A newly emerged phishing campaign is capable of bypassing email defences and stealing both credentials and MFA codes.
Researchers at identity security firm KnowBe4’s Threat Labs have observed a highly advanced phishing campaign that uses Google’s AppSheet development platform to impersonate Meta and PayPal.
First observed in March, the campaign appears to have peaked on 20 April, when more than 10 per cent of all global phishing emails identified and stopped by KnowBe4 were sent from AppSheet.
The vast majority, 98.2 per cent, impersonated Facebook’s parent company, while the rest impersonated PayPal.
The scammers are taking advantage of AppSheet’s workflow automation to send massive volumes of phishing emails, and since the messages come from a legitimate address – [email protected] – they can bypass Microsoft’s protections and secure email gateways that rely on sender reputation checks.
“In addition to leveraging a legitimate domain, this campaign also impersonated Meta (Facebook), using forged branding and urgent language – such as warnings about account deletion – to pressure recipients into taking immediate action,” KnowBe4 said.
“The use of a trusted brand like Meta helps lower suspicion and increase user engagement, making the phishing emails and the subsequent credential harvesting site appear more credible.”
The emails appear to be from the Facebook support team and even feature unique case IDs created by AppSheet. In addition, the campaign utilises unique polymorphic identifiers in each email to make subtle changes to its contents, another trick to bypass detection systems that rely upon known malicious URLs and other static indicators. This poses a challenge for IT teams and makes remediation difficult.
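A defender-side triage routine is added here as an example; it is not code from the article, from KnowBe4 or from AppSheet. It targets the two evasions described above: it flags mail whose display name or subject names Meta, Facebook or PayPal while the sending domain belongs to someone else, so sender reputation is not the deciding signal, and it strips per-message identifiers and URLs before hashing so polymorphic variants with different case IDs collapse to one template fingerprint. The sample messages, the BRAND_DOMAINS map and the AppSheet-style sender address are constructed assumptions for illustration.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the article says were impersonated, mapped to domains assumed to send
# mail for them legitimately. This map is an illustrative assumption; build the
# real one from your own observed mail flow.
BRAND_DOMAINS = {
    "facebook": ("facebook.com", "facebookmail.com"),
    "meta": ("meta.com", "facebookmail.com"),
    "paypal": ("paypal.com",),
}

# Per-message variable material (case ids, tokens, numbers, URLs) is replaced
# before hashing so that polymorphic copies of one template share a fingerprint.
VARIABLE_TOKEN = re.compile(r"\b[A-Za-z0-9]*\d[A-Za-z0-9-]*\b")
URL = re.compile(r"https?://\S+")


def parse(raw):
    """Return (display name, sender domain, subject, body) of a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return name, domain, msg.get("Subject", ""), msg.get_payload()


def impersonated_brands(name, domain, subject):
    """Brands named in the display name or subject whose legitimate domains do
    not include the sending domain. Reputation of the sending domain is
    deliberately not consulted, since the campaign sends from a trusted one."""
    text = (name + " " + subject).lower()
    hits = []
    for brand, legit in BRAND_DOMAINS.items():
        named = re.search(rf"\b{brand}\b", text) is not None
        sender_ok = any(domain == d or domain.endswith("." + d) for d in legit)
        if named and not sender_ok:
            hits.append(brand)
    return hits


def template_fingerprint(subject, body):
    """Hash of the message with URLs and identifier-like tokens normalised away,
    so variants that differ only in case id or link path map to one value."""
    text = subject + "\n" + body
    text = URL.sub("<url>", text)
    text = VARIABLE_TOKEN.sub("<id>", text)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def triage(raw):
    name, domain, subject, body = parse(raw)
    return {
        "from_domain": domain,
        "impersonated": impersonated_brands(name, domain, subject),
        "fingerprint": template_fingerprint(subject, body),
    }


# Constructed sample messages (not real campaign artifacts). The sender address
# is an assumed AppSheet-style notification address, not one taken from the article.
SAMPLE_A = """From: Facebook Support <noreply@appsheet.example>
Subject: Case 7K2Q9PD1: Your account will be deleted
Content-Type: text/plain

Your Facebook account violates our policies and will be deleted.
Submit an appeal within 24 hours: https://appeals.example/a/7K2Q9PD1
Case ID: 7K2Q9PD1
"""
# Same template with a different polymorphic case id.
SAMPLE_B = SAMPLE_A.replace("7K2Q9PD1", "M4X1ZZ08")
SAMPLE_LEGIT = """From: Facebook <notification@facebookmail.com>
Subject: You have new notifications
Content-Type: text/plain

See what's new on Facebook.
"""

if __name__ == "__main__":
    for label, raw in (("A", SAMPLE_A), ("B", SAMPLE_B), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

The fingerprint is what you would key an alert or a mailbox sweep on, rather than a URL or case ID that changes per message; the brand check is what keeps a gateway from waving the mail through purely because the sending domain has a clean reputation.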
The emails feature links that appear to lead to an online appeals form, which again looks legitimate, complete with Meta logos and branding. This page says the victim’s Facebook account is at risk of deletion to pressure them into giving away personal information and credentials.
The phishing site also operates as a man-in-the-middle proxy, relaying the victim’s login details and MFA codes to the legitimate Facebook site and then hijacking the resulting session to obtain a valid session token, which lets the attackers bypass two-factor authentication and gain access to the victim’s account.
“The exploitation of AppSheet is part of a broader trend of using legitimate services to bypass traditional email security detections; a pattern our Threat Labs team has observed in recent analyses of other services like Microsoft, Google, QuickBooks, and Telegram,” KnowBe4 said.
“This tactic, in combination with sophisticated impersonation, man-in-the-middle techniques and social engineering makes this campaign highly advanced and engineered to bypass detection technologies used in Microsoft 365 and SEGs.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.