In early December 2020, Proofpoint Threat Research observed attackers using Google Forms to bypass email security content filters based on keywords. The use of Google Forms is not new and is routinely observed in credential phishing campaigns. This hybrid campaign combines the benefits of scale and legitimacy by leveraging Google Services with social engineering attacks, more commonly associated with BEC. We observed thousands of messages predominantly delivered to retail, telecommunications, healthcare, energy, and manufacturing sectors.
Google Forms allows actors to compose and send their emails to evade ingress and egress email filters. The subjects are unique names of C-level executives from the target organizations, with no attempt to utilize display-name spoofing. The emails are simple but convey a sense of urgency. They demand a "Quick Task" from the user in response to the actor who claims to be heading into a meeting or too preoccupied to handle the task themselves. The actor politely asks the user if they "have a moment", a common opener in Gift Card fraud. Here is an example of the BEC message:
Figure 1: BEC email and attached Google Form
The link in the email leads the user to a default, untitled form hosted on Google Forms' infrastructure. The primary goal is to elicit a reply from the victim, under the pretext that the survey is broken or not what they expected. As a secondary goal, the form likely serves as a sensor to simply see if anyone fills out their form, functioning as a reconnaissance technique to weed out users who may be susceptible to clicking a suspicious link found in an email.
Although these messages may appear primitive, there is still a threat in either responding to or completing this benign form because user action may lead to follow on actions scoped to a more receptive audience. Here is an example form:
Figure 2: Google Form
Given the C suite spoofing, we expect that this is an email reconnaissance campaign to enable target selection for undetermined follow-on threat activity. The tone of urgency in the emails is consistent with previous BEC actors, and therefore, we want to ensure security awareness of these attempts as an indication or warning to customers and the security community.
While social engineering is pervasive throughout email-borne attacks, it is employed differently in malware and credential phishing than in BEC campaigns. In a malware campaign, social engineering is used in the initial email. Conversely, in BEC, social engineering is used throughout the lifecycle of the fraud. Although rare, we observe actors delivering malware after the exchange of benign messages.