Google tool accidentally makes bypassing phishing filters a breeze

A researcher has discovered a quirk in the way Google App Engine handles subdomains that could allow scammers to conduct email phishing campaigns undetected.

According to security researcher Marcel Afrahim, the cloud-based platform can be abused to bypass security controls and funnel victims to malicious landing pages.

By setting up a raft of invalid subdomains, all of which redirect automatically to a central malicious application, attackers can conceal their activity with ease.

Traditionally, security professionals shield users from malicious applications by identifying and blocking requests to and from dangerous subdomains.

Each subdomain created using the platform contains a marker that indicates the app version, service name, project ID and region ID. But if any of these pieces of information is invalid - providing the project ID is correct - the subdomain redirects automatically to a default page instead of serving a 404 error message.

This practice, known as soft routing, could allow scammers to create a vast pool of subdomains, all of which lead to a single malicious landing page.

The attempts of security professionals, meanwhile, are hindered by the sheer volume of subdomains that lead to the dangerous page.

If a request matches the PROJECT_ID.REGION_ID.r.appspot.com portion of the hostname, but includes a service, version or instance name that does not exist, then the request is routed to the default service, which is essentially your default hostname of the app.
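A defender-side use of the routing rule above, as an added example (not code from the article or from Google): collapse every soft-routed variant onto the project's default hostname, so a blocklist or alert keys on the project rather than on each of the thousands of generated subdomains. The `-dot-` label separator and the project-ID length rule are taken from App Engine/GCP public documentation; the sample hostnames are constructed.

```python
import re
from collections import Counter
from typing import Optional

# Hostname shape: VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com,
# plus the older PROJECT_ID.appspot.com form without a region. Leading
# version/service labels are optional and joined with "-dot-"; a project ID
# is 6-30 chars, starts with a letter and does not end with a hyphen.
_APPSPOT_RE = re.compile(
    r"^(?:(?P<labels>[a-z0-9-]+)-dot-)?"
    r"(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"(?:\.(?P<region>[a-z]{2,3})\.r)?\.appspot\.com\.?$"
)


def canonical_appengine_host(host: str) -> Optional[str]:
    """Return the default-service hostname a soft-routed App Engine hostname
    resolves to, or None when the host is not an appspot.com hostname."""
    m = _APPSPOT_RE.match(host.strip().lower())
    if not m:
        return None
    project, region = m.group("project"), m.group("region")
    if region:
        return f"{project}.{region}.r.appspot.com"
    return f"{project}.appspot.com"


def group_by_project(hosts) -> Counter:
    """Collapse a batch of observed hostnames onto their canonical default
    hostname; the counts show how many variants point at each project."""
    counts: Counter = Counter()
    for h in hosts:
        canon = canonical_appengine_host(h)
        if canon:
            counts[canon] += 1
    return counts


# Constructed sample of what a proxy log might show during such a campaign.
SAMPLE_HOSTS = [
    "login-dot-mail-dot-example-proj.uc.r.appspot.com",
    "x7q2-dot-example-proj.uc.r.appspot.com",
    "example-proj.uc.r.appspot.com",
    "v2-dot-legacy-app-1.appspot.com",
    "appspot.com.not-google.example",  # lookalike suffix, must not match
    "docs.example.com",
]

if __name__ == "__main__":
    for canon, n in group_by_project(SAMPLE_HOSTS).most_common():
        print(f"{n:4d}  {canon}")
```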

The researcher tweeted a list of more than 2,000 subdomains - generated automatically using Google App Engine's domain generator - all of which led to a phishing landing page disguised as a Microsoft sign-in portal.
