PROBABLYPWNED
Threat Intelligence | January 30, 2026 | 5 min read

Phishers Hide Behind Google Slides Publish Feature

Attackers exploit Google Presentations' publish mode to host phishing pages that bypass Google's own security warnings, targeting Vivaldi Webmail users.

Alex Kowalski

A phishing campaign targeting Vivaldi Webmail users demonstrates how attackers can weaponize Google's own infrastructure to bypass security controls. The attack exploits a subtle difference between how Google Slides handles shared documents versus published presentations, and that difference determines whether a victim ever sees Google's warning.

The SANS Internet Storm Center documented the campaign on January 30, showing how threat actors used Google's legitimate "Publish to web" feature to strip away the warning banners that normally alert users to potential phishing content.

The Publish Feature Loophole

Google Docs, Sheets, and Slides normally display a footer warning when someone views a shared document from an untrusted source. The message cautions users that the content may be malicious and advises against entering sensitive information.

But when a presentation is published rather than shared, that footer disappears entirely.

The attackers created a single-slide presentation designed to look like a Vivaldi Webmail login page. By publishing it through Google's official workflow, they obtained a clean URL hosted on docs.google.com with no visible security indicators warning users away.

The published URL follows a recognizable pattern: https://docs.google.com/presentation/d/e/[document-ID]/pub?start=false&loop=false&delayms=30000

Those URL parameters—start=false, loop=false, and delayms—are standard slideshow controls that the attackers configured to display a static-looking page rather than an auto-advancing presentation. To an average user, the result looks like a legitimate login form hosted on Google's trusted domain.
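For defenders triaging proxy logs or links extracted from mail, the published-mode pattern above can be matched directly. The following Python sketch is an added example, not code from SANS, Google or Vivaldi; the function names, the log layout and the EXAMPLE_ID document IDs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of a "Publish to web" presentation, per the URL pattern quoted above.
PUBLISHED_PATH = re.compile(r"^/presentation/d/e/([A-Za-z0-9_-]+)/pub/?$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def classify_slides_url(url):
    """Describe a published Google Slides link, or return None for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    # Compare the parsed hostname exactly: substring checks are fooled by
    # lookalikes such as docs.google.com.example.net or user@host forms.
    if (parts.hostname or "").lower() != "docs.google.com":
        return None
    match = PUBLISHED_PATH.match(parts.path)
    if not match:
        return None  # e.g. an ordinary shared link (/d/<id>/edit), not published mode
    qs = parse_qs(parts.query)
    def first(key):
        return qs.get(key, [""])[0].lower()
    delay = first("delayms")
    return {
        "doc_id": match.group(1),
        "delay_ms": int(delay) if delay.isdigit() else None,
        # start=false and loop=false keep one slide on screen like a static page
        "static_like": first("start") == "false" and first("loop") == "false",
    }

def find_published_links(lines):
    """Return (line_number, info) for each published-Slides URL found in lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            info = classify_slides_url(url)
            if info:
                hits.append((number, info))
    return hits

# Constructed proxy-log lines; the document IDs are placeholders, not indicators.
SAMPLE_LOG = [
    "2026-01-30T09:14:02Z u7 GET https://docs.google.com/presentation/d/e/EXAMPLE_ID_1/pub?start=false&loop=false&delayms=30000 200",
    "2026-01-30T09:15:40Z u3 GET https://docs.google.com/presentation/d/EXAMPLE_ID_2/edit?usp=sharing 200",
    "2026-01-30T09:16:11Z u9 GET https://docs.google.com.example.net/presentation/d/e/EXAMPLE_ID_3/pub 200",
    "2026-01-30T09:17:25Z u2 GET https://docs.google.com@example.net/presentation/d/e/EXAMPLE_ID_4/pub 200",
]

if __name__ == "__main__":
    for number, info in find_published_links(SAMPLE_LOG):
        print(number, info)
```

A hit only means the link is in published mode, where the warning footer is absent; because the feature has legitimate uses, treat it as a triage signal to correlate with the referring email rather than as a verdict.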

Attack Chain

The campaign targeted Vivaldi Webmail users with phishing emails claiming their accounts needed verification. Recipients who clicked through landed on the Google-hosted presentation, saw what appeared to be a Vivaldi login page, and faced no warnings from Google about the content's legitimacy.

Users who entered credentials were redirected to the actual credential harvesting infrastructure: a site built using Square's Weebly platform at vivaldiwebmailaccountsservices[.]weeblysite[.]com. The phishing form captured whatever users typed before sending them along to the real Vivaldi webmail—a common technique to delay victims from realizing they'd been compromised.

This represents a shift in hosting strategy. Earlier this month, we covered how attackers were abusing Google Cloud Application Integration to send phishing emails that bypassed DMARC and SPF. That campaign used Google's email infrastructure for delivery. This one uses Google's document infrastructure for hosting. Both exploit the fundamental trust that security tools place in Google's domains.

Why It Works

The attack's effectiveness stems from three factors working together:

Legitimate domain trust. Security tools that evaluate URLs by domain reputation give docs.google.com a pass. URL filtering and web proxies that would block unknown domains won't flag traffic to Google's document platform.

Missing security context. The publish feature exists for legitimate use cases—conference presentations, public reports, embedded content—and wasn't designed with adversarial abuse in mind. The absence of security warnings in published mode is a feature, not a bug, from Google's perspective.

Visual deception. A single-slide presentation with a fake login form doesn't look like a slideshow. It looks like a web page. Users unfamiliar with Google's URL structure have no reason to suspect the page isn't what it claims to be.

Vivaldi's Response

Vivaldi acknowledged the campaign and confirmed their administrators blocked the sending addresses at the server level. The Weebly-hosted phishing domain has since been taken down after reports to Square.

On their community forums, Vivaldi staff warned that anyone who entered credentials should change their passwords immediately and enable two-factor authentication. They also noted the campaign appeared to be "large-scale" based on the volume of user reports.

Broader Implications

This technique isn't limited to targeting Vivaldi users. Any organization could become the target of a similar campaign. The attack template requires minimal technical skill—create a convincing login page in Google Slides, publish it, craft a phishing email, and host a simple credential capture form somewhere.

The pattern mirrors broader trends in how attackers exploit trusted platforms to bypass security controls. When every major cloud provider offers some combination of file hosting, email sending, and web publishing, threat actors can mix and match services to build attack infrastructure that looks legitimate at every hop.

For defenders, the challenge is distinguishing malicious use of trusted services from legitimate use. That's not a problem with a clean technical solution.

Mitigation Measures

Organizations can take several steps to reduce exposure to trusted-platform phishing:

  1. Train users to recognize URL patterns. A login page should be hosted on the organization's actual domain, not embedded in a Google Slides URL.

  2. Implement phishing-resistant MFA. Hardware security keys and passkeys prevent credential theft even when users fall for convincing phishing pages. Password-based authentication with SMS or app-based MFA remains vulnerable to real-time phishing proxies.

  3. Deploy browser extensions that flag suspicious login pages. Some enterprise security tools can detect when a login form appears on an unexpected domain.

  4. Monitor for brand abuse. Organizations can search for their brand names appearing in published Google documents and report malicious content to Google for takedown.

Google hasn't announced any plans to add security warnings to published presentations. The feature works as designed—the problem is that the design didn't anticipate weaponization. Until that changes, published Google documents remain a viable hosting option for phishing pages that need to borrow trust from a major platform.
