In the current digital landscape, threat actors are continuously refining their social engineering tactics to bypass traditional security perimeters.
A recent and highly effective attack chain illustrates this perfectly: a phishing and malware campaign delivered through direct messages on Discord, Microsoft Teams, Slack, Telegram and similar platforms, built to harvest credentials and take over accounts (ATO), with each compromised account then used to reach the next victim.
By exploiting the trust built into our professional and social networks, attackers are tricking users into handing over their credentials and compromising their devices. This campaign also highlights a growing trend in modern phishing infrastructure: the abuse of legitimate cloud platforms and trusted services to evade traditional phishing detection systems.
Why Google Sites Has Become a Powerful Phishing Vector
One reason this phishing attack is so effective is that it exploits legitimate infrastructure hosted on trusted domains.
Threat actors increasingly deploy phishing pages on platforms such as:
- Google Sites
- Vercel
- Webflow
- Notion
- GitHub Pages
These services provide free hosting, valid TLS certificates, and domains with a long-standing good reputation, so pages hosted on them sail past basic URL filtering and reputation-based defenses.
In this campaign, attackers specifically leverage sites[.]google[.]com. Because the domain belongs to Google, many users incorrectly assume the content itself is trustworthy. This is one of the biggest misconceptions in modern cybersecurity. A trusted hosting provider does not guarantee trusted content, especially when anyone can use it to host their own content.
This tactic is becoming increasingly common in:
- credential harvesting attacks
- OAuth phishing campaigns
- malware delivery operations
- browser fingerprinting infrastructure
- account takeover (ATO) attacks
- malicious collaboration invite scams
The Attack in Action: From Compromised Trust to ATO
To understand the mechanics of this threat, we can analyze a recent campaign targeting decentralized communities and tech professionals.
The attack typically unfolds in three distinct phases.
Phase 1: The Warm-Up (Leveraging Compromised Trust)
The most dangerous aspect of this attack is that the initial outreach rarely comes from an unknown source. Threat actors frequently hijack the accounts of legitimate users—people you may have collaborated with or met at industry events. By operating a stolen account, the attacker weaponizes your pre-existing trust.
Relying on chat history to mimic the compromised user’s tone, the attacker initiates a conversation around a topic of mutual interest. Once rapport is established, they smoothly pivot to collaboration:
If you want, I can send you the workspace invite and you can just look around first.
This is classic social engineering enhanced through trusted-account abuse.
Phase 2: The Invite and the Malicious Link
To add a veneer of authenticity, the attacker often forwards a message containing the invite. This message includes:
- a link
- a workspace owner email
- an access key
The critical element here is the URL itself, which often looks something like:
https://sites[.]google[.]com/view/oauth0/workspace

To an untrained eye, the google[.]com domain implies safety.
However, threat actors are abusing Google Sites — a free, legitimate service that anyone can use to build a webpage — to host custom phishing portals that easily bypass standard domain-reputation filters.
This means that deployments on the sites[.]google[.]com platform should always be treated with caution.
Phase 3: The Phishing Page and Cross-Platform Payloads
Upon clicking the link, the user lands on a page meticulously designed to replicate a Google Workspace login screen. The branding, formatting, and credential fields are virtually indistinguishable from the real thing. Whatever the user types into the form, the access key handed over in the invite or their own Google account password, is transmitted directly to the attacker's backend infrastructure.

However, credential harvesting is only the first stage. This campaign also functions as a cross-platform malware delivery mechanism. The malicious Google Site fingerprints the victim’s browser and dynamically identifies:
- operating system
- browser type
- geolocation
- security tooling
- virtualized environments
The access key often doubles as an anti-analysis gate: the final payload is only served to visitors who present it, so crawlers, sandboxes and analysts who follow the bare link see nothing of interest.
If the victim uses macOS, the infrastructure may deliver macOS malware variants such as macSync.
If the victim uses Windows, the phishing infrastructure dynamically serves Windows-compatible payloads instead.

Regardless of operating system, proceeding beyond the phishing stage can result in:
- full device compromise
- credential theft
- browser session hijacking
- wallet theft
- persistent malware installation
- lateral movement into corporate environments
Each compromised victim then becomes the next trusted sender, and the campaign propagates through their contacts.
Why These Google Workspace Phishing Attacks Are So Dangerous
This campaign combines several highly effective attack techniques simultaneously:
- trusted-account abuse
- social engineering
- legitimate cloud infrastructure abuse
- credential harvesting
- malware delivery
- browser fingerprinting
- anti-analysis mechanisms
- operating-system-specific payload delivery
That combination makes detection significantly harder. Traditional email security filters are largely irrelevant because the initial lure occurs inside messaging platforms and collaboration tools. Meanwhile, URL reputation systems struggle because the phishing infrastructure lives on legitimate Google-owned domains. This creates a dangerous blind spot for organizations relying solely on conventional security tooling.
The Critical Key Takeaway
The most important rule for navigating these requests is simple:
Never authenticate into corporate or personal platforms via links sent through direct messages, even if the sender is a known contact.
Doing so significantly increases your risk of suffering an Account Takeover (ATO).
⚠️ Do not blindly trust deployments hosted on sites[.]google[.]com. Anybody can create websites there for free.
Authentic Google Workspace invitations are typically generated through automated system emails directly from Google — not manual credentials shared through third-party messaging platforms.
Treat any non-standard login flow with extreme caution. The sender’s account may already be compromised.
A Note on Infrastructure Abuse and Incident Response
Security professionals continue to observe significant abuse involving legitimate hosting infrastructure. Platforms like:
- Google Sites
- Vercel
- Notion
- GitHub Pages
- Webflow
are increasingly weaponized because they inherit trust from highly reputable domains.
This creates operational challenges for:
- security vendors
- registrars
- takedown teams
- phishing detection systems
Pages hosted on legitimate infrastructure often remain active longer than traditional phishing domains because they do not immediately trigger automated blocking systems.
As a result, users themselves increasingly become the primary line of defense.
Best Practices to Prevent Google Workspace Invite Phishing Attacks
Verify Invites Systematically
Only accept collaboration or workspace invites received via automated emails from official, trusted domains.
Avoid authenticating through links manually sent in chats or direct messages.
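As an added example (mine, not code from the article and not the behaviour of any Google tool), the following check encodes the rule above that a genuine invitation arrives as automated mail from Google: it reads the receiving server's Authentication-Results header (RFC 8601), requires a dkim=pass from a google.com domain rather than trusting the From: line, and flags any mail that hands out a password or access key in the body, which is the DM scam's signature and something a real invite never does. The trusted-domain list, the sender addresses and all three sample messages are assumptions and constructed data; tune the domain list from invitations you have verified out-of-band.

```python
"""Decide whether a 'workspace invitation' e-mail is the automated kind.

Added example, not code from the article or from Google. Assumptions:
the receiving MTA stamps Authentication-Results (RFC 8601), and genuine
invitations are DKIM-signed by a google.com domain. The sample messages
below are constructed for illustration; real sender addresses vary.
"""
import email
import re
from email import policy

# Assumption: tune this from invitations you have verified yourself.
TRUSTED_SIGNING_DOMAINS = ("google.com",)

# A real invite never needs to hand you a secret in-line; the DM scam does.
INLINE_SECRET_RE = re.compile(r"(?i)\b(password|access key|passcode)\b\s*[:=]")


def domain_of(address):
    """'Name <user@host>' -> 'host'."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_SIGNING_DOMAINS)


def dkim_pass_domains(auth_results):
    """Collect every header.d= domain the MTA reported as dkim=pass."""
    found = re.findall(r"dkim=pass[^;]*?header\.d=([A-Za-z0-9.-]+)", auth_results)
    return sorted({d.lower() for d in found})


def check_invite(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(str(msg["From"] or ""))
    auth_results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    passed = dkim_pass_domains(auth_results)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    reasons = []
    if not is_trusted(from_domain):
        reasons.append(f"From domain {from_domain!r} is not a trusted Google domain")
    if not any(is_trusted(d) for d in passed):
        # A forged From: header fails here: nothing Google-signed backs it up.
        reasons.append("no dkim=pass from a trusted signing domain")
    if INLINE_SECRET_RE.search(text):
        reasons.append("message hands out a password or access key in-line")
    return {"from_domain": from_domain, "dkim_pass": passed,
            "legitimate": not reasons, "reasons": reasons}


# Constructed samples. Header values and addresses are illustrative only.
GENUINE_INVITE = """\
Authentication-Results: mx.corp.example; dkim=pass header.i=@google.com header.s=20230601 header.d=google.com; spf=pass smtp.mailfrom=google.com
From: Google Workspace <workspace-noreply@google.com>
To: you@corp.example
Subject: You have been invited to join Example Org
Content-Type: text/plain; charset=utf-8

Accept the invitation to join the organization. Sign in with your own Google account to continue.
"""

DM_STYLE_INVITE = """\
Authentication-Results: mx.corp.example; dkim=pass header.d=mail.example.org; spf=pass smtp.mailfrom=example.org
From: Alice <alice@example.org>
To: you@corp.example
Subject: Fwd: workspace invite
Content-Type: text/plain; charset=utf-8

Link: https://sites.google.com/view/oauth0/workspace
Owner: admin@example.org
Access key: 7781-2290
"""

SPOOFED_FROM = """\
Authentication-Results: mx.corp.example; dkim=none; spf=fail smtp.mailfrom=google.com
From: Google Workspace <workspace-noreply@google.com>
To: you@corp.example
Subject: Workspace invitation
Content-Type: text/plain; charset=utf-8

Open the workspace here and sign in.
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE_INVITE), ("dm-style", DM_STYLE_INVITE),
                      ("spoofed-from", SPOOFED_FROM)]:
        print(name, check_invite(raw))
```

The third sample is the case that matters most: the From: line says google.com, and only the DKIM result exposes it. Run this on the headers of an invite you already believe is real before trusting the domain list, since mail gateways differ in how they stamp Authentication-Results.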
Verify Your Contacts
If a known contact suddenly sends login credentials or asks you to access a collaboration portal, verify through an out-of-band communication channel such as:
- phone calls
- alternative messaging apps
- voice verification
Compromised accounts are commonly used to spread these attacks.
Recognize Common Phishing Patterns
Being handed a username and password to enter into an unfamiliar login page is a major phishing red flag.
Legitimate enterprise collaboration flows rarely work this way.
Be Cautious With Downloads
Modern phishing kits dynamically deliver malware tailored to the victim’s operating system.
A phishing site may appear harmless while silently deploying malware in the background.
Enforce Strong Authentication
Enable strong MFA across all critical services.
Prefer:
- FIDO2 hardware keys or passkeys, because the credential is bound to the legitimate origin and will not be released to a look-alike page on another domain such as sites[.]google[.]com
- authenticator applications, which resist SIM swapping but still produce a one-time code that can be typed into a phishing page and relayed
Avoid relying solely on SMS-based MFA whenever possible.
Monitor for Infrastructure Abuse
Organizations should actively monitor for:
- impersonation domains
- malicious Google Sites deployments
- phishing infrastructure
- cloned login portals
- suspicious collaboration invitations
Solutions like PhishFort Digital Threat Protection help identify phishing campaigns, impersonation infrastructure, and malicious deployments before they scale into broader account takeover operations.
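To turn the URL observations from the Phase 2 section and the monitoring list above into something you can run over chat exports or proxy logs, here is an added example (mine, not code from the article or from PhishFort). It extracts every link, refangs indicators copied from reports, checks whether the host belongs to one of the free hosting platforms the article names, and escalates only when the user-chosen path pretends to be a login flow, as the `/view/oauth0/workspace` path above does. The identity keyword list and the sample chat lines are my own assumptions and constructed data.

```python
"""Triage links from chat messages for phishing portals on free hosting.

Added example, not code from the article or from PhishFort. The hosting
suffixes are the platforms the article names; the identity keywords and the
sample chat lines are assumptions / constructed data.
"""
import re
from urllib.parse import urlparse

# A match here only means "anyone could have published this page", which is
# the article's point; malice is inferred from what the path pretends to be.
FREE_HOSTING = {
    "sites.google.com": "Google Sites",
    "vercel.app": "Vercel",
    "webflow.io": "Webflow",
    "notion.site": "Notion",
    "github.io": "GitHub Pages",
}

# Words that belong in a login provider's hostname, not in a user-chosen path.
IDENTITY_WORDS = ("oauth", "login", "signin", "sso", "workspace",
                  "verify", "auth", "account")

# Matches live links and defanged ones copied from reports (hxxp, [.]).
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)


def refang(url):
    return url.replace("[.]", ".").replace("hxxp", "http")


def hosting_platform(host):
    host = host.lower()
    for suffix, name in FREE_HOSTING.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def triage_url(url):
    """Return a verdict plus the evidence behind it for one URL."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    platform = hosting_platform(host)
    path = f"{parsed.path} {parsed.query}".lower()
    hits = [w for w in IDENTITY_WORDS if w in path]
    if platform and hits:
        verdict = "suspicious"   # free hosting dressed up as a login flow
    elif platform:
        verdict = "review"       # free hosting, nothing identity-themed
    else:
        verdict = "ok"           # not free hosting; out of scope for this check
    return {"url": url, "host": host, "platform": platform,
            "identity_words": hits, "verdict": verdict}


def triage_messages(lines):
    """Pull every URL out of chat/proxy log lines and triage each one."""
    return [triage_url(u) for line in lines for u in URL_RE.findall(line)]


# Constructed sample chat lines, not real traffic.
SAMPLE_MESSAGES = [
    "[discord] alice: workspace invite https://sites[.]google[.]com/view/oauth0/workspace key 7781",
    "[slack] bob: spec is in https://docs.google.com/document/d/abc123/edit",
    "[teams] carol: demo deployed to https://my-portfolio.vercel.app/about",
    "[telegram] dave: use the real page https://accounts.google.com/signin",
]

if __name__ == "__main__":
    for r in triage_messages(SAMPLE_MESSAGES):
        print(f"{r['verdict']:<10} {r['host']:<28} {r['platform'] or '-':<13} {r['identity_words']}")
```

Note what the fourth sample shows: identity words alone are not the signal, since accounts.google.com is where a Google login legitimately lives. The signal is identity words in a path that any anonymous user could have chosen on a free hosting platform. An "ok" verdict means only that this particular check does not apply; your normal domain reputation and sandboxing still run on those links.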
Final Thoughts
Modern phishing attacks no longer rely on obviously malicious domains or poorly written emails. Threat actors now weaponize:
- trusted platforms
- legitimate infrastructure
- compromised social relationships
- collaboration workflows
The result is a new generation of highly convincing phishing campaigns capable of bypassing both technical defenses and human intuition.
Stay skeptical of unsolicited collaboration requests and verify everything, especially when the login page lives on a seemingly trustworthy domain.