Google Docs and Weebly Weaponized in New Phishing Scheme

MFA phishing prompt on secured1st-accesscode[.]weebly[.]com. | Image: EclecticIQ

A recent phishing campaign, uncovered by EclecticIQ researchers, highlights the lengths to which attackers will go to exploit trusted platforms and infrastructure. Financially motivated threat actors targeted the telecommunications and financial sectors, using Google Docs to deliver phishing links and Weebly to host fake login pages. This combination of legitimate platforms let the attackers slip past standard email filters and endpoint defenses while lending their lures added credibility.

The attackers’ approach relied on embedding malicious links in Google Docs presentations, which redirected victims to phishing sites hosted on Weebly. EclecticIQ’s report explains, “By using Google’s trusted domain for initial delivery, attackers bypassed standard email filters and endpoint protections, leveraging reputable platforms to evade detection and increase user trust.”

On Weebly, the phishing pages mimicked the login screens of prominent brands, including AT&T and financial institutions in the U.S. and Canada. These carefully tailored pages aimed to deceive victims into entering their login credentials, multi-factor authentication (MFA) codes, and other sensitive information.

US-based telecommunications-institution themed phishing login page | Image: EclecticIQ

By leveraging Google Docs and Weebly, attackers were able to obscure their malicious intent. The report highlights, “Google Docs-hosted files are less likely to be flagged as malicious from anti phishing tools compared to traditional phishing methods.” Similarly, the legitimate appearance of Weebly-hosted domains further reduced scrutiny.

Adding to the campaign’s sophistication, attackers embedded legitimate tracking tools like Sentry.io and Datadog to monitor user interactions. This allowed them to gather metrics such as timestamps, IP addresses, and geolocation data. “These insights enabled attackers to refine their phishing attempts, tailoring future campaigns for greater success,” the report stated.

In some cases, the attackers went beyond phishing. By harvesting telecom credentials, they initiated SIM swapping attacks to intercept SMS-based MFA codes. This technique enabled them to bypass traditional MFA protections and maintain prolonged access to compromised accounts. The report stresses the importance of adopting app-based or hardware-based MFA to mitigate these risks.

EclecticIQ emphasizes the need for robust security measures to counter such sophisticated campaigns. Key recommendations include:

  • Enhanced MFA Solutions: Replace SMS-based MFA with app-based or hardware-based alternatives to mitigate SIM-swapping risks.
  • Proactive Monitoring: Use advanced detection tools to identify malicious activity on legitimate platforms like Google Docs and Weebly.
  • User Education: Train employees to recognize phishing tactics, especially those exploiting trusted platforms.
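The monitoring recommendation above is easiest to act on when the campaign's two-hop chain (a link delivered from docs.google.com that lands on an attacker-named Weebly subdomain) is turned into a concrete rule. The following is an added example, not code from EclecticIQ or from the report; it scores constructed proxy-log lines (a simple space-separated `timestamp client_ip referer url` format assumed here), combining three signals the article describes: the landing host is a Weebly subdomain, the subdomain label contains credential-lure words, and the request was referred from Google Docs. The hostname secured1st-accesscode.weebly.com comes from the report; the other hosts, IPs and document id are placeholders.

```python
"""Flag proxy-log requests matching the Google Docs -> Weebly phishing chain.

Added example; not from the EclecticIQ report. Log format is an assumed,
constructed one: "timestamp client_ip referer url" separated by spaces.
"""
from urllib.parse import urlparse

# Site-builder domain abused to host the fake login pages in the campaign.
HOSTED_SUFFIXES = (".weebly.com",)
# Words typical of credential-lure hostnames; the report's example is
# secured1st-accesscode.weebly.com. Tune this list for your environment (assumption).
SUSPICIOUS_TOKENS = ("secure", "login", "signin", "access", "code", "mfa", "verify", "account")
# Delivery platform used for the first hop in the campaign.
DELIVERY_HOSTS = ("docs.google.com",)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if the value is not a URL (e.g. '-')."""
    return (urlparse(url).hostname or "").lower()


def is_hosted_subdomain(host):
    """True for attacker-creatable subdomains such as foo.weebly.com (not the apex)."""
    return any(host.endswith(suffix) for suffix in HOSTED_SUFFIXES)


def suspicious_tokens(host):
    """Credential-lure words found in the attacker-chosen (leftmost) label."""
    label = host.split(".")[0]
    return [t for t in SUSPICIOUS_TOKENS if t in label]


def score_request(referer, url):
    """Return (score, reasons); 0 means nothing in the request matched."""
    host = host_of(url)
    score, reasons = 0, []
    if is_hosted_subdomain(host):
        score += 1
        reasons.append(f"page served from site-builder subdomain {host}")
        tokens = suspicious_tokens(host)
        if tokens:
            score += len(tokens)
            reasons.append("credential-lure tokens in subdomain: " + ",".join(tokens))
        if host_of(referer) in DELIVERY_HOSTS:
            score += 2
            reasons.append(f"reached via {host_of(referer)} (document-delivered link)")
    return score, reasons


def parse_line(line):
    ts, client_ip, referer, url = line.split()
    return {"ts": ts, "client_ip": client_ip, "referer": referer, "url": url}


def flag_requests(lines, threshold=3):
    """Return records whose combined score reaches the threshold."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        score, reasons = score_request(rec["referer"], rec["url"])
        if score >= threshold:
            hits.append({**rec, "score": score, "reasons": reasons})
    return hits


# Constructed sample log; hosts, IPs and the document id are placeholders.
SAMPLE_LOG = [
    "2024-11-20T09:12:01Z 10.0.0.15 https://docs.google.com/presentation/d/DOC_ID_PLACEHOLDER/edit https://secured1st-accesscode.weebly.com/",
    "2024-11-20T09:13:44Z 10.0.0.22 - https://www.weebly.com/",
    "2024-11-20T09:14:10Z 10.0.0.31 https://docs.google.com/document/d/DOC_ID_PLACEHOLDER/edit https://mail.example.com/",
    "2024-11-20T09:15:02Z 10.0.0.40 - https://acme-login-portal.weebly.com/",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit["ts"], hit["client_ip"], hit["url"], hit["score"], "; ".join(hit["reasons"]))
```

With the default threshold only the first line is flagged (score 6: hosted subdomain, three lure tokens, Google Docs referer); the bare weebly.com apex and the token-only fourth line stay below it. Lowering the threshold widens the net at the cost of false positives on legitimate small-business sites, so the referer signal is the one worth weighting most heavily, since it is the part of the chain the report singles out as the delivery mechanism.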

As EclecticIQ’s report concludes, “This deliberate shift toward leveraging cloud-based collaboration tools as entry points makes detection more challenging, allowing attackers to broaden their scope beyond initial targets.”
