New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

Summary:
A phishing campaign that leverages Google Drawings and WhatsApp URL shorteners to evade detection and compromise user accounts has been identified by security researchers at Menlo Security. The attack begins with a phishing email directing recipients to a seemingly legitimate Amazon account verification link hosted on Google Drawings. When clicked, this link redirects users through multiple obfuscated URLs that deceive security scanners before landing on a fraudulent Amazon login page designed to harvest credentials, personal information, and credit card details. The attackers exploit the trust associated with Google and WhatsApp to bypass security measures and increase the likelihood of user interaction. Additionally, the use of CSS manipulation within phishing emails has been discovered, potentially allowing attackers to conceal security warnings such as the “First Contact Safety Tip” alert, which tells users when an email comes from an unknown address. Microsoft has acknowledged this issue but relegated it to its backlog and has yet to release a fix.
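The redirect pattern described above (trusted content host, shortener hop, lookalike landing page) can be triaged once the chain has been resolved in a sandbox. The following is an added example, not code from Menlo Security or the original report; the hop URLs are constructed placeholders, the shortener list is a starter assumption, and docs.google.com is used because that is where Google Drawings content is served.

```python
from urllib.parse import urlparse

# Hosts that serve user-supplied content and so lend their reputation to a
# malicious first hop. docs.google.com is where Google Drawings is served.
TRUSTED_CONTENT_HOSTS = {"docs.google.com"}

# Link-shortener hosts treated as an obfuscation hop. Starter list (assumption);
# add the shortener domains published in the report's IoC PDF.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}

# Brand impersonated by the lure -> registrable domains that really own its login.
BRAND_DOMAINS = {"amazon": {"amazon.com"}}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (ignores public-suffix rules
    such as .co.uk; a production version would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_chain(chain: list[str], claimed_brand: str) -> dict:
    """Score a resolved redirect chain: every URL visited, in order, ending at
    the page that actually renders. Only that final hop decides where
    credentials go, which is why scanners that stop at the first trusted hop
    miss this pattern."""
    hosts = [urlparse(url).hostname or "" for url in chain]
    findings = []
    if hosts and hosts[0] in TRUSTED_CONTENT_HOSTS:
        findings.append(f"first hop hosted on trusted platform {hosts[0]}")
    for host in hosts:
        if host in SHORTENER_HOSTS:
            findings.append(f"redirect via link shortener {host}")
    landing = registrable_domain(hosts[-1]) if hosts else ""
    brand_mismatch = landing not in BRAND_DOMAINS.get(claimed_brand, set())
    if brand_mismatch:
        findings.append(f"{claimed_brand} lure lands on {landing}")
    # Verdict hinges on the landing domain; the other findings record how the
    # lure evaded reputation-based filtering.
    return {"hops": len(chain), "landing_domain": landing,
            "findings": findings, "suspicious": brand_mismatch}


if __name__ == "__main__":
    # Constructed chain modelled on the campaign; PLACEHOLDER values and the
    # landing host are invented, not indicators from the report.
    chain = ["https://docs.google.com/drawings/d/PLACEHOLDER/preview",
             "https://bit.ly/PLACEHOLDER",
             "https://amazon-verify.example/ap/signin"]
    for finding in analyse_chain(chain, "amazon")["findings"]:
        print(finding)
```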

Security Officer Comments:
The described phishing campaign represents a sophisticated attack vector that capitalizes on user trust in well-known platforms. By hosting malicious content on Google Drawings and employing URL shorteners, attackers effectively obscure the true nature of the threat, increasing the potential for successful phishing attempts. The addition of CSS manipulation compounds the problem by circumventing the very warnings designed to protect users from phishing. This incident underscores the evolving tactics employed by cybercriminals and highlights the need for robust, comprehensive cybersecurity solutions that can effectively detect and mitigate such threats. Organizations must prioritize user education and awareness regarding phishing attacks, but chiefly focus on investing in advanced security technologies capable of identifying and blocking malicious content hosted on trusted platforms. Furthermore, the abuse of legitimate services like Google Drawings emphasizes the importance of platform providers implementing stringent security measures to prevent their services from being exploited for malicious purposes.

Suggested Corrections:
IOCs for this campaign are published in this PDF.

The increase in remote work has increased reliance on email as a vital communication mechanism. These conditions also increase the risk of personnel being targeted by phishing or spam attacks, and thus of ransomware and other malware infections. Users should adhere to the following recommendations:

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Back up important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam, and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately

Link(s):
https://thehackernews.com/2024/08/new-phishing-scam-uses-google-drawings.html

https://www.menlosecurity.com/blog/...sapp-zero-hour-open-redirection-phish-exposed

https://certitude.consulting/blog/en/o365-anti-phishing-measures/

PDF:
https://info.menlosecurity.com/rs/281-OWV-899/images/Decoding-Google-Drawing-and-WhatsApp-Open-Redirection-Phishing_Report.pdf