim, the attackers gain access to the victim’s account and other sensitive information.

Why was this attack effective?

Convincing landing page: The email seems convincing because the link in its body leads to a landing page that looks nearly identical to the Google account sign-in page. A recipient who does not notice the suspicious URL is more likely to fall victim after seeing the familiar and trusted Google landing page.

Many existing security measures do not properly analyze attack language, which is pervasive in over 70% of attacks. Abnormal Security prevented this attack by recognizing a number of signals that, when combined, flagged the email as malicious. These signals include a message body containing language commonly observed in phishing attacks and a sender not usually seen for this particular organization. Other indicators were the presence of a suspicious link and a mismatch between the sender domain and the reply-to domain.
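
The four signals named above can be checked on a raw message with a few lines of header and body parsing. The sketch below is an added example, not Abnormal Security's detection logic; the phrase list, the brand table, the `known_sender_domains` allow-list and every address and host in the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (all addresses and hosts are placeholders).
SAMPLE = """\
From: Gmail Team <no-reply@account-notices.example>
Reply-To: support@merge-desk.example
To: employee@corp.example
Subject: Request to merge your email account

A request was made to merge your email with another Gmail account.
It will be processed automatically within 24 hours. If you do not
recognize this account, decline the request here:
https://google-accounts.merge-review.example/decline
"""

# Assumed phrase list and brand table; a real deployment would tune both.
URGENCY = re.compile(r"within (24|twenty-four) hours|processed automatically|decline the request", re.I)
BRAND_HOSTS = {"google": ("google.com",), "gmail": ("google.com", "gmail.com")}

def domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def brand_mismatch(url):
    """True when a host names a brand but is not under that brand's domain."""
    host = (urlparse(url).hostname or "").lower()
    for brand, legit in BRAND_HOSTS.items():
        if brand in host and not any(host == d or host.endswith("." + d) for d in legit):
            return True
    return False

def score_message(raw, known_sender_domains):
    """Return the set of signals from the write-up that fire on this message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender, reply_to = domain(msg["From"]), domain(msg["Reply-To"])
    signals = set()
    if URGENCY.search(body):
        signals.add("phishing_language")
    if sender not in known_sender_domains:
        signals.add("unusual_sender")
    if any(brand_mismatch(u) for u in re.findall(r"https?://\S+", body)):
        signals.add("suspicious_link")
    if reply_to and reply_to != sender:
        signals.add("reply_to_mismatch")
    return signals

if __name__ == "__main__":
    print(sorted(score_message(SAMPLE, {"corp.example", "google.com"})))
```

No single signal is decisive on its own; the combination is what separates this message from a genuine notification, which fires none of them.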
