Source: www.securityweek.com – Author: Ionut Arghire
Cybersecurity researchers are calling attention to two recently observed phishing campaigns caught abusing the legitimate services Firebase and Google Apps Script to lure unsuspecting users to malicious content.
In mid-May, Trellix said it identified a spear-phishing operation impersonating a Rothschild & Co employee to target financial executives at banks and energy, insurance, and investment organizations in Africa, Canada, Europe, the Middle East, and South Asia.
The malicious emails contained a fake brochure, identified as a webpage hosted on Firebase and hidden behind a math-quiz custom CAPTCHA. Once the challenge is solved, the victim is served a ZIP file that contains a VBS script.
The script was designed to silently install NetBird and OpenSSH on the victim’s system, to create a hidden local-admin account, and to enable RDP, providing the attackers with remote access to the machine.
The multi-stage attack was designed to evade detection by both defensive solutions and individuals, and to ensure persistent access to victim machines through the legitimate remote access tool NetBird, potentially with devastating impact, according to Trellix.
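A defender-side sketch of the behaviour chain described above, added here as an example and not taken from the article or the Trellix report: it flags a host when several of those behaviours (remote-access service install, new local account, admin group change, RDP enabled) occur close together. The event records are constructed, the field names are a simplified hypothetical normalisation, and the service names, 30-minute window and threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the Trellix report). Field names are a
# simplified, hypothetical normalisation of Windows System/Security/Sysmon events.
EVENTS = [
    {"ts": "2025-05-20T09:01:10", "host": "FIN-WS-07", "id": 7045, "service": "NetBird"},
    {"ts": "2025-05-20T09:01:40", "host": "FIN-WS-07", "id": 7045, "service": "sshd"},
    {"ts": "2025-05-20T09:02:05", "host": "FIN-WS-07", "id": 4720, "user": "svc_example"},
    {"ts": "2025-05-20T09:02:06", "host": "FIN-WS-07", "id": 4732, "group": "Administrators"},
    {"ts": "2025-05-20T09:02:30", "host": "FIN-WS-07", "id": 13, "value": 0,
     "target": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    # Benign-looking host: one admin-installed service, an unrelated account days later.
    {"ts": "2025-05-19T14:00:00", "host": "HR-WS-02", "id": 7045, "service": "sshd"},
    {"ts": "2025-05-22T10:00:00", "host": "HR-WS-02", "id": 4720, "user": "new_hire"},
]

REMOTE_SERVICES = {"netbird", "sshd"}  # assumed service names for NetBird / OpenSSH

def classify(ev):
    """Map one event to the behaviour it evidences, or None if irrelevant."""
    eid = ev["id"]
    if eid == 7045 and ev.get("service", "").lower() in REMOTE_SERVICES:
        return "remote_tool_service"          # System 7045: service installed
    if eid == 4720:
        return "account_created"              # Security 4720: local user created
    if eid == 4732 and ev.get("group") == "Administrators":
        return "admin_group_add"              # Security 4732: added to local group
    if (eid == 13 and ev.get("target", "").lower().endswith("fdenytsconnections")
            and ev.get("value") == 0):
        return "rdp_enabled"                  # Sysmon 13: RDP deny flag cleared
    return None

def find_chains(events, window=timedelta(minutes=30), threshold=3):
    """Return {host: behaviours} where >= threshold distinct behaviours share a window."""
    per_host = {}
    for ev in events:
        behaviour = classify(ev)
        if behaviour:
            per_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["ts"]), behaviour))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {b for t, b in hits[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Calling `find_chains(EVENTS)` flags only the constructed host FIN-WS-07; each behaviour on its own is common in legitimate administration, which is why the sketch alerts on the combination rather than on single events.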
Alongside the Trellix report, Cofense publicly documented another phishing campaign designed to evade detection through the abuse of Google Apps Script, a legitimate development platform integrated across various products from the tech giant.
Spoofing the legitimate domain of a disability and health equipment provider, the campaign relies on phishing emails designed to create a sense of urgency and mislead the recipient into clicking a fake invoice link that takes them to an invoice page hosted on Google Apps Script.
“By hosting the phishing page within Google’s trusted environment, attackers create an illusion of authenticity. This makes it easier to trick recipients into handing over sensitive information,” Cofense said.
The phishing page directs the user to click a ‘preview’ button that triggers a fake login window pop-up, mimicking a legitimate Microsoft login page. The entire setup is hosted on script[.]google[.]com, which is meant to provide users with a sense of trust, Cofense notes.
Details on the two campaigns came to light right after ESET warned of phishing attacks impersonating the popular e-signature firm Docusign. Recipients receive email messages with a spoofed Docusign envelope requesting them to review a document or scan a QR code, which leads them to a fake Microsoft login page.
Original Post URL: https://www.securityweek.com/firebase-google-apps-script-abused-in-fresh-phishing-campaigns/
Category & Tags: Fraud & Identity Theft, Malware & Threats, Cofense, ESET, Firebase, google, Trellix