Fake Office 365 login phishing bypasses security via Google Ads

August 6, 2020
office 365 login fake page google ads bypasses security

A newly discovered campaign has been unraveled again, targeting the famous Microsoft Office 365 accounts. In the recent report of Cybersecurity experts, they unveiled the use of Google Ads and other related Google applications and Microsoft Platform such as Office 365 login pages as their current modus operandi tool for these adversaries to continue their malicious activity. Applications such as Google Takeout for ease of data transfer, Google Docs to inject or embed their malware and spyware, MS Sharepoint in compromising network information system, and Google Drive for temporary storage.

According to our analysis, the modus use a spear-phishing email penetration to their targeted organization containing subjects, which are usually the current events such as the ongoing pandemic of Covid19 or necessary app updates. They send out multiple emails to targeted employees. With the help of the platform as mentioned above, they were able to bypass the imposed security of any organization as the secure email gateways (SEGs) treat it as trusted emails. Since most security models whitelisted Google and Microsoft on their threat list, adversaries able to use this vulnerability to penetrate the organization’s security and business email compromise (BEC) can deliver on the targeted individual. Furthermore, the ingenuity used in crafting the email from the subject to its content is highly sophisticated by which victims are lured to open the contents and perform given instruction without knowing that they have just been baited. The contents contain links wherein they have been redirected to the adversaries-controlled domain mimicry legit websites such as Microsoft to prevent victims from being suspicious that they were being attacked. Lastly, they will be routed to a page containing their company logo and fake Office 365 login, wherein they are instructed to enter their credentials. These credentials are being captured and delivered to the perpetrators using multi-layered transport to avoid being detected of its end destination. Once hackers own this information, the worst scenario to expect is money loss.

There are different modus these perpetrators have used in the past, which experts believed that they are still being repurposed with the aid of the current events and important system updates to work with their devious scheme. They have mentioned a recent attack with Bank of America, wherein the attackers showcased their lethal plan that we’re able to bypass the security of DKIM, DMARC, and SPF multi-layered validation protocol.

Generally, this report was released for public knowledge and welfare.


With the uprising statistics of cybercrime, it is believed that this report is very essential to give an update on the current trends, especially when it talks about the Microsoft Office 365 login platform.


Be it known that this application is widely used by many businesses and government sectors for its complete package functionality and mobility. Exposing such vulnerabilities is the key to mitigate or prevent these adversaries from doing their scheming onto the expense of the company causing significant money loss and worst reputation damage. As the experts say, ‘think before you click,’ or instead of staying vigilant and secure people’s awareness is still the basis to avoid these unfavorable circumstances.

About the author

Leave a Reply