Google Looker Studio is being abused by bad actors to host intermediate phishing webpages.

“Looking” for Documents? .. “Look” No Further: A New Trend in Abusing Google Looker Studio for Phishing

Key Findings:

  • Looker Studio is being used to host intermediate phishing pages.
  • Bad actors are abusing Looker Studio similarly to their abuse of other document hosting platforms.
  • Phishers can use Google’s email authority to send phishing emails with a malicious report.

A New Trend: From Crypto Scams to Document Phishing

Another reputable and trusted company’s platform is being abused for phishing purposes. In September 2023, Google’s Looker Studio platform had been reported by multiple email security vendors (Check Point; KnowBe4) and security news reporters (Dark Reading) as being used to host cryptocurrency scams and crypto-related phishing. 

However, in late March, Keep Aware discovered an unreported trend: Google’s Looker Studio platform is being actively abused by bad actors to host intermediate phishing pages designed to look like a user has a message or document to view.

Before delving into Keep Aware’s research or findings, let’s first understand what Google’s Looker Studio is and why it’s an attractive target for malicious actors.

What is Google Looker Studio?

Formerly referred to as Google Data Studio, Google describes Looker Studio as a “tool that turns your data into informative, easy to read, easy to share, and fully customizable dashboards and reports”. And, though it has some paid features, it is freely available for anyone with a Google account.

Looker Studio enables Google account holders to connect data sources without coding, create custom dashboards and visualizations, and collaborate on these items (also referred to as “reports”) with others. 

Once a report is shared, it is readily accessible on Google’s subdomain, Links to these reports will look like either of the below formats:<alphanumeric-string><UUID>/page/<alphanumeric-string>

However, benign users are not the only ones taking advantage of these free capabilities. Keep Aware has observed a new trend: Bad actors are hosting intermediate phishing pages – with a ‘view content’ theme – by abusing Looker Studio’s reporting and sharing features.

Keep Aware Traced Microsoft Phishing to a Looker Studio Report

In late March, Keep Aware prevented a user from falling victim to a Microsoft phishing page. Keep Aware’s Threat Research division investigated the alert and discovered that a Looker Studio report – hosted on Google’s subdomain and shown below – was used as an intermediate step to the Microsoft phishing page.

Images. Left image: Screenshot of the malintent Looker Studio report, which includes a hyperlinked button that leads a victim to a Microsoft phishing page. Right image: Screenshot of the Microsoft phishing page.

Additional screenshots of malintent Looker Studio reports are provided in the following section.

Other Examples: View Documents, Proposals, Messages

Keep Aware’s research reveals that threat actors are using this platform similarly to how they are abusing Canva designs and Microsoft Dynamics 365 marketing forms – by creating a page, hosted on a reputable domain from a well-known and trusted third party, that prompts a user to view content by first clicking on an object hyperlinked to a malicious webpage. 

Table. Screenshots of various malintent Looker Studio reports that prompt a victim to click on an object that is hyperlinked to a malicious domain.

How does a bad actor entice a victim to view these reports?

Phishing Emails: Leveraging Google’s Authority 

Looker Studio offers the free capability to send a report on the user’s behalf via email. In other words, a bad actor can send victims phishing emails that are sent from Google’s domain. 

From: “<GoogleUser> (via Looker Studio)” <[email protected]>
Text. The “From” email header field will look like the above when a victim receives an email from Looker Studio. Note that “<GoogleUser>” should be replaced with the attacker’s Google account name.

What does this mean? Because attackers are able to piggyback off of Google’s domain, emails with these malicious Looker Studio reports will pass basic email authentication controls (SPF, DKIM) and pass Google’s DMARC email policy. Additionally, email security solutions will look at these headers and likely label the receiving email as not phishing. Lastly, from a human perspective, end users will see the content is from – and leads to – Google’s domain and thus will likely trust the email and its links.

To summarize, attackers are leveraging Google’s authority to bypass email security controls and successfully send phishing emails.

Conclusion, Recommendations

Google’s Looker Studio, abused last year for cryptocurrency scams, is now being used to host and to deliver other phishing attacks. Because this tool is free to use, is easy to use, and bypasses traditional email security controls, Keep Aware’s research division warns that organizations will likely encounter an increase in phishing emails from bad actors abusing this platform.

To protect your organization from phishing attacks that leverage a trusted domain, verify that employees use caution when clicking on links from unknown senders and in unsolicited emails. Additionally, ensure your technical security controls have the depth of visibility to detect phishing webpages that are hosted on reputable domains. 

Talk to the Keep Aware team to understand how you can protect and educate users from these and other intermediate phishing pages.