Proofpoint researchers have identified a vulnerability that allows attackers to leverage Google Apps Script to automatically download arbitrary malware hosted in Google Drive to a victim's computer.
Proofpoint research has found that Google Apps Script and the normal document sharing capabilities built into Google Apps supported automatic malware downloads and sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded.
Proofpoint also confirmed that it was possible to trigger exploits with this type of attack without user interaction, making it more urgent that organisations mitigated these threats before they reach end users, whenever possible.
Proofpoint's exploit begun by uploading malicious files or malware executables on Google Drive, to which threat actors could create a public link.
Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware.
While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect.
In this approach, because recipients received a legitimate link to edit a Google Doc -- as many people do on a daily basis -- the old rules of email hygiene apply here as much as ever.
Google has imposed new restrictions on simple triggers to block phishing and malware distribution attempts that are triggered by opening a doc.
However, recipients also should exercise caution clicking even links to Google Docs unless they know or can verify the sender.
Moreover, this vulnerability automatically downloaded a malicious file and relied on social engineering to convince the recipient to open it; users should be wary of files automatically downloaded by web-based or SaaS platforms and be cognizant of the anatomy of a social engineering attack while organisations should focus on mitigating these threats before they reach end users if possible.
Since Proofpoint disclosed this vulnerability to Google, the company has added specific restrictions on certain Apps Script events that could potentially be abused.
Google now blocks both installable triggers -- customisable events that cause certain events to occur automatically -- and simple triggers like onOpen and onEdit from presenting custom interfaces in Docs editors in another user's session.
However, the proof of concept Proofpoint provided to Google and recently presented at the DeepSec Conference demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years.
Moreover, the limited number of defensive tools available to organisations and individuals against this type of threat makes it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.
SaaS platforms remain a “Wild West” for threat actors and defenders alike.
New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms.
At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms.
This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use “good for bad”: making use of legitimate features for malicious purposes.
With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads.
The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools.
Organisations will need to apply a combination of SaaS application security, end-user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.