publishing date icon
December 18, 2019
read time icon
5 min. read

An Advanced Phishing Attack Using Google Subdomain

Post hero image

Table of contents

Have you always thought that phishing attacks are not a real problem? Do you still believe that your organization is safe from phishing? You may change your mind by the time you finish reading this article about an advanced phishing attack and watching the video.We’ll show you a more advanced technique that might be challenging to spot even for someone who exercises safe email habits.

At Hoxhunt, we get to see a lot of real-life phishing attacks. Most of the time, these are weak attempts at stealing credentials using obvious domains that are typically easy to spot.Perhaps you’ve come across bulk phishing, which is usually executed poorly. These phishing emails are generally easier to recognize. You notice a lot of typos, weird sentence structures and grammar, poor quality images, and phishing pages hosted in clearly shady phishing domains. If this is your experience with phishing, you might not take the dangers of phishing threats seriously.

Using the example below, we want to try to convince you that anybody could fall for an advanced phishing attack.In this and the next episode, we’ll show you two different advanced phishing attacks committed in the Google environment. We tried to simulate these attacks to be as real as possible. You’ll see that no previous compromise is needed to commit these attacks; they could be remotely executed by anyone.

How Is Google’s Subdomain Used for Phishing?  

[Please watch the video first before you read the explanation. Once you have watched it, read the description and go back to the video.]

The attack illustrated in the video above begins with a very basic email with compliments. There is also a link to a shared PDF that supposedly contains a Google Play gift card.nAs we are suspicious around unsolicited emails, we usually check where the link in the email takes us by hovering over it.In the email, you see that the link takes us to, which is owned by Google. The link even includes the name of the pdf file that is shared with us.The site we end up in is indeed We are then asked to complete additional verification before we receive the gift card.

The form includes my (the author’s) name, my email address, and all the proper animations. At that point, you are asked to type in your password. Once we type in our password, we proceed to get the gift card we were promised. However, on the left side, we can see a console from an attacker-controlled server waiting for passwords to be entered by unfortunate victims. Once the server receives the password, it redirects the victim to a Google Drive page. On this page, we can find a forged PDF to buy some more time for the attacker and keep the victim clueless.You might have known that Google does not entirely maintain the content in At the same time, anybody with a Google account can host almost anything in there.

For security reasons, JavaScript does not work in, but all the attacker needs to do is some basic HTML and CSS support to be able to fabricate a Google login form.This is something you, as a potential target, need to be aware of to be able to detect an advanced phishing attack like this. Without being able to recognize a possible threat, you won’t be able to protect your information from phishing attacks.Unfortunately, basic knowledge of validating the domain to determine if Google owns it or not does not apply here. Before you start typing your password, stop for a moment and think if an extra validation, e.g., requiring your password, is necessary to view the PDF.

Advanced phishing attacks are advancing fast, and anyone can be tricked.

This is a perfect example of an attacker misusing a service in a trusted subdomain like Phishing techniques are advancing incredibly fast. New attack types are emerging all the time. Using a Google subdomain, even the most phishing-trained people could be tricked.In the next article from these series, we will show you a more sophisticated attack that starts with a phishing email, exploits a bug in G Suite, and finally ends up with the victim unknowingly installing malware.

Subscribe to Threat Feed

Subscribe to Hoxhunt's Threat Feed to get the latest phishing threats delivered to your inbox, every Friday.

Form CTA

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.