Connect with us

Hi, what are you looking for?



Google AMP Abused in Phishing Attacks Aimed at Enterprise Users

Threat actors are using Google AMP URLs in phishing campaigns as a new detection evasion tactic.

Threat actors have been observed abusing Google Accelerated Mobile Pages (AMP) in phishing campaigns, as a new tactic to evade detection, email protection firm Cofense reports.

An open source HTML framework meant to improve the performance of mobile pages, Google AMP enables developers to create websites optimized for both desktop and mobile devices.

The phishing attacks, Cofense explains, have been abusing a Google AMP feature that allows site builders to host newly created pages on Google AMP URLs. Furthermore, the attackers are using Google Analytics to track the interaction with their pages.

Starting May 2023, Cofense has seen phishing emails containing Google AMP URLs leading to websites hosted on, allowing attackers to circumvent defenses. Starting June 15, however, the attackers switched to using Most of the phishing pages (77%) were hosted on

Aimed at stealing the login credentials of enterprise employees, the phishing attacks have proved successful at bypassing secure email gateways and reaching their intended targets.

“Phishing campaigns abusing the Google AMP services picked up during May and haven’t left the threat landscape since. Overall, we have seen the volume oscillate drastically throughout recent weeks, with the week of May 29th and July 10th showing new heights for the tactic,” Cofense notes.

As part of the observed attacks, the threat actors combined the use of Google AMP URLs with tried-and-true tactics, techniques, and procedures (TTPs), including the use of image-based phishing emails, where an HTML image replaces the email body, to prevent detection.

Advertisement. Scroll to continue reading.

Additionally, the attackers were seen employing URL redirection (hosting the redirection to the Google AMP domain on, another trusted domain), and abusing Cloudflare’s CAPTCHA service (the CAPTCHA often comes before the malicious URL, evading email security).

“The Google AMP phishing campaigns have proven to successfully reach their intended targets. This is likely due to the trusted status and legitimacy of the Google domains that each URL is hosted on,” Cofense notes.

Related: Threat Actor Abuses SuperMailer for Large-scale Phishing Campaign

Related: New ‘Greatness’ Phishing-as-a-Service Targets Microsoft 365 Accounts

Related: Zendesk Hacked After Employees Fall for Phishing Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...