Weaponizing Trust: How a Google Docs URL Is Used as the Initial Access URL in Phishing

Quick Read:

| Quick Read | |
| --- | --- |
| Phishing strategy | Threat actors use a Google Slides presentation (served from docs.google.com) as a redirector page to get past URL filters and lead users to a phishing site gated behind a CAPTCHA. Hosting the first hop on a trusted cloud platform improves both email deliverability and user trust. |
| Objective | Steal enterprise credentials. The lure impersonates DocuSign, redirects through Google Docs, and lands on a page mimicking Microsoft 365 or a corporate login portal. |
| Tactics observed | Clean authentication: the sending domain had valid SPF, DKIM and DMARC records, so the email authenticated and reached primary inboxes instead of being caught by reputation-based filtering; authentication proves which domain sent the message, not whether the message is honest. Cloud platform abuse: docs.google.com is used as the trusted first-hop redirector, so blocklists, URL reputation and sandbox analysis only ever see benign-looking Google-hosted content. Multi-stage redirection: Email ➜ Google Slides ➜ CAPTCHA ➜ credential-harvesting page, with each hop designed to defeat static or dynamic analysis. CAPTCHA gating: a human-verification challenge blocks crawlers, bots and automated sandboxes from reaching the final page, which extends the campaign's lifetime and success rate. |
| Low detection rates | The phishing email was not flagged by any of the 60 antivirus engines on VirusTotal. |
| Deployment | NACE™ deployed to analyse email behind Microsoft 365 security. |
Abuse of Trust — Google Docs Joins the List
In our ongoing blog series, we have been documenting how phishing actors increasingly exploit trusted platforms and well-known brands to bypass security layers and trick end users. From Microsoft 365 and Adobe to SharePoint and DocuSign, these trusted names are being used as delivery vehicles for deception.
We have consistently highlighted that this abuse of trust is not a passing trend. It is growing rapidly because it works so well in corporate environments, where brand familiarity often overrides caution.
In this post we spotlight a new variant of the trusted-abuse model: phishing actors are now using Google Slides presentations (served from docs.google.com) as redirectors, slotting them into credential-theft chains. The presentation acts as an intermediate lure that sends users from a legitimate-looking email to phishing infrastructure while keeping an air of authenticity.
Anatomy of the Attack: From Inbox to Credential Theft
Our breakdown of this campaign shows how the attackers combine social engineering, trusted platforms and evasion techniques to trick victims.
The Familiar Email Format:
Image: Campaign Email
The campaign begins with a highly convincing DocuSign impersonation email sent from a domain, skillvill[.]com, whose SPF, DKIM and DMARC records are valid, so the message passes all three checks. The subject line creates urgency tied to an organizational context, increasing the chance of user interaction.
Notable detail: a fake internal reply thread is appended to simulate a forwarded email or ongoing conversation, a tactic very commonly seen in BEC invoice scams, to build trust.
Google Docs Presentation: The Trusted Redirector
Clicking the email link opens a Google Slides presentation hosted on docs.google.com. The page mimics legitimate branding (DocuSign or otherwise) and carries a "View Completed Document" call-to-action button that points at the next hop.
Interesting twist: although the emails are tailored to the targeted organization, this presentation is generic and reusable, so the attackers can point phishing emails aimed at many organizations at the same document.
This mirrors earlier abuse of SharePoint and OneDrive redirectors but shifts the vector to Google Slides, which is scrutinized far less often.
Image: Google Docs phishing redirector
CAPTCHA Gating: Human Filter for Evasion
Before reaching the final phishing page, victims must complete a reCAPTCHA-style challenge. This layer is critical: it filters out bots, URL scanners and automated sandbox analysis, which never get past the challenge to the credential-harvesting page. Previously seen in high-end kits such as EvilProxy, CAPTCHA gating has now trickled down into mass phishing operations.
Trend insight: CAPTCHA use in phishing has spiked in recent months, especially in campaigns abusing content delivery networks (CDNs) or cloud-hosted redirectors. Because the scanner only ever sees the challenge page, it drastically lowers detection by email security engines and URL scanners that rely on fetching the final landing page.
Image: Captcha before final landing page
Once the CAPTCHA is completed, the victim is redirected to a realistic-looking login page (Microsoft 365 or enterprise SSO), where the submitted credentials are harvested silently.
Technical highlight: the page often mimics a device login flow, including "Verify your identity" or "Session expired" messages, to add urgency.
Campaign Effectiveness — Why Does It Work?
| Factor | Why it works |
| --- | --- |
| Google Docs trust factor | The initial URL is on a Google domain, which blocklists cannot block without blocking all of Google Docs; URL reputation gives it a pass. |
| Tailored lure | The email content is customized to the target organization, often using industry-relevant language and branding (e.g., DocuSign, financial notices), which significantly raises click-through likelihood. |
| CAPTCHA gating | Prevents automated scanning of the final page and adds perceived legitimacy. |
| Thread injection | Appends an old or forwarded-looking message so the recipient believes the email is part of an existing conversation. |
| Multi-layer obfuscation | Every step in the flow is designed to look legitimate and to defeat automated analysis, a sign of maturing phishing infrastructure. |
| SPF, DKIM and DMARC alignment | The email passes SPF, DKIM and DMARC, which lends legitimacy and makes delivery to the primary inbox, rather than quarantine or spam, more likely. |
NACE™ Detection Approach
Neural Analysis and Correlation Engine (NACE™) flagged the email as phishing delivered via a Google-hosted redirector leading to credential harvesting, even though the email passed SPF, DKIM and DMARC and linked to a popular, legitimate domain.
Image: NACE™ detection
NACE™ is designed to detect advanced phishing threats, including those embedded within trusted services such as Google Docs. In this campaign, NACE identified the attack by analysing semantics and thematic meaning (the email's intent) and correlating that intent with the SMTP headers, rather than relying on static metadata alone.
Unlike traditional filters that focus on sender addresses or domain reputation, NACE starts from semantic understanding: what the email is trying to make the user do.
In this case, NACE extracted the following features from the different sections of the email:

| Section | Features | Meaning |
| --- | --- | --- |
| Header | auth_spf_pass, auth_dkim_pass, auth_dmarc_pass | Passed authentication |
| Header | domain_uses_cdn_service, is_probable_external_email, is_first_email | Traits that often correlate with first-contact impersonation attempts |
| Subject | sense_of_urgency | Urgent action is requested, a common semantic in threat-actor lures |
| Body | has_link, has_url_to_view_document, url_to_google_slides | A "view document" link hosted on Google Slides |
| Body | domain_is_google_service, domain_is_fshare_service | Trusted redirection platform |
| Body | brand_docusign, file_sharing_semantic, call_to_action_semantic | DocuSign impersonation with the intent of luring the user into action |
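The flow described above (authenticated sender, urgent subject, DocuSign branding, a "View Completed Document" link into docs.google.com/presentation/, and an injected forwarded thread) can be reduced to the feature names in this table and scored without trusting the authentication result. The following is an added example written for this post and is not NACE's code: it parses a constructed sample message modelled on the campaign (the sender domain is the one named above; the presentation id, recipient, keyword lists, host lists and the verdict rule are assumptions for illustration) and shows that the verdict comes from intent plus sender context, with SPF/DKIM/DMARC passing all the way through.

```python
"""Added example (not NACE's code): extract the header, subject and body
features listed above from a raw RFC 5322 message and reach a verdict that
does not depend on SPF/DKIM/DMARC passing. Keyword lists, host lists and
the verdict rule are assumptions for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign; the presentation id and the
# recipient are placeholders, the sender domain is the one seen in the post.
SAMPLE_EML = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=skillvill.com;
 dkim=pass header.d=skillvill.com; dmarc=pass header.from=skillvill.com
From: "DocuSign Completed" <accounts@skillvill.com>
To: finance@victim.example
Subject: ACTION REQUIRED: Completed document awaiting your review today
Content-Type: text/plain; charset=utf-8

Your document has been completed. View Completed Document:
https://docs.google.com/presentation/d/PLACEHOLDER_ID/pub?start=false

---------- Forwarded message ----------
From: Jane Doe <jane@victim.example>
Please take care of this invoice before end of day.
"""

URGENCY_TERMS = ("action required", "urgent", "immediately", "today", "expires", "final notice")
CTA_PHRASES = ("view completed document", "view document", "review document", "sign now", "open document")
BRANDS = {"docusign": "brand_docusign", "microsoft": "brand_microsoft", "adobe": "brand_adobe"}
GOOGLE_HOSTS = {"docs.google.com", "drive.google.com", "sites.google.com", "storage.googleapis.com"}
FSHARE_SUFFIXES = (".sharepoint.com", "1drv.ms", "dropbox.com", "wetransfer.com", "box.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(value: str) -> dict:
    """auth_<mech>_pass flags from an Authentication-Results header (RFC 8601)."""
    feats = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", value)
        feats[f"auth_{mech}_pass"] = bool(m and m.group(1).lower() == "pass")
    return feats


def header_features(msg, known_senders=frozenset()) -> dict:
    feats = parse_auth_results(str(msg.get("Authentication-Results", "")))
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    feats["is_probable_external_email"] = sender.rpartition("@")[2] != recipient.rpartition("@")[2]
    feats["is_first_email"] = sender not in known_senders  # needs mailbox history (assumption)
    return feats


def subject_features(subject: str) -> dict:
    s = subject.lower()
    return {"sense_of_urgency": any(t in s for t in URGENCY_TERMS)}


def body_features(body: str) -> dict:
    text = body.lower()
    urls = URL_RE.findall(body)
    parsed = [urlparse(u) for u in urls]
    hosts = [(p.hostname or "").lower() for p in parsed]
    cta = any(p in text for p in CTA_PHRASES)
    slides = any(h == "docs.google.com" and p.path.startswith("/presentation/")
                 for h, p in zip(hosts, parsed))
    return {
        "has_link": bool(urls),
        "url_to_google_slides": slides,
        "domain_is_google_service": any(h in GOOGLE_HOSTS for h in hosts),
        "domain_is_fshare_service": any(h in GOOGLE_HOSTS or h.endswith(FSHARE_SUFFIXES) for h in hosts),
        "call_to_action_semantic": cta,
        "has_url_to_view_document": cta and bool(urls),
        "file_sharing_semantic": any(w in text for w in ("shared with you", "document has been", "view completed")),
        # injected thread: a forwarded-message marker or a second From: line inside the body
        "has_forwarded_thread": "forwarded message" in text or "\nfrom:" in text,
    }


def brand_features(*parts: str) -> dict:
    text = " ".join(parts).lower()
    return {name: key in text for key, name in BRANDS.items()}


def extract_features(raw: str, known_senders=frozenset()) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    feats = {}
    feats.update(header_features(msg, known_senders))
    feats.update(subject_features(subject))
    feats.update(body_features(body))
    feats.update(brand_features(str(msg.get("From", "")), subject, body))
    return feats


def verdict(f: dict) -> str:
    """Intent-first rule: a branded 'view document' lure on a trusted redirector
    from an external sender is phishing even though every auth check passed."""
    trusted_redirector = f["domain_is_google_service"] or f["domain_is_fshare_service"]
    impersonation = any(f[name] for name in BRANDS.values())
    lure = f["call_to_action_semantic"] and f["has_link"]
    if trusted_redirector and impersonation and lure and f["is_probable_external_email"]:
        return "phishing"
    return "unknown"


if __name__ == "__main__":
    feats = extract_features(SAMPLE_EML)
    for name, value in sorted(feats.items()):
        print(f"{name:32} {value}")
    print("verdict:", verdict(feats))
```

Note that the same Google Slides link in an internal, unbranded message produces no verdict: the redirector host on its own is not the signal, which is exactly why a blocklist cannot be the answer.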
NACE's AI-driven detection pipeline then identified:

| Stage | What it does |
| --- | --- |
| Semantic embeddings via sentence transformers | NACE generates embeddings for the full email content, representing its semantic intent (e.g., review document, DocuSign context). |
| Intent analysis | The embeddings are compared with a curated intent repository using cosine similarity, identifying intents such as: digital document signing; redirect via file sharing; brand-driven urgency. |
| Auxiliary features | Auxiliary features used for the decision: known brands (e.g., brand_docusign); hosting platform (e.g., domain_is_google_service); presence of call_to_action_semantic and has_url_CTA. |
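The intent step above, as an added example that is not NACE's code: a curated intent repository of exemplar phrasings, cosine similarity between the email text and each exemplar, and a final rule that correlates the matched intent with the header context. Because it has to run offline, `embed()` is a deterministic feature-hashing stand-in for a sentence-transformer (with the sentence-transformers library it would be replaced by `SentenceTransformer(...).encode(text)`); the intent names come from the post, while the exemplar sentences, the dimension, the threshold and the correlation rule are assumptions.

```python
"""Added example (not NACE's code): score an email's text against a curated
intent repository with cosine similarity, then correlate the matched intent
with sender context. embed() is a hashing stand-in for a sentence-transformer."""
import math
import re
import zlib

DIM = 4096  # assumption: width of the hashed embedding

# Constructed intent repository: a few exemplar phrasings per intent. The
# three lure intents are those named in the post; the benign one is added so
# the scorer has something to prefer for ordinary mail.
INTENT_REPOSITORY = {
    "digital_document_signing": [
        "Your document is ready to sign",
        "Please review and sign the completed document",
        "A document has been sent to you for signature",
    ],
    "redirect_via_file_sharing": [
        "View the shared file on Google Drive",
        "Open the presentation to view the document",
        "A file has been shared with you",
    ],
    "brand_driven_urgency": [
        "Action required today or your account will be suspended",
        "Urgent: your session has expired, verify your identity now",
        "Final notice: respond immediately",
    ],
    "benign_scheduling": [
        "Can we move our meeting to Thursday afternoon",
        "Sharing the agenda for tomorrow's sync",
        "Lunch next week?",
    ],
}
LURE_INTENTS = {"digital_document_signing", "redirect_via_file_sharing", "brand_driven_urgency"}


def _tokens(text):
    """Lower-cased words plus adjacent-word bigrams, so phrasing carries signal."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return words + [f"{a}_{b}" for a, b in zip(words, words[1:])]


def embed(text):
    """Signed feature hashing (crc32, deterministic across runs) into a DIM vector."""
    vec = [0.0] * DIM
    for tok in _tokens(text):
        h = zlib.crc32(tok.encode("utf-8"))
        vec[(h >> 1) % DIM] += 1.0 if h & 1 else -1.0
    return vec


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return 0.0 if na == 0.0 or nb == 0.0 else dot / (na * nb)


# Embed the repository once; in production this is the precomputed index.
_REPO_VECS = {intent: [embed(s) for s in examples] for intent, examples in INTENT_REPOSITORY.items()}


def intent_scores(text):
    """Nearest-exemplar cosine similarity per intent."""
    v = embed(text)
    return {intent: max(cosine(v, e) for e in vecs) for intent, vecs in _REPO_VECS.items()}


def top_intents(text, threshold=0.15):
    """Intents whose best exemplar clears the threshold, strongest first."""
    hits = [(i, s) for i, s in intent_scores(text).items() if s >= threshold]
    return sorted(hits, key=lambda p: -p[1])


def correlate(intents, *, auth_passed, is_external, is_first_contact):
    """Intent plus header context. A passing SPF/DKIM/DMARC result is recorded
    but never clears a lure intent: it proves the sending domain, not honesty."""
    lure = {i for i, _ in intents} & LURE_INTENTS
    if not lure:
        return "clean"
    if is_external and is_first_contact:
        return "phishing"
    return "suspicious"


if __name__ == "__main__":
    lure_text = "Your document has been completed. View Completed Document. Action required today."
    hits = top_intents(lure_text)
    print(hits)
    print(correlate(hits, auth_passed=True, is_external=True, is_first_contact=True))
```

The threshold is where the tuning lives: with a real sentence model the cosine values are far better separated than with hashed n-grams, so it should be set from held-out mail rather than copied from this example.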
Conclusion
This campaign is representative of the current trend in evasive phishing. Hosting the initial phishing URL on Google Docs, a trusted platform, let the threat actors get past traditional URL detection. Adding a CAPTCHA puts a second layer of evasion in front of dynamic analysis tools such as sandboxes, which never reach the credential-harvesting page. Once the email reaches the inbox, the layered evasion combines with social engineering (a sense of urgency and a fake email thread) to get the user to click.
NACE™ is built from first principles to detect evasive call-to-action URLs by analysing the underlying intent and the contextual relationship between that intent and the SMTP headers, rather than relying on the final landing URL to derive a verdict.
Interested in learning more about NACE™? Our security experts are here to help you stop evasive threats, malicious email, and AI-powered attacks.
May 26, 2025 6:32:14 PM