
Hackers are now deploying Google Forms for BazarCall phishing


Cybercriminals now use Google Forms for sophisticated phishing attacks known as BazarCall or BazaCall. This approach makes detection more challenging for traditional security tools.

Cybersecurity experts from the firm Abnormal Security detailed one such BazarCall attack. According to the researchers, these attacks gained notoriety in 2020 and typically commence with a phishing email impersonating a recognisable brand, often in the form of a false payment notification or subscription confirmation. The email urges recipients to call a provided number to dispute charges or cancel a subscription, creating a sense of urgency.

During the ensuing call, attackers manipulate victims into installing software, thereby gaining access to organisational assets.

The latest BazarCall variant observed by the researchers introduces a new layer of sophistication. The attackers utilise Google Forms to craft a convincing narrative. The process involves creating a form with details about fake transactions, including an invoice number, payment methods, and product/service information. The crucial step is activating the ‘response receipt’ option, which sends a copy of the form to the email address entered in it.

A sample malicious Google Form used by the threat actors. | Source: Abnormal Security

The attacker then sends an invitation to complete the form to themselves, clicks the Fill Out Form button upon receipt, enters the target’s email address in the designated field, and submits the form. As the response receipt option is enabled, the target receives a copy of the form, which is designed to mimic a payment confirmation for Norton Antivirus software.

According to the researchers, using Google Forms adds a layer of authenticity to the attack. Because Google Forms is a reputable service, the emails easily bypass traditional cybersecurity tools.

Detecting this BazarCall variant proves challenging for the experts as there are no clear indicators of compromise, and the links in the email are hosted on a reputable Google.com domain. Additionally, the dynamic nature of Google Forms URLs evades traditional security measures reliant on static analysis and signature-based detection.

Experts suggest using the latest machine-learning tools to identify this email attack.
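Because the sender and links are legitimately Google's, a filter has to look at what the receipt says rather than where it comes from. The following is an added example, not code from Abnormal Security or the original article: a simple content heuristic (not the machine-learning approach the experts recommend) that flags a Google Forms receipt only when it also carries a phone number, billing language and a request to call. The sender address, keyword lists, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: Google Forms response receipts arrive from this sender address.
FORMS_RECEIPT_SENDER = "forms-receipts-noreply@google.com"
# Constructed keyword lists for illustration; tune them against real mail flow.
BILLING_TERMS = ("invoice", "payment", "subscription", "renewal", "charged")
CALLBACK_TERMS = ("call", "dispute", "cancel", "refund")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")


def callback_signals(raw: str) -> dict:
    """Collect content signals from one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content().lower() if part else ""
    return {
        "forms_receipt": sender == FORMS_RECEIPT_SENDER,
        "phone_number": bool(PHONE_RE.search(body)),
        "billing_lure": any(t in body for t in BILLING_TERMS),
        "callback_ask": any(t in body for t in CALLBACK_TERMS),
    }


def is_suspect(raw: str) -> bool:
    """Flag a Forms receipt only when every callback-phishing signal is present."""
    return all(callback_signals(raw).values())


# Constructed sample messages (not real traffic).
LURE = """From: Google Forms <forms-receipts-noreply@google.com>
Subject: Payment confirmation
Content-Type: text/plain; charset=utf-8

Invoice: NRT-48213. Your subscription was renewed and charged to your card.
To dispute this payment, call +1 (808) 555-0142 within 24 hours.
"""
BENIGN = """From: Google Forms <forms-receipts-noreply@google.com>
Subject: Team lunch RSVP
Content-Type: text/plain; charset=utf-8

Thanks for filling out Team lunch RSVP. Your answer: Yes, vegetarian.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, is_suspect(raw), callback_signals(raw))
```

Requiring all four signals keeps ordinary form receipts out of the queue; flagged messages are best routed to review rather than dropped, since legitimate forms can also mention payments and phone numbers.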


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
