In March of 2014, cybercriminals ran a campaign of Google Drive phishing attacks designed to grab user credentials and gain complete account access. According to Threatpost, researchers at Elastica Cloud Threat Labs have discovered a new effort with eerily similar traits but one significant update: Additional code is now being used to obfuscate the attempted theft. Here’s a quick rundown of the newest Google threat.

Seems Legitimate

With their new effort, attackers hope to trick users into clicking on a provided Google Drive link and enter their login credentials. But how are savvy users getting taken in by this kind of scam? It has to do with Drive itself. While most people use the service to store spreadsheets, photos and text documents, it’s also possible to host entire websites or single Web pages.

As noted by CSO Online, that’s the bait and switch: Drive is used to host a simple Web page that looks like the Google account login screen and asks for user credentials. Extra code is used to obfuscate JavaScript on the page, which collects login credentials and then forwards them to another website.

From the user perspective, everything seems above board. First, they receive an email saying a trusted contact or unknown entity wants to share a Drive document with them. Clicking the link takes them to a fake Google login page — but one that’s actually hosted by Google Drive itself. What’s more, the page also uses Google’s HTTPS and SLL certificate, making it almost impossible to distinguish from the real thing. Once users enter their username and password, they’re redirected to a PDF document, making the entire scam appear legitimate. Account login information, however, is long gone.

According to Aditya K. Sood of Elastica Cloud Threat Labs, there are a few telltale signs that the attack isn’t a legitimate sharing request. First is the header on the fake Drive page, which reads “Google Drive. One Storage.” What it should say is “One account. All of Google.” In addition, the fake page isn’t set up to actually check credentials; it simply sends them along to another server. This means that if users enter the wrong login and password, they’ll still be taken to off-site PDF documents. Finally, there’s a “Create an Account” link that simply reloads the current page.

Phishing Attacks in a Big Pond

While Sood and her colleagues immediately brought the phishing attacks to Google’s attention, this form of compromise continues to be a popular attack vector. According to Firstpost, for example, phishing attacks triggered a “massive surge in DNS threats” through Q2 of 2015, hitting a record high of 133 on the Infoblox DNS Threat Index during the quarter, almost tripling the score of Q2 2014.

While agencies are doing their best to combat phishing scams, many aren’t even sure what they’re looking for. After the recent U.S. Office of Personnel Management (OPM) breach in April, for example, the U.S. Army flagged an email from identity protection firm CSID as a phishing attempt even though the company was employed by OPM to offer affected workers their services. While the email did share some traits of classic phishing scams — such as a dot-com address instead of dot-gov, as would be expected, a link that asks for personal information and clickable “Enroll Now” button — a quick look at the OPM’s official website would have cleared up any confusion.

There’s a massive pool of users leveraging countless secure and not-so-secure online services, giving malicious actors the ability to pick and choose what type they’ll reel in on any given day. As user knowledge increases, however, cybercriminals are turning to obfuscation and subtle misdirection to gain access — to the point that even large-scale government agencies can’t tell the difference. Best bet? Assume there’s a hook at the end of every unsolicited email — it’s never worth the risky bite.