BazarCall Attacks Abuse Google Forms to Legitimize Phishing Emails

Cyber Threat Summary:
Email security firm Abnormal uncovered a new wave of BazarCall attacks abusing Google Forms to target users. First documented in 2021, BazarCall is a type of phishing attack that uses fake payment/subscription invoices in emails impersonating known brands. In this case, victims are told that their account has been charged and that they should contact customer support if they don’t recognize the transaction. Rather than including a link in the email, the actors provide a phone number for the victim to call. If the recipient calls, the actor poses as customer support and tricks the victim into installing malware.

Security Officer Comments:
In the latest campaign uncovered by Abnormal, threat actors are creating Google Forms with details of a fake transaction, including the invoice number, date, payment method, and miscellaneous information about the product or service being impersonated. A copy of the completed form, which at a glance looks like a payment confirmation, is sent to the victim. Because the copy is sent via Google’s servers, email security tools do not flag or block it. What’s more, the email also originates from a Google address (””), adding a sense of legitimacy.

Suggested Correction(s):
Since the use of Google Forms enables actors to bypass email defenses, the best solution is to train users on these types of attacks. If you receive an email regarding a recent charge for a subscription, it’s best to check with your bank first and contact customer support directly through the official site of the brand for which the payment was made.
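
A triage heuristic for the traits described above, added here as an example and not taken from Abnormal's report or any vendor's product: it flags a message for analyst review only when a Google sender, invoice-style wording and a callback phone number appear together. The domain match, term list, phone pattern and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: any sender under google.com counts as "a Google address".
GOOGLE_DOMAIN = "google.com"
# Wording based on the invoice fields the advisory lists, plus common variants.
INVOICE_TERMS = ("invoice", "payment method", "subscription", "charged", "transaction")
# Loose North American phone pattern: optional +1, then 10 digits with separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def body_text(msg):
    """Concatenate all text/* parts of a message into one lowercase string."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts).lower()

def score_message(raw):
    """Return (flagged, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    text = body_text(msg)
    reasons = []
    if domain == GOOGLE_DOMAIN or domain.endswith("." + GOOGLE_DOMAIN):
        reasons.append("google_sender")
    hits = [t for t in INVOICE_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append("invoice_terms:" + ",".join(hits))
    if PHONE_RE.search(text):
        reasons.append("callback_number")
    # Flag only when all three traits co-occur; each one alone is normal mail.
    return len(reasons) == 3, reasons

# Constructed samples (not real campaign mail); address and number are made up.
SAMPLE_LURE = """From: Example Forms <forms-sample@google.com>
Subject: Order confirmation

Invoice Number: INV-000000
Payment Method: Auto debit
Your account has been charged. If you did not authorize this transaction,
call support at +1 (555) 010-0199.
"""
SAMPLE_BENIGN = "From: Example <forms-sample@google.com>\nSubject: Survey\n\nThanks, your lunch survey response was recorded.\n"
```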