How a Sophisticated Credential Phishing Email Bypassed Google Workspace Filters

Written by Kalpesh Mantri, Principal Research Engineer | Dec 20, 2024 7:10:41 PM

Phishing attacks continue to evolve in complexity, leveraging tactics to bypass even advanced email security solutions like Google Workspace (G-Suite) filters. In one of our deployments, one such email targeted an executive, claiming to be from a "Webmail Administrator," and was detected by Inception Cyber NACE. The email threatened account suspension due to "violations" and urged the recipient to click a link to "validate" their account.

This blog will offer a detailed analysis of the attack, showcasing the evasion techniques employed by the threat actor to bypass traditional technologies. It will then delve into how our NACE platform successfully identified and flagged the attack as malicious.

Credential Phishing of G-Suite Customers

As described in the introduction, we detected a phishing email that bypassed G-Suite workspace filters. This email had a sense of urgency and asked the recipient to validate the e-mail account by clicking on the URL in the email body.

Figure 1: Phishing Email

 

In this attack, clicking on the “Click here to validate your e-mail account” button directs the user to a phishing page. Hovering over the button reveals a Cloudflare Workers URL, which serves as an intermediary redirect to the final phishing site. Cloudflare Workers is a serverless platform that allows developers to run JavaScript code on Cloudflare's edge network, improving web performance and reducing latency. While this platform is designed to enhance security and efficiency, attackers have found ways to misuse it. They leverage Cloudflare Workers to create hidden redirects, host phishing pages, and obfuscate malicious URLs, thereby bypassing URL filtering and email security controls.

 

Figure 2: Phishing page obfuscation

Analysis of the phishing page shows that it is completely obfuscated using the document.write() and unescape() functions. We decoded the HTML and went on to explore the entire phishing flow.
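A page obfuscated this way can be decoded without running it. The following added example (not code from the original post or from NACE) statically unwraps nested document.write(unescape(...)) layers and reports where the recovered form posts; the sample page and the collector.example host are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# document.write(unescape('...')) with either quote style; payload is group 2.
WRITE_UNESCAPE = re.compile(
    r"""document\.write\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)

def js_unescape(s):
    """Emulate JavaScript unescape(): %uXXXX and %XX each become one character."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_layers(html, max_depth=10):
    """Decode nested layers as text only; nothing is executed or rendered."""
    layers, current = [], html
    for _ in range(max_depth):
        found = [js_unescape(m.group(2)) for m in WRITE_UNESCAPE.finditer(current)]
        if not found:
            break
        current = "\n".join(found)
        layers.append(current)
    return layers

class FormFinder(HTMLParser):
    """Collect form targets and count password inputs in the decoded HTML."""
    def __init__(self):
        super().__init__()
        self.actions, self.password_fields = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

def analyze(html):
    layers = decode_layers(html)
    finder = FormFinder()
    finder.feed(layers[-1] if layers else html)
    return {"layers": len(layers), "form_actions": finder.actions,
            "password_fields": finder.password_fields}

def make_sample(s):
    """Build constructed test input: percent-encode s inside one write/unescape layer."""
    enc = "".join("%%%02X" % ord(c) for c in s)
    return "<script>document.write(unescape('%s'))</script>" % enc

# Constructed sample: a harmless form wrapped twice; the host is a placeholder.
SAMPLE = make_sample(make_sample(
    '<form method="post" action="https://collector.example/cc.php">'
    '<input type="password" name="pw"></form>'))
```

A decoded form whose action points to a different host than the page that served it, combined with a password field, is a strong triage signal.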

Figure 3: Credential Phishing Attack Flow

In this attack flow, Cloudflare Workers was used to create a deceptive “webmail continue” page, which mimicked legitimate security prompts seen on trusted websites. This tactic creates a false sense of legitimacy, encouraging victims to enter their credentials or other sensitive information. By exploiting familiar-looking security workflows, attackers manipulate users into believing the process is authentic. This social engineering approach increases the likelihood of victims falling for the scam and unknowingly surrendering their credentials, personally identifiable information (PII), and other sensitive data to attackers.

Once the user enters their credentials and clicks on the “Log in” button, the credentials are passed to the attackers’ page hosted on a compromised server.

https[:]//informator[.]com[.]mk/controllers/mod/statistics/canel/module2/cc[.]php

IP: 135.181.213.52:443

 

The credentials are passed in clear text (as seen in the attack flow). Once the credentials are saved, the user is redirected to a Webmail Success page.

----------------------------------------

How Did It Bypass Google Workspace (G-Suite) Filters?

Google Workspace employs AI and multi-layered analysis to detect and block phishing attempts. However, this email successfully bypassed those defenses.

1] SPF, DKIM, and DMARC Pass:
  • SPF Pass: The IP address 23.83.223.32 was authorized to send emails on behalf of wmclscanserver.com.
  • DKIM Pass: The email was signed using the DKIM selector hostingermail-a for wmclscanserver.com, and the signature was valid.
  • DMARC Pass: The DMARC policy of wmclscanserver.com is set to p=none, which means even if SPF or DKIM fails, the email will still be accepted.

 

The email contained proper ARC signatures, DKIM, and DMARC, and the message had a valid HTML structure. Google prioritizes these email authentication mechanisms. Since SPF, DKIM, and DMARC all passed, Google's security controls likely treated the email as legitimate.
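A mail pipeline can record what these results do and do not establish. This added example (not Google's or NACE's logic) parses a constructed Authentication-Results header built from the values reported above and separates "authenticated" from "enforced"; the header layout and the class names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample built from the values reported above; not the original headers.
RAW = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@wmclscanserver.com header.s=hostingermail-a;
 spf=pass (google.com: domain of administrator@wmclscanserver.com designates
 23.83.223.32 as permitted sender) smtp.mailfrom=administrator@wmclscanserver.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wmclscanserver.com
From: Webmail Administrator <administrator@wmclscanserver.com>
Subject: constructed sample

(body omitted)
"""

def auth_summary(raw):
    """Extract SPF/DKIM/DMARC verdicts and the published DMARC policy."""
    msg = message_from_string(raw)
    # Unfold the header so the patterns can match across continuation lines.
    value = " ".join((msg.get("Authentication-Results") or "").split())

    def grab(pattern):
        m = re.search(pattern, value, re.I)
        return m.group(1).lower() if m else "missing"

    return {
        "spf": grab(r"\bspf=(\w+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dmarc": grab(r"\bdmarc=(\w+)"),
        "policy": grab(r"\(p=(\w+)"),
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
    }

def classify(raw):
    """Say what the results establish; domain reputation is a separate question."""
    a = auth_summary(raw)
    if a["dmarc"] != "pass":
        return "unauthenticated"           # sender identity not verified
    if a["policy"] in ("quarantine", "reject"):
        return "authenticated-enforced"    # owner asks receivers to act on failures
    return "authenticated-unenforced"      # p=none or unknown: identity only
```

For the sample above, classify(RAW) returns "authenticated-unenforced": the message really came from the domain, which says nothing about whether the domain is benign.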

 

2] Use of Trusted Relay (MailChannels):

The email claimed to be from administrator@wmclscanserver.com, but deeper analysis shows the actual email path:

  • Received From: catfish.cherry.relay.mailchannels.net (IP: 23.83.223.32) [malicious]
  • Relay Point: nl-srv-smtpout1.hostinger.io (IP: 145.14.150.87)

The attacker used these intermediary services to inject the email into Google's infrastructure. The email was routed through relay.mailchannels.net, a legitimate cloud-based email relay service.

 

 

The use of relay.mailchannels.net as a sender added another layer of legitimacy. MailChannels is widely used for email delivery, and its strong IP reputation helps messages get past spam filters.

3] Use of Cloudflare Workers for URL Cloaking:

workers.dev is associated with Cloudflare Workers, a legitimate service that allows users to run serverless scripts. Attackers frequently exploit it to hide phishing URLs.

 

https[:]//wbxm432cji460cplfpoi23498d.murphy2905[.]workers[.]dev/

 

Attackers used a Cloudflare Workers URL instead of a raw malicious URL. Since workers.dev is widely trusted, Google's URL reputation engine did not flag it as dangerous.

 

4] Legitimate-Looking Sender Domain:

The sender’s email administrator@wmclscanserver.com appears legitimate. Since it’s not a free email service (like Gmail or Yahoo), Google's spam filters may not have flagged it as suspicious.

----------------------------------------

NACE™ Detection Approach:

Figure 4: NACE semantic based approach

NACE leverages Generative and Predictive AI for semantic and thematic analysis to derive intent from the body and headers. It then uses that intent, along with auxiliary information from the URL, as a feature set in an expert system to detect highly evasive phishing URLs, eliminating reliance on phishing pages or final payloads.

Some of the semantic features extracted by AI models in NACE to understand intent and serve as a feature set for decision-making include:

  • Fraudulent Language: The email uses urgent and threatening language to manipulate the recipient into performing an action by clicking on a URL:
    • "Your account will be deleted" – Notifies the recipient that the account is at risk, one of the techniques phishing emails use to grab attention.
    • “You are urgently required to validate your email” – A scare tactic designed to create a sense of urgency.
    • "Failure to validate... will lead to permanent deactivation" – Strong language intended to provoke immediate action.
    • “Click here to validate” – Presence of a call-to-action URL in the email body.
  • URL Auxiliary Information: The URL itself provides details such as:
    • The URL is associated with Cloudflare Workers, a legitimate service that allows users to run serverless scripts. Attackers frequently exploit it to hide phishing URLs.
    • The URL has deeply nested subdomains. The subdomain wbxm432cji460cplfpoi23498d is designed to look random, making it difficult to detect.
  • Suspicious Sender: This was the first email from a non-popular domain to the recipient.
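The features listed above can be approximated with simple heuristics for triage. This added example is not NACE's implementation; the phrase list, the thresholds and the known_domains set are assumptions, and the body text is constructed from the phrases quoted above.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Assumptions: illustrative lists and thresholds, not NACE's actual feature set.
PLATFORM_SUFFIXES = ("workers.dev",)   # serverless host named on this page
URGENCY = ("will be deleted", "urgently required",
           "permanent deactivation", "click here to validate")

def refang(ioc):
    """Turn a defanged indicator (https[:]//a[.]b) into a parseable URL string."""
    return ioc.replace("[.]", ".").replace("[:]", ":")

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def url_features(url):
    host = (urlsplit(refang(url)).hostname or "").lower()
    suffix = next((s for s in PLATFORM_SUFFIXES if host.endswith("." + s)), None)
    labels = host[: -len(suffix) - 1].split(".") if suffix else []
    first = labels[0] if labels else ""
    digits = sum(ch.isdigit() for ch in first)
    return {
        "serverless_platform": suffix,
        "labels_under_platform": len(labels),
        # Long, high-entropy, digit-heavy leftmost label: likely machine-generated.
        "random_looking_label": (len(first) >= 16 and entropy(first) >= 3.5
                                 and digits / len(first) >= 0.2),
    }

def email_features(body, url, sender_domain, known_domains):
    text = " ".join(body.lower().split())
    f = url_features(url)
    f["urgency_hits"] = [p for p in URGENCY if p in text]
    f["first_time_sender"] = sender_domain.lower() not in known_domains
    f["signals"] = sum([bool(f["serverless_platform"]), f["random_looking_label"],
                        len(f["urgency_hits"]) >= 2, f["first_time_sender"]])
    return f

# Constructed sample: body assembled from the quoted phrases; URL is the page's IOC.
BODY = ("Your account will be deleted. You are urgently required to validate your "
        "email. Failure to validate will lead to permanent deactivation. "
        "Click here to validate")
URL = "https[:]//wbxm432cji460cplfpoi23498d.murphy2905[.]workers[.]dev/"

if __name__ == "__main__":
    print(email_features(BODY, URL, "wmclscanserver.com", {"example.com"}))
```

None of these signals is conclusive alone; the point is that all four are available from the message itself, before the landing page is ever fetched.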

In this instance, NACE successfully isolated and classified the phishing email as “Credential Phishing.” The system achieved this by leveraging Generative and Predictive AI for the extraction of critical features and their contextual relationships, allowing NACE to detect sophisticated phishing attempts, even when traditional technologies relying on payload inspection or final-page analysis would fail.

At the time of writing, only 3 out of 96 AV vendors classify this URL as phishing.

----------------------------------------

Conclusion:

The goal of the attacker was to steal the recipient's credentials via:

  • Clicking the link: The recipient clicks on the "validate your e-mail account" link.
  • Credential Harvesting: The link leads to a fake login page (hosted via Cloudflare Workers) that asks for the user's email and password.
  • Account Takeover: Once the user enters their credentials, the attacker gains full access to their email, and typically full G-Suite, account.
  • Potential Next Steps: Attackers may use the compromised account to:
    • Steal sensitive information.
    • Use the email account to send further phishing emails.
    • Exploit the account for internal access to an organization’s resources.

This phishing email demonstrates how attackers can cleverly exploit legitimate services to bypass even sophisticated email security like Google Workspace filters. By using SPF, DKIM, and DMARC authentication, leveraging Cloudflare Workers for URL masking, and exploiting trusted MailChannels relays, attackers were able to land the phishing email directly in the victim’s inbox. NACE has been designed to detect and prevent such evasive URLs at the inception stage by learning from the semantic and thematic structures embedded in emails, rather than relying solely on the malicious payload, which is the root cause of evasion of the current technologies.

Stay vigilant, stay secure.

IOC:

https[:]//wbxm432cji460cplfpoi23498d.murphy2905.workers[.]dev/

https[:]//w1p5ffwiruvy8735yn98vhiu3yitu2y345.mfm59.workers[.]dev/index[.]htm

https[:]//w4t234vhf98375nv4ihgegwe43523v.mfm59.workers[.]dev/

https[:]//informator.com.mk/controllers/mod/statistics/canel/module2/cc[.]php

 

Received From: catfish.cherry.relay.mailchannels[.]net

IP: 23[.]83[.]223[.]32 [malicious]