Phishing with Google Forms, Firebase and Docs: Detection and prevention

February 22, 2021 by Howard Poston

The COVID-19 pandemic spurred a massive shift toward telework as companies tried to stay both operational and safe. One of the biggest impacts of this shift was an increased reliance on cloud-based services for business, such as Google’s G Suite.

While Google-based phishing attacks have been around for years, the pandemic provided a perfect opportunity for cybercriminals to double down on these attacks. As a result, a number of phishing attacks have been detected in recent months that leverage trusted Google services, including Google Sites, Firebase, Docs and Forms.


Google Sites and Google Firebase host “trusted” phishing pages

Many organizations’ anti-phishing solutions and employee cybersecurity awareness training focus on URL recognition. The basis of this strategy is that, if the URL originates from a trusted domain (like Google), then the site is probably legitimate.

This approach to phishing detection falls apart with services like Google Sites and Google Firebase. On these platforms, organizations are able to host their own webpages or develop mobile and web applications.

Content developed using Sites and Firebase is hosted by Google, meaning that it has a Google URL. Users looking to verify whether a page is legitimate see the Google domain and trust the site.

Cybercriminals are taking advantage of this fact for their phishing sites. By placing these sites on Google domains, which are included in many organizations’ allow lists for security tools, they bypass email scanning. As a result, the probability of malicious emails containing links to these sites reaching the user’s inbox increases dramatically, potentially exposing an organization to an expensive and damaging cybersecurity incident.

Google Docs and Google Forms collect login information

Google Docs and Google Forms are both designed to enable an organization to share and collect information. Google Docs allows easy document sharing, and Google Forms allows companies to run surveys or perform other data collection via Google-hosted forms.

The issue with Google Docs and Google Forms is that their trusted status gives phishers a number of advantages:

  • Malicious link delivery: Some email scanning solutions will not inspect a linked document for phishing links. This enables a seemingly innocuous email to deliver malicious content.
  • Trusted domain: All Google Docs and Forms are hosted on a Google domain. This domain is often allow-listed by corporate security solutions and trusted by their employees.
  • Plausible forms: Google Forms is a widely used service, and many people have received at least one legitimate survey or questionnaire hosted on Forms. This means that forms linked from phishing emails claiming to request additional information are likely to be trusted.
  • Open sharing: Google provides the ability to impose granular sharing settings on Google Docs and Drive by inviting participants via email; however, this can be inconvenient. As a result, many shared document repositories are publicly available, making it possible for cybercriminals to insert phishing documents into legitimate corporate Drives.
  • Drive collaboration: Google Drive has a collaboration feature that allows developers to send push notifications about shared documents. Cybercriminals have used this to send notifications about shared malicious documents from the Google no-reply email address.

Like the Google Sites and Firebase scams, all of these attacks based on Drive and Forms benefit from Google’s trusted domain and brand.


Protecting against Google-based phishing

Phishing attacks taking advantage of Google services are like any other phishing attack. They use the same tools and techniques, but they are more effective because they take advantage of Google’s trusted domain and corporate brand.

As a result, the same methods for traditional phishing detection and prevention also apply to Google-based phishing:

  • Employee education: Employee cybersecurity awareness training should focus on detecting if an email or document “looks fishy” rather than just the URL. Cybersecurity best practices about not trusting links and attachments and reporting any suspicious emails work equally well for Google-based content.
  • Multi-factor authentication: Employee credentials are a common target of these phishing attacks. Deploying multi-factor authentication (MFA) solutions can help to mitigate the impacts of a phishing attack.
  • Deep email inspection: Many Google-based scams take advantage of the fact that some email scanning solutions see the Google link and look no further. Whether email or browser-based, companies should have solutions in place to detect the phishing content hidden behind the Google domain.
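
A minimal sketch of the link triage that the deep email inspection point implies, added here as an example and not taken from the article or from any vendor's tooling. It contrasts a domain allow list with a check that treats Google-hosted customer content as untrusted; the host and path list is an assumption and is not exhaustive, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# Where Google serves customer-authored content (assumed, non-exhaustive list).
UGC_HOST_SUFFIXES = (".web.app", ".firebaseapp.com")  # Firebase Hosting
UGC_PATHS_BY_HOST = {
    "sites.google.com": ("/",),  # Google Sites
    "docs.google.com": ("/forms/", "/document/", "/presentation/", "/spreadsheets/"),
    "drive.google.com": ("/",),
    "forms.gle": ("/",),  # Google Forms short links
}
# What a typical domain allow list trusts outright.
ALLOWED_DOMAINS = ("google.com", "web.app", "firebaseapp.com", "forms.gle")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def naive_allowlisted(url):
    """The weak check: any host under an allow-listed domain is trusted."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def is_user_content(url):
    """True when a Google host is serving content authored by a third party."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(UGC_HOST_SUFFIXES):
        return True
    path = parts.path or "/"
    return any(path.startswith(p) for p in UGC_PATHS_BY_HOST.get(host, ()))

def triage(body):
    """Map each URL to 'inspect' (fetch and scan target), 'allow' or 'scan'."""
    verdicts = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")
        if is_user_content(url):
            verdicts[url] = "inspect"  # Google-hosted, but not Google-authored
        else:
            verdicts[url] = "allow" if naive_allowlisted(url) else "scan"
    return verdicts

# Constructed sample message body; IDs and project names are placeholders.
SAMPLE_BODY = """Your mailbox is almost full. Confirm your account:
https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID/viewform
Portal: https://placeholder-project.web.app/login.
Help: https://www.google.com/intl/en/about/ or https://mail.example.test/help"""

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_BODY).items():
        print(f"{verdict:8} {link}")
```

Links marked "inspect" pass the naive allow list, which is exactly the gap the bullet describes; a gateway would hand them to content scanning or sandboxed rendering instead of delivering them on domain reputation alone.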

Phishing attacks have always been an issue, and the COVID-19 pandemic has only exacerbated the problem. Instilling cybersecurity best practices throughout the organization is essential to getting a handle on the problem.




Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at