Threat actors have been observed abusing Google Accelerated Mobile Pages (AMP) in phishing campaigns, as a new tactic to evade detection, email protection firm Cofense reports.
An open source HTML framework meant to improve the performance of mobile pages, Google AMP enables developers to create websites optimized for both desktop and mobile devices.
The phishing attacks, Cofense explains, have been abusing a Google AMP feature that allows site builders to host newly created pages on Google AMP URLs. Furthermore, the attackers are using Google Analytics to track the interaction with their pages.
Starting May 2023, Cofense has seen phishing emails containing Google AMP URLs leading to websites hosted on Google.com, allowing attackers to circumvent defenses. Starting June 15, however, the attackers switched to using Google.co.uk. Most of the phishing pages (77%) were hosted on Google.com.
Aimed at stealing the login credentials of enterprise employees, the phishing attacks have proved successful at bypassing secure email gateways and reaching their intended targets.
“Phishing campaigns abusing the Google AMP services picked up during May and haven’t left the threat landscape since. Overall, we have seen the volume oscillate drastically throughout recent weeks, with the week of May 29th and July 10th showing new heights for the tactic,” Cofense notes.
As part of the observed attacks, the threat actors combined the use of Google AMP URLs with tried-and-true tactics, techniques, and procedures (TTPs), including the use of image-based phishing emails, where an HTML image replaces the email body, to prevent detection.
Additionally, the attackers were seen employing URL redirection (hosting the redirection to the Google AMP domain on Microsoft.com, another trusted domain), and abusing Cloudflare’s CAPTCHA service (the CAPTCHA often comes before the malicious URL, evading email security).
“The Google AMP phishing campaigns have proven to successfully reach their intended targets. This is likely due to the trusted status and legitimacy of the Google domains that each URL is hosted on,” Cofense notes.
Related: Threat Actor Abuses SuperMailer for Large-scale Phishing Campaign
Related: New ‘Greatness’ Phishing-as-a-Service Targets Microsoft 365 Accounts
Related: Zendesk Hacked After Employees Fall for Phishing Attack

More from Ionut Arghire
- Silverfort Open Sources Lateral Movement Detection Tool
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
Latest News
- Silverfort Open Sources Lateral Movement Detection Tool
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
