
BazarCall Attack Leverages Google Forms to Increase Perceived Credibility

Explore the intricacies of this BazarCall phishing attack that uses a Google Form for heightened authenticity.
December 13, 2023

If a communication channel or business tool can be utilized for nefarious purposes, cybercriminals will find a way to exploit it—often through social engineering. And as businesses and individuals navigate an increasingly interconnected world, understanding the myriad ways modern attackers can manipulate their targets is crucial.

One particularly sophisticated attack strategy is known as BazarCall or BazaCall (also referred to as call-back phishing). This attack type gained notoriety in 2020 due to its unorthodox method of distributing malware: manipulating victims into interacting with the attackers through a simple phone call.

In this article, we dissect an especially complex BazarCall attack that incorporated the use of Google Forms to increase the appearance of legitimacy.

About BazarCall Phishing Attacks

BazarCall/BazaCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand. Within the email, recipients can find the amount to be charged, generally between $49.99 and $500 or more, depending on the subscription or service being impersonated.

Also included is a phone number they can contact to dispute the charges or cancel the subscription or service. This scenario creates a false sense of urgency for the recipient, compelling them to call the listed phone number.


Example of a traditional BazarCall/BazaCall attack

During the phone call, the attacker, disguised as customer support, offers to provide instructions to the target on how to stop the impending charge. But since the goal of BazarCall attacks is to gain unauthorized access to an organization’s assets, what the bad actor is actually doing is tricking the recipient into installing malware—exposing the victim’s organization to future attacks.

BazarCall campaigns have involved the impersonation of a dozen different recognizable brands, including streaming services like Netflix, Hulu, and Disney+, online learning platforms like Masterclass, and security subscriptions like McAfee, Norton, and GeekSquad.

Abnormal recently came across a new variant of a BazarCall attack that uses Google Forms in an attempt to elevate the perceived authenticity of the initial malicious emails.

What Makes This Attack Unique

First, the attacker creates a Google Form and adds details about the fake transaction, including an invoice number and date, method of payment, and information about the product or service that was purportedly purchased.


Example of Google Form with details similar to those used in the attack

The second step is to enable the response receipt option on the Settings tab. When activated, this feature will send a copy of the completed form to the email address entered into the first field. This is a key element of the attack, and we’ll explain why later in the article.


Next, the attacker sends the invitation to complete the form to themselves.


When the invitation arrives, the attacker clicks the Fill Out Form button, which opens the Google Form.


Then, they enter the target’s email address in the “Your email” field and click Submit. Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software.


Actual email sent by threat actors as part of BazarCall attack

Because the email is sent directly from Google Forms, the sender address is forms-receipts-noreply@google[.]com, and the sender display name is “Google Forms.” Not only does this contribute to the appearance of legitimacy, it also increases the chances of the message being successfully delivered, as the email is from a legitimate and trusted domain.

Why This BazarCall Attack Is Difficult to Detect

For several reasons, accurately detecting this email as a potential threat proves challenging for legacy email security tools like secure email gateways (SEGs).

First, there are no clear indicators of compromise, such as a malicious link or harmful attachment. The only links included in the email are hosted on google[.]com, a reputable and trusted domain. Further, Google Forms is a widely used and legitimate service for creating surveys, quizzes, and forms. The emails used in BazarCall attacks originate from a trustworthy source and may appear benign, making it challenging for SEGs to distinguish them from legitimate forms.

Additionally, Google Forms often uses dynamically generated URLs. The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats.

Finally, SEGs may struggle to detect malicious intent in emails containing Google Forms links, especially if the behavior appears consistent with normal user interactions with legitimate forms.

Preventing BazarCall Attacks with Behavioral AI

Unlike secure email gateways, AI-native email security solutions apply the latest machine learning capabilities to correctly identify this email as an attack. Using behavioral AI and content analysis, a modern platform detects the impersonation of a brand and attempted phishing and accurately flags the email as malicious. By not just focusing on the sender or the presence of a payload link, an AI-powered email security platform can stop this attack before it reaches end users.
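To make the content-analysis idea concrete, the following is an added example (not Abnormal's detection logic and not code from the original article): a small Python heuristic that treats a Google Forms response receipt as suspicious when its body reads like an invoice with a call-back number, regardless of the trusted sender. The regular expressions, the scoring rule, and both sample messages are assumptions constructed for illustration; the sender address and brand list come from the article.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sender address reported in the article (defanged there as google[.]com).
FORMS_SENDER = "forms-receipts-noreply@google.com"
# Brands the article lists as impersonated in BazarCall campaigns.
BRANDS = ("netflix", "hulu", "disney+", "masterclass", "mcafee", "norton", "geeksquad")
# Assumed heuristics, not from the article: US-style phone, dollar amount, billing words.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
BILLING_RE = re.compile(r"\b(invoice|subscription|renewal|charged?|payment|cancel|refund)\b", re.I)

def callback_signals(raw_email: str) -> dict:
    """Extract content signals; sender reputation is recorded, never used to skip analysis."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    lowered = body.lower()
    return {
        "from_google_forms": parseaddr(msg.get("From", ""))[1].lower() == FORMS_SENDER,
        "brands": [b for b in BRANDS if b in lowered],
        "phones": [m.group(0).strip() for m in PHONE_RE.finditer(body)],
        "amounts": AMOUNT_RE.findall(body),
        "billing_terms": sorted({t.lower() for t in BILLING_RE.findall(body)}),
    }

def is_suspected_callback_phish(raw_email: str) -> bool:
    """Flag a Forms response receipt that reads like an invoice with a call-back number."""
    s = callback_signals(raw_email)
    return bool(s["from_google_forms"] and s["phones"] and s["billing_terms"]
                and (s["brands"] or s["amounts"]))

# Constructed sample messages (not taken from the article's screenshots).
HEADERS = "From: Google Forms <forms-receipts-noreply@google.com>\nTo: user@example.com\n"
FAKE_INVOICE = HEADERS + (
    "Subject: Order details\n\n"
    "Thanks for filling out this form.\nInvoice No: EXAMPLE-0001\n"
    "Product: Norton Antivirus, 1 year subscription\nAmount charged: $349.99\n"
    "To cancel or dispute this payment call +1 (808) 555-0142\n")
LUNCH_SURVEY = HEADERS + (
    "Subject: Team lunch survey\n\n"
    "Thanks for filling out Team lunch survey.\nPreferred option: Pizza\nHeadcount: 12\n")

if __name__ == "__main__":
    for name, raw in (("fake invoice", FAKE_INVOICE), ("lunch survey", LUNCH_SURVEY)):
        print(name, is_suspected_callback_phish(raw), callback_signals(raw))
```

A rule like this is a triage signal rather than a verdict: phone numbers can be written in other formats, so the extracted signals are best fed into broader scoring and tuned against your own legitimate Forms traffic.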

To see how Abnormal can help your organization block modern threats, reduce spend, and prevent emerging attacks, schedule a demo.
