Threat actors abuse Google AMP for evasive phishing attacks

Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to inboxes of enterprise employees.

Google AMP is an open-source HTML framework co-developed by Google and 30 partners to make web content load faster on mobile devices.

AMP pages are hosted on Google’s servers, where content is simplified and some of the heavier media elements are pre-loaded for faster delivery.

The idea behind using Google AMP URLs embedded in phishing emails is to make sure that email protection technology does not flag messages as malicious or suspicious due to Google’s good reputation.

The AMP URLs trigger a redirection to a malicious phishing site, and this additional step also adds an analysis-disrupting layer.

Data from anti-phishing protection company Cofense shows that the volume of phishing attacks employing AMP spiked spiked significantly towards mid-July, suggesting that threat actors may be adopting the method.

“Out of all the Google AMP URLs we have observed, approximately 77% were hosted on the domain google.com, and 23% were hosted on the domain google.co.uk,” explains Cofense in the report.

Although the “google.com/amp/s/” path is common in all cases, blocking this would also impact all legitimate cases of using Google AMP. However, flagging them may be the most appropriate action, to at least alert recipients to be wary of potentially malicious redirections.

Extra stealth

Cofense says the phishing actors who abuse the Google AMP service also employ a range of additional techniques that collectively help evade detection and increase their success rate.

For example, in many cases observed by Cofense, the threat actors used image-based HTML emails instead of a traditional text body. This is to confuse text scanners that look for common phishing terms in the message content.

In another example, the attackers used an extra redirection step, abusing a Microsoft.com URL to take the victim to a Google AMP domain and eventually to the actual phishing site.

Finally, attackers employed Cloudflare’s CAPTCHA service to thwart automated analysis of the phishing pages by security bots, preventing the crawlers from reaching them.

All in all, phishing actors today employ multiple detection-evading methods that make it increasingly difficult for targets and security tools to catch the threats and block them.