23 April 2025

Cybercriminals Exploit Google Forms And SVG Files For Phishing

A surge in phishing attacks highlights the evolving tactics of cybercriminals targeting unsuspecting users and organizations.

In a rapidly evolving landscape of cybersecurity threats, attackers are increasingly leveraging popular tools like Google Forms and SVG image files to execute phishing schemes and distribute malware. Recent reports indicate that these tactics are becoming more sophisticated, targeting unsuspecting users and organizations alike.

Since its launch in 2008, Google Forms has captured nearly 50% of the market share in its category, making it a trusted tool for businesses, educators, and individuals. However, this widespread trust and accessibility have made it an ideal target for cybercriminals aiming to harvest sensitive data such as login credentials and financial information. The free, user-friendly nature of the platform, combined with its legitimacy as a Google service, allows attackers to craft convincing scams that often bypass traditional email security filters. They exploit Transport Layer Security (TLS) encryption and dynamic URLs to evade detection.

Cybercriminals employ Google Forms in multiple malicious ways, primarily focusing on phishing attacks. They design forms mimicking trusted entities like banks, universities, or social media platforms to steal user credentials or financial details. According to recent reports, these forms are often distributed via spoofed phishing emails, sometimes originating from hijacked legitimate accounts, increasing their perceived authenticity.

Beyond data theft, attackers use these forms to redirect victims to malware-laden websites or engage in call-back phishing (vishing), urging users to dial provided numbers under fabricated emergencies. For instance, the BazarCall campaign tricked users into calling fraudulent numbers over fictitious charges using fake PayPal or Netflix forms. Additionally, targeted phishing attacks on U.S. universities detected by Google last year used university branding to harvest logins.

Another significant threat comes from the rise in phishing attacks delivered via SVG image files, as observed by Kaspersky. In March 2025 alone, incidents involving these attacks increased almost sixfold compared to February. Attackers are distributing phishing emails to individuals and organizations, utilizing SVG file attachments—typically associated with image storage—to lure recipients into disclosing sensitive information.

Opening one of these malicious SVG files can lead unsuspecting users to phishing websites that mimic popular services from companies like Google and Microsoft. Kaspersky reported detecting over 4,000 such emails globally since the start of the year. The SVG files exploit their compatibility with JavaScript and HTML to embed scripts that redirect victims to phishing websites when opened.

A typical scenario involves the SVG attachment functioning as an HTML page containing no actual graphics. When opened, the file displays a web page with a link purporting to be an audio file. Clicking this link redirects the user to a phishing page designed to resemble Google Voice, where the supposed audio is merely a static image. Further interaction, such as pressing the "Play Audio" button, leads users to a fraudulent corporate email login page.
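The behaviour described above (an SVG with no drawing content that carries a script, a foreignObject and a "Play Audio" link) is something a mail gateway can flag before the attachment reaches a user. The following triage scanner is an added example written for this article, not Kaspersky's or any vendor's code; the indicator names, thresholds, verdicts and the two sample SVG documents are constructed for illustration.

```python
import re

# Indicators that an SVG attachment behaves like a web page rather than an
# image: active content, navigation, or a large hidden payload.
INDICATORS = {
    "script_element": re.compile(r"<\s*script\b", re.I),
    "foreign_object": re.compile(r"<\s*foreignObject\b", re.I),
    "event_handler": re.compile(r"\son(?:load|click|error|mouseover)\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src)\s*=\s*[\"']\s*javascript:", re.I),
    "external_link": re.compile(r"<\s*a\b[^>]*?\bhref\s*=\s*[\"']https?://", re.I),
    "large_base64": re.compile(r";base64,[A-Za-z0-9+/=]{200,}"),
}

# Elements a genuine picture would normally contain.
DRAWING_ELEMENT = re.compile(
    r"<\s*(?:path|rect|circle|ellipse|line|polyline|polygon|image|use)\b", re.I)

# Indicators that mean the file executes or navigates rather than draws.
ACTIVE = {"script_element", "foreign_object", "event_handler", "javascript_uri"}


def scan_svg(svg_text: str) -> dict:
    """Return the indicators found, the drawing-element count and a verdict."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(svg_text)]
    drawing_count = len(DRAWING_ELEMENT.findall(svg_text))
    has_active = any(h in ACTIVE for h in hits)
    if has_active and drawing_count == 0:
        verdict = "block"       # HTML in an image wrapper with nothing to draw
    elif has_active or "external_link" in hits:
        verdict = "quarantine"  # active content or an outbound link in an image
    elif hits:
        verdict = "review"      # e.g. only an unusually large embedded blob
    else:
        verdict = "allow"
    return {"indicators": hits, "drawing_elements": drawing_count, "verdict": verdict}


# Constructed samples (not real attachments): a plain icon and a lure that
# mirrors the pattern described in the article, with the script body elided.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <script>/* constructed placeholder, no real redirect logic */</script>
  <foreignObject width="100%" height="100%">
    <a xmlns="http://www.w3.org/1999/xhtml" href="https://voice.example.invalid/play">Play Audio</a>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(doc))
```

In production the same check should run on the decoded attachment bytes (SVGs are sometimes shipped base64-encoded or inside archives), and a "block" verdict is a good trigger for a SOC alert keyed on sender and recipient.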

In addition to the SVG attacks, Mandiant’s recent findings reveal that criminals are increasingly using stolen credentials to gain access to victims' IT systems. For the first time, compromised login details have surpassed email phishing as a primary initial infection vector. Mandiant’s M-Trends 2025 report indicates that 55% of attackers active in 2024 were financially motivated, a slight increase from the previous year.

In 2024, Mandiant began tracking 737 new threat clusters, bringing the total number of groups monitored to more than 4,500. Across last year's incident response engagements, the team observed 302 different threat groups, 233 of which were newly identified. Exploits remained the top entry point overall for the fifth consecutive year, while phishing accounted for 39% of cloud compromises, with stolen credentials close behind at 35%.

Interestingly, the most commonly observed initial infection vector for ransomware infections was brute-force attacks (26%), followed by stolen credentials (21%). Email phishing has been on the decline since 2022, representing only 14% of investigations last year, down from 22% three years ago.

One notable example of the dangers posed by stolen credentials is the Snowflake customer breaches, where a group tracked by Google/Mandiant, known as UNC5537, accessed Snowflake customers' cloud databases using stolen credentials obtained via infostealer malware. This highlights the significant risks organizations face when employee credentials are compromised, often without their knowledge.

As these threats continue to evolve, experts emphasize the importance of implementing robust security measures. Organizations and individuals must adopt a multi-layered defense strategy, deploying advanced security software capable of detecting suspicious patterns and blocking malware downloads. Maintaining vigilance against unsolicited communications that prompt urgent actions, such as clicking links or calling numbers, is critical.

Users should verify the authenticity of such requests by contacting the supposed sender through official channels. Google’s warning on forms to "Never submit passwords through Google Forms" serves as a crucial reminder to exercise caution. In the event of a suspected breach, immediate steps like changing passwords, running malware scans, freezing affected financial accounts, and monitoring for unusual activity are essential.

As the landscape of cyber threats continues to shift, staying informed and skeptical of unsolicited outreach, even from seemingly trusted brands, can significantly enhance one’s defenses against the evolving menace of phishing and malware attacks.