GSuite red teaming — Google Groups phishing ruse

Akshay Raj, published in System Weakness, Jul 21, 2022

As part of a red team operation, I was recently researching how to perform phishing where the target company uses Google Suite instead of the usual Windows and Microsoft Office environment, and I realized that there isn’t much content on the internet compared to the phishing tactics and techniques available for Windows and Microsoft Office environments.

When Windows or Microsoft Office is in the picture, we would perhaps create a malicious executable or a macro in a Microsoft Word or Excel document and then send an email to the target with the file, hoping that the target will execute our malicious EXE or macro and that it will bypass all the security mechanisms of Microsoft Office and the EDR/AV on the endpoint to give us a reverse shell.

However, companies that rely heavily on GSuite often use Google as the SSO provider for most of their third-party tools and applications, so it is wise to hunt for Google credentials instead. As it turns out, there are a number of ways in which you can use Google’s internal services to target a company that relies on GSuite services for its day-to-day operations.

As part of the GSuite Red Teaming series, we will discuss one of the ways in which Google Groups, one of Google’s very useful services, could be used to phish employees of a target company.

Step 1:

Navigate to www.google.com and create an attacker Google account with a name such as “Google Security” and an email address such as “Gsuite-<country>@gmail.com”. The name and email address are limited only by your imagination and the ruse you want to use. I wanted to use an email address such as “google-security@gmail.com”, but Google’s security algorithms did not allow me to create any email address that contains keywords like “google”, “privacy” or “security”.

Also, buy a phishing domain to host your fake Gmail login page. There are a number of tutorials available on the internet for this, so I will only focus on the phishing tactic in this article. For demonstration purposes, I have used a URL shortener pointing to where the fake Gmail login page could be hosted.

Step 2:

Navigate to Google Groups from your attacker Gmail account and create a new Group called “Google Security”. You should put in a Group email address that matches the context of the ruse you are using.

In this example, we are warning the target that his/her Gmail account was logged in to by someone from another country and that he/she needs to reset the password by navigating to our phishing URL. We therefore use “google-security-singapore@googlegroups.com” as the group email address.

Step 3:

Make sure that you do not grant the target any permissions on the group. This ensures that the target is completely blind to the group itself when he/she receives the email.

Step 4:

Add your target email address as a Group member and put your phishing text in the “Welcome message” field. The phishing text you use is again limited only by your imagination. Make sure to set Subscription to “Each email” and select the toggle to “Directly add members”. This will add your target to the Google group without asking for their permission.

We noticed a new login to Gmail and wanted to make sure it was you.
When: May 05, 2022 12:26:27 PM WIB
Where: Jakarta, Jakarta, Indonesia
IP Address: X.X.X.X
Device/Browser: Mac OS X/Chrome
If you recognize this activity, no further action is required. If this was not you, we recommend to change your password by visiting <malicious URL>

This should create your Google group and you can verify it in the dashboard.

At the same time, your target will receive an email from the domain “googlegroups.com”, which will not be flagged as malicious by Google’s email gateway security algorithms.
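From the defender's side, the welcome-message email described in Step 4 has a recognisable shape: a googlegroups.com sender, account-security lure wording, and a link that does not land on Google's own account pages. The triage script below, which is an added example and not part of the original post, runs that heuristic over a constructed sample message; the headers, the short-link host and the allow-list of trusted link hosts are assumptions for the demonstration, not a capture of real Google Groups mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the Step 4 welcome message; headers and the
# shortened link are illustrative assumptions, not real captured mail.
SAMPLE_EMAIL = """\
From: Google Security <google-security-singapore@googlegroups.com>
To: victim@example.com
Subject: You have been added to Google Security
List-Id: <google-security-singapore.googlegroups.com>
Content-Type: text/plain; charset=utf-8

We noticed a new login to Gmail and wanted to make sure it was you.
Where: Jakarta, Jakarta, Indonesia
If this was not you, we recommend to change your password by visiting
https://short.example/abc123
"""

# Assumed allow-list: hosts where a genuine account-security link would land.
TRUSTED_LINK_HOSTS = ("accounts.google.com", "myaccount.google.com", "support.google.com")
LURE_TERMS = ("new login", "change your password", "reset your password",
              "verify your account", "suspicious activity")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage_group_mail(raw: str) -> dict:
    """Flag a raw message that combines the three traits of the Groups ruse:
    group-list sender, account-security lure text, and a non-Google link."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    # Single-part text bodies only; a multipart message would need each part walked.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    lowered = body.lower()
    lure_hits = [term for term in LURE_TERMS if term in lowered]
    untrusted_links = [u for u in URL_RE.findall(body)
                       if urlparse(u).hostname not in TRUSTED_LINK_HOSTS]
    is_group_mail = sender_domain == "googlegroups.com" or msg.get("List-Id") is not None
    return {
        "sender_domain": sender_domain,
        "group_mail": is_group_mail,
        "lure_terms": lure_hits,
        "untrusted_links": untrusted_links,
        "suspicious": is_group_mail and bool(lure_hits) and bool(untrusted_links),
    }
```

Because the sending domain is legitimate, the useful signal is the combination of lure wording and link destination rather than the sender alone; a mail gateway rule or SIEM query can key on the same three fields.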

As most employees these days are trained to pay attention to the domain in the “From” field of the email, this technique will pass that test. Once the user logs in to your fake Gmail login page, you can redirect him/her to a fake password reset page, where you also grab the new password the user wants to set. Now that you have both the current password and the intended new password, you can manually change his/her password to the new password, just to avoid suspicion.

If you find such a login + password reset flow difficult to create, you can perhaps opt for a simpler ruse to use with Google Chat, such as asking the user to accept terms of service after logging in to Gmail. Regardless, the idea is that Gmail’s algorithms will not warn the user against any malicious activity, as the email comes from the trusted domain googlegroups.com.

With some luck, a few employees will click on the malicious URL and will gift their credentials to you on the fake login page that you host. As long as even 1–2 employees fall victim to this, you can use this technique (or other techniques that I will post later as part of this series) again to phish them internally.

I will try to post more articles on the GSuite Red Teaming series soon, so stay tuned.

Happy Hunting!!!
