Google AMP Exploited in Phishing Attacks Targeting Enterprise Users

August 04, 2023 · 3 min read

Phishing remains one of the most prevalent attacker techniques, and the continuous surge in phishing campaigns across the globe creates a growing demand for detection content against related threats. Cyber defenders have observed the latest malicious campaigns leveraging the phishing attack vector, in which hackers exploit Google Accelerated Mobile Pages (AMP) and apply a novel adversary tactic to evade detection.

Detect Phishing Attacks Abusing Google AMP

To streamline threat research and enable defenders to identify attacks leveraging new phishing tactics, SOC Prime Platform for collective cyber defense aggregates a batch of relevant detection content while empowering users with innovative tooling to enhance threat detection coverage, visibility, and engineering capacity.

Possible Google AMP Abusing for Phishing (via proxy)

The dedicated Sigma rule above is aimed at detecting possible phishing attacks abusing Google AMP. The detection is compatible with 17 SIEM, EDR, XDR, and Data Lake solutions and addresses the Initial Access tactic, with Spearphishing Link (T1566.002) as the corresponding sub-technique.

To outspeed the attackers and keep up with the avalanche of phishing threats, SOC Prime provides a collection of curated detection algorithms helping organizations to risk-optimize their cybersecurity posture. By hitting the Explore Detections button below, security enthusiasts can access a broad range of detections for malicious activity associated with phishing. For streamlined threat investigation, teams can also drill down to relevant metadata, including ATT&CK and CTI references.

Explore Detections

Phishing Attack Analysis Abusing Google AMP

Novel phishing campaigns are causing a stir in the cyber threat arena. Attackers leverage a new phishing tactic by abusing a popular HTML framework called Google AMP and targeting enterprise users. In these adversary campaigns, hackers exploit Google AMP URLs for detection evasion and leverage a wide range of other attacker TTPs to bypass email security protection, including the exploitation of trusted domains, email redirection, the abuse of image-based phishing emails, and more.  

The research by Cofense uncovered that phishing attacks exploiting Google AMP URLs emerged in the cyber threat landscape in May 2023. In the latest phishing campaigns, adversaries take advantage of the websites hosted on Google.com or Google.co.uk, which are considered trusted domains enabling attackers to lure more users and fulfill their malicious intentions. Threat actors are mainly targeting their offensive operations at enterprise employees striving to steal their login credentials and making successful attempts at evading secure email gateways. 
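As an added example (not code from the article and not SOC Prime's Sigma rule), the check below runs over constructed proxy log lines: it unwraps the Google AMP viewer form `https://www.google.com/amp/s/<host>/<path>` that the campaigns rely on, extracts the embedded destination host, and flags any host not on an assumed allowlist. The log layout, allowlist, and all hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed proxy log lines (not from the article): timestamp, client, action, URL.
SAMPLE_PROXY_LOG = """\
2023-08-01T09:12:01Z 10.0.4.17 ALLOW https://www.google.com/amp/s/login-portal-example.test/office/auth.html
2023-08-01T09:12:05Z 10.0.4.17 ALLOW https://www.google.com/search?q=amp+pages
2023-08-01T09:13:44Z 10.0.4.22 ALLOW https://www.google.co.uk/amp/s/www.example.com/news/story.html
2023-08-01T09:14:10Z 10.0.4.31 ALLOW https://www.google.com/amp/s/www.bbc.co.uk/news/amp/world-123
"""

# Google hosts whose /amp/ path the article reports being abused (google.com, google.co.uk).
GOOGLE_HOSTS = {"google.com", "www.google.com", "google.co.uk", "www.google.co.uk"}

# AMP viewer path: /amp/s/<host>/... for https targets, /amp/<host>/... for http targets.
AMP_PATH = re.compile(r"^/amp/(?:s/)?(?P<target>[^/]+)(?P<rest>/.*)?$")

# Assumed allowlist of destinations known to be legitimately served through the AMP cache.
ALLOWLIST = {"www.example.com", "www.bbc.co.uk"}


def extract_amp_target(url):
    """Return the host embedded in a Google AMP viewer URL, or None if the URL is not one."""
    parts = urlsplit(url)
    if parts.hostname not in GOOGLE_HOSTS:
        return None
    match = AMP_PATH.match(unquote(parts.path))
    return match.group("target").lower() if match else None


def find_suspicious_amp_requests(log_text, allowlist=ALLOWLIST):
    """Flag AMP-wrapped requests whose embedded destination host is not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than failing the whole run
        timestamp, client, _action, url = fields[:4]
        target = extract_amp_target(url)
        if target and target not in allowlist:
            hits.append({"time": timestamp, "client": client, "embedded_host": target, "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_amp_requests(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} AMP-wrapped request to {hit['embedded_host']}")
```

The embedded host, not the outer google.com domain, is the value worth enriching with threat intelligence or reputation lookups, since the trusted wrapper is exactly what the campaign counts on.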

Rely on SOC Prime to be fully equipped with detection content against TTPs used in ongoing cyber attacks, along with innovative tooling to empower active threat-informed defense. Register for the SOC Prime Platform to boost your cyber defense capabilities while ultimately maximizing the value of security investments and freeing up valuable time for SecOps teams.
