I do think sometimes, some of these scammy spammers do have half a braincell – or they just get super lucky. I got this the other day;
And I am a Google Workspace user, so that seemed kinda relevant (there are fairly simple ways of finding this out so that I can be targeted, but the fact they did that [or may have done that] is impressive).
The sender address and reply-to are laughably fake though;
Unless Google are now receiving reply emails at an address registered with a German rival’s email service. I think not.
This isn’t a link Google would use – I highlighted the domain in bold and that should be google.com or googleservices.com or something like that.
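The three checks described above (sender address, reply-to, link domain) can be automated when triaging a reported message. This is an added example, not part of the original post; the sample message, the `phishing_signals` helper and the assumption that `google.com` is the only expected domain are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

def under(host, base):
    """True if host is base itself or a subdomain of it."""
    host, base = host.lower().rstrip("."), base.lower()
    return host == base or host.endswith("." + base)

def addr_domain(addr):
    return addr.rpartition("@")[2]

def phishing_signals(raw, brand, brand_domains):
    """Return reasons the message does not match the brand it claims to be from."""
    msg = message_from_string(raw)          # assumes a single-part HTML message
    name, sender = parseaddr(msg.get("From", ""))
    from_dom = addr_domain(sender)
    signals = []
    if brand.lower() in name.lower() and not any(under(from_dom, d) for d in brand_domains):
        signals.append(f"display name claims {brand} but From domain is {from_dom}")
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if not under(addr_domain(reply), from_dom):
            signals.append(f"Reply-To domain {addr_domain(reply)} differs from From domain {from_dom}")
    for url in re.findall(r'href="(https?://[^"]+)"', msg.get_payload(), re.I):
        host = urlsplit(url).hostname or ""
        if not any(under(host, d) for d in brand_domains):
            signals.append(f"link host {host} is outside {brand}'s domains")
    return signals

# Constructed sample message: every address and host here is made up.
SAMPLE = """\
From: "Google Workspace" <billing@workspace-notify.example>
Reply-To: accounts-team@freemail.example
Subject: Action required on your subscription
Content-Type: text/html

<p>Your plan is about to expire.</p>
<a href="https://storage.cdn-files.example/renew">Review now</a>
"""

if __name__ == "__main__":
    for reason in phishing_signals(SAMPLE, "Google", ("google.com",)):
        print("-", reason)
```
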
I used an isolated browser and machine to open the link, Nord blocked it but I bypassed that and it took me to a page that was “Loading” but nothing happened. Either it was trying to steal stuff in the background or install malware or something, or it is now broken as it’s been reported.
These Google credential scams are getting more and more common now, so be aware and if you are unsure about anything at all contact me by commenting or email scams@0lly.uk.
Honestly, this one was scary! There were ZERO red flags, apart from the fact I know this email address doesn’t exist. Absolutely EVERYTHING ELSE was 100% convincing.
Fake Google Doc Share Email
So I got this email to my work email, from an account with the same domain as my work. So this looked like a 100% convincing internal document share;
So we had another fake Google email as part of a scam recently, but that had a Googlemail.com email as the sender, and a few other things that indicated it was dodgy – this one didn’t. This one was VERY professionally put together.
There is nothing there (apart from the fact I know finance@mydomain.url doesn’t exist) to indicate this is not a legitimate email.
Breaking Down the Fake Google Doc Share Scam
So, the email itself looked legit, the URL the button wanted to take me to was this (URL obfuscated to avoid it being crawled or clicked);
So on the face of it, it isn’t screaming SCAM as it came from what appeared to be a totally legitimate Google email!
NEVER CLICK ON LINKS IN EMAILS OR BUTTONS IN EMAILS IF YOU ARE UNSURE OF THE LEGITIMACY OF THE EMAIL. LEAVE THAT TO IDIOTS LIKE ME.
The URL itself (opened in a controlled environment) opened a page with what appeared to be a Captcha;
Looking into the source code, the page was quite simple and in fact looked like it had been ripped from a template somewhere – there were placeholders like this;
Which is quite surprising, considering how much effort they had put into the rest of it. That said, the implementation of this scam is quite advanced in that they are using an SVG (which is essentially an image) to contain the Base64 encoded payload.
What the page is trying to do is this; the captcha is there to stop Bots and stuff from finding their fake Google Login page, which is what the page was going to redirect me to once I filled in the Captcha.
hXXps://accounts.authenticationsystems.cloud
That is the URL that I decoded from the Base64 hash you can see in the above screenshot. The URL doesn’t work, so maybe they had already been shut down by the time I got to it?
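The decoding step described above can be done without opening the page in a browser at all. The following is an added example, not code from the original post: it pulls Base64 runs out of saved markup, decodes them (including an SVG that is itself Base64-wrapped in a `data:` URI) and reports any URLs in defanged form. The sample page, the `login.example.invalid` host and the function names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")   # long enough to hold a URL
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+", re.IGNORECASE)

def decode_run(run):
    """Return the text behind one Base64-looking run, or None if it is not Base64."""
    raw = run.rstrip("=").replace("-", "+").replace("_", "/")  # accept URL-safe form
    raw += "=" * (-len(raw) % 4)                                # restore padding
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return None

def hidden_urls(markup, depth=2):
    """Collect URLs that only become visible after Base64-decoding parts of the markup."""
    found = []
    for run in B64_RUN.findall(markup):
        text = decode_run(run)
        if not text:
            continue
        found += URL_RE.findall(text)
        if depth > 1:                       # e.g. an encoded SVG inside a data: URI
            found += hidden_urls(text, depth - 1)
    return list(dict.fromkeys(found))       # de-duplicate, keep order

def triage(markup, ignore_hosts=frozenset({"www.w3.org"})):
    """Return (host, defanged URL) pairs, skipping the SVG/XML namespace host."""
    out = []
    for url in hidden_urls(markup):
        host = urlsplit(url).hostname or ""
        if host not in ignore_hosts:
            out.append((host, re.sub(r"^http", "hXXp", url, flags=re.I)))
    return out

# Constructed sample: an inert SVG hiding a URL in an attribute, wrapped in a data: URI.
TARGET_B64 = base64.b64encode(b"https://login.example.invalid/session").decode()
SAMPLE_SVG = f'<svg xmlns="http://www.w3.org/2000/svg" data-next="{TARGET_B64}"><title>Loading</title></svg>'
SAMPLE_PAGE = '<img src="data:image/svg+xml;base64,' + base64.b64encode(SAMPLE_SVG.encode()).decode() + '">'

if __name__ == "__main__":
    print(triage(SAMPLE_PAGE))
```
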
Why This Scam Seems to Go Nowhere?
So it seems strange that the final step in this puzzle is a dead end. Why go through so much effort, to then fall at the final hurdle?
Well in some cases, that’s the point. These scams are like a burn-and-rotate kind of scam. The first step is the super convincing email, the second step is like a “gatekeeping” step to stop bots and stuff from following links and flagging the website as malicious.
The final bit of the scam is the piece that can link the perpetrator – and this is the bit that gets burned quickly after the scam has taken place. I have reached out to the Cloud domain registrar to see if that domain was in fact registered, and if so – who to – but due to GDPR I don’t suspect they will give me any info. I’d like confirmation on whether it was ever registered or not though.
If it had loaded, it would have probably looked identical to a Google login page, and at that point if I had input my details, it would have pretended to log in, sent my Google details to some dodgy person somewhere or stored them in a file on their server, and then redirected me back to a legitimate Google login page.
I will update this post if I hear back from the Cloud registrar.
UPDATE 15/12/25
I received this on Friday – result!
They confirmed afterwards that the domain was already suspended by the time I had emailed them – which I sort of suspected to be honest anyway. I don’t think it was registered long, and in fact there was no WHOIS info available, so it’s likely it was only online for a very brief period of time. At least it’s not just me fighting the good fight!
My takeaway from all this is that with the rise in AI and tools that can help you make phishing sites with the click of a button, we are gonna have to be on our toes 100% of the time to ensure we stay safe. This particular scam was so detailed, and had almost no red flags at all. This would have fooled even the most switched-on user.