We recently encountered a wave of attacks targeting Google G Suite using a technique we named the ‘phishing collage’ which evades different traditional solutions that try to detect zero-day phishing attacks by parsing and analysis of HTML payload.

Attack Analysis

This is a screenshot of the site pretending to be a Google Drive document.

If we take a close look at the HTML page,

we can see it consists of 4 images at the bottom. If you try to search for any of the words like google, office 365, etc, you will find nothing.

Let’s go and click on the login with Office365.

Here, we can see the same pattern of the ‘phishing collage’. If we look at the HTML of the page

We can see a big image around the form, so you won’t find any mentions of Office365, Sign in, or Sign in with Microsoft account.

What Next?

It seems like a very effective phishing technique because we see this trend on the rise. The URL that we analyzed was blacklisted by Google Chrome and Internet Explorer about 24 hours after the launch of the attack.

The issue is that it is very easy to generate new sites with this kind of exact attack and be unnoticed again. This is why we believe AI and Computer Vision are key to mitigating advanced zero-day phishing threats.