
Google AMP – The Newest of Evasive Phishing Tactic

August 14, 2023

A new phishing tactic utilizing Google Accelerated Mobile Pages (AMP) has hit the threat landscape and proven to be very successful at reaching intended targets. Google AMP is an open-source HTML framework used to build websites that are optimized for both browser and mobile use. The websites that we observed in these campaigns are hosted on Google.com or Google.co.uk, both of which are considered trusted domains by most users. This phishing campaign not only employs Google AMP URLs to evade security, but also incorporates a multitude of other tactics, techniques, and procedures (TTPs) known to be successful at bypassing email security infrastructure.

Key Points 

  • A new tactic employed by threat actors utilizes Google AMP URLs as links embedded within their phishing emails. These links are hosted on trusted domains and have proven to be successful at reaching enterprise-level employees.
  • Google AMP URLs used in phishing emerged during May of 2023 and have continued to be disseminated as of the time of this writing, targeting employee login credentials.
  • The campaigns using this tactic have proven to be very evasive and are employing other TTPs known to bypass email security infrastructure. The following tactics have been observed by Cofense to be incorporated into the campaigns using Google AMP URLs:
    • Trusted domains are often used throughout each stage of the phishing campaigns, not just the initial Google domain.
    • URL redirection, both as part of the Google AMP URL and as an additional stage, has been seen throughout several campaigns using the Google AMP tactic. This adds an extra layer to disrupt analysis.
    • Image-based phishing emails have been used. This allows the threat actor to disrupt analysis by replacing a normal text body with an encoded HTML image that contains the malicious embedded link, which is clickable by the recipient.
    • Cloudflare CAPTCHA has been commonly abused in phishing campaigns, so it is no surprise that it has appeared here. CAPTCHA services disrupt automated analysis and require each phishing campaign to be manually analyzed.
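
Because the link's visible host is a trusted Google domain, a mail filter has to judge the site embedded in the AMP path instead. The sketch below is an added example, not code from Cofense or from this page: it assumes the AMP viewer path layout `/amp/s/<host>/...` (HTTPS) or `/amp/<host>/...` (HTTP), which the page does not spell out, and the sample body and its domains are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# The two Google hosts the article names; extending this set is left to the reader.
GOOGLE_HOSTS = {"google.com", "www.google.com", "google.co.uk", "www.google.co.uk"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumed AMP viewer layout: /amp/s/<host>/<path> (HTTPS) or /amp/<host>/<path> (HTTP).
AMP_PATH_RE = re.compile(r"^/amp/(s/)?(.+)$", re.IGNORECASE)


def amp_destination(url):
    """Return the URL a Google AMP link really leads to, or None if it is not one."""
    try:
        parts = urlsplit(url)
        if (parts.hostname or "").lower() not in GOOGLE_HOSTS:
            return None
        # Decode once so a percent-encoded "/amp/s/host%2Fpath" is still recognised.
        match = AMP_PATH_RE.match(unquote(parts.path))
        if not match:
            return None
        scheme = "https" if match.group(1) else "http"
        dest = f"{scheme}://{match.group(2)}"
        if parts.query:
            dest += "?" + parts.query
        host = urlsplit(dest).hostname or ""
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return None
    # Require a dotted host so paths such as /amp/s or /amp/about are not flagged.
    return dest if "." in host else None


def find_amp_links(body):
    """Scan an email body (text or HTML source) and list (amp_url, real_host) pairs."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")  # drop trailing sentence punctuation
        dest = amp_destination(url)
        if dest:
            hits.append((url, urlsplit(dest).hostname))
    return hits


# Constructed sample body; the domains are placeholders, not indicators from the article.
SAMPLE_BODY = """
<a href="https://www.google.com/search?q=quarterly+report">Search</a>
<a href="https://www.google.com/amp/s/login-portal.example/verify?id=42"><img src="cid:body"></a>
Mirror: https://google.co.uk/amp/s/files.example%2Fshare%2Fdoc.html
"""

if __name__ == "__main__":
    for amp_url, real_host in find_amp_links(SAMPLE_BODY):
        print(f"AMP link, reputation-check {real_host}: {amp_url}")
```

The extracted host is only the first hop: the campaigns described above add a further redirection stage, so the destination still needs to be followed in a sandbox before a verdict is reached.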