Cybercriminals Exploit Google Cloud Email Features in Sophisticated Multi-Stage Phishing Attacks

Overview — New Phishing Campaign Abuses Google Cloud Email Features

Cybersecurity researchers have uncovered a sophisticated phishing campaign in which threat actors are misusing Google Cloud’s legitimate automation features — notably Google Cloud Application Integration — to send phishing emails that look like authentic Google notifications. This significantly increases their chance of bypassing email security filters and fooling recipients. (The Hacker News)

How Attackers Abuse the System

  • The attackers leverage the “Send Email” task in Google Cloud Application Integration — a feature designed for automation and workflow notifications — to distribute emails.
  • Because the emails originate from a legitimate Google address (e.g., noreply‑application‑[email protected]) and use trusted infrastructure, they pass standard authentication checks such as SPF, DKIM and DMARC that most corporate email filters rely on. (MalwareTips Forums)
  • Messages are crafted to mimic routine enterprise alerts like voicemail notifications, Tasks updates, or file access requests, making them appear normal and credible to recipients. (TST For Everything IT)

Multi‑Stage Attack Flow — How the Scams Fool Victims

The campaign does not simply send a fake email — it uses a layered redirection chain designed to evade detection and harvest credentials:

  1. Trusted Sender: Email arrives from Google’s real automation domain, helping it land in the inbox instead of spam. (Expert Insights)
  2. Believable Content: The mail closely mimics Google’s UI and language, referencing typical enterprise workflows (e.g., “View voicemail,” “Access shared file”). (ThaiCERT)
  3. Redirection via Trusted Cloud Links: Clicking a link first takes users to a trusted Google Cloud Storage URL — storage.cloud.google.com — which avoids reputation‑based blocking. (Expert Insights)
  4. Fake Verification Step: Users are then shown a bogus CAPTCHA/verification page hosted on googleusercontent.com that’s designed to block automated security scanners while letting humans through. (The Hacker News)
  5. Credential Harvesting: Finally, victims are redirected to a fraudulent login page imitating Microsoft 365 or Google sign‑in interfaces, where their credentials are stolen. (ThaiCERT)

This multi‑stage redirection dramatically increases success rates because it uses trusted domains at each step and evades many automated defenses. (Expert Insights)


Scale and Targets

  • In December 2025 alone, researchers observed over 9,000 phishing emails sent using this method to roughly 3,200 organizations worldwide. (The Hacker News)
  • Affected sectors include manufacturing, technology, finance, professional services, retail, and others — although no industry is truly immune given the general use of Google Cloud and enterprise notifications. (ThaiCERT)
  • Geographically, targets spanned the U.S., Europe, Asia‑Pacific, Canada and Latin America, showing that this is a global campaign. (Expert Insights)

What Makes These Attacks Particularly Dangerous

 1. Legitimate Infrastructure Is Misused

Traditional phishing often relies on spoofed domains or compromised mail servers. In this campaign, attackers do not need to compromise Google itself — they simply abuse a cloud feature, meaning emails are legitimately signed and trusted by many systems. (Forbes)

 2. Bypassing Security Controls

  • Because messages originate from Google‑owned infrastructure, they often skip spam filters and bypass domain authentication blocks. (TST For Everything IT)
  • The use of trusted hosting (Google Cloud Storage, googleusercontent.com) means reputation‑based protections and many secure email gateways may not flag malicious links. (Expert Insights)

 3. Sophisticated Redirection

The layered redirection — including CAPTCHA‑style intermediate steps — actively evades automated scanners designed to detect malicious landing pages. (The Hacker News)

 4. Credential Theft and OAuth Consent Phishing

In some variants of the campaign, attackers also employ OAuth consent phishing, tricking users into granting malicious applications access to cloud resources — including Azure subscriptions, virtual machines and storage — through delegated tokens. (The Hacker News)


Security & Expert Commentary

 Analysts Warn That

  • This campaign highlights a shift: attackers are now exploiting trusted cloud workflow tools rather than just spoofing domains. This makes phishing much harder to detect with conventional tools. (MalwareTips Forums)
  • Enterprises should not automatically trust messages from major cloud providers’ domains — verification should include context and expected workflows. (MalwareTips Forums)

 Community & Security Team Concerns

Cybersecurity professionals — including incident responders and SOC analysts — have noted that this type of threat reframes how cloud‑generated emails are viewed in security design, sparking debates about whether:

  • Trusted cloud senders should be treated differently
  • End‑user awareness can realistically keep up with such advanced campaigns
  • Technical defenses need to evolve beyond SPF/DKIM/DMARC checks for trusted senders (Reddit)

Best Defenses & Mitigation Steps

 For Organizations

  • Do not implicitly trust emails from cloud provider domains for critical actions. Even native Google Cloud emails can be weaponised. (MalwareTips Forums)
  • Monitor and alert on suspicious Google Cloud senders like [email protected] unless your org uses that feature legitimately. (MalwareTips Forums)
  • Enforce phishing‑resistant MFA (e.g., FIDO2 security keys or passkeys) to reduce impact if credentials are captured. (MalwareTips Forums)
  • Tighten conditional access and session/token management to limit the damage from stolen tokens. (MalwareTips Forums)

 For End Users

  • Treat unexpected cloud notifications — even from seemingly trusted addresses — with skepticism. (MalwareTips Forums)
  • Verify directly by navigating to services (Google Drive, Office 365) via bookmarks instead of clicking links in email. (MalwareTips Forums)
  • If you click and enter credentials:
    • Change your password immediately
    • Revoke sessions and tokens
    • Report the incident to your IT or SOC team
    • Run antivirus and endpoint detection scans (MalwareTips Forums)

Key Takeaways

Aspect | Summary
Attack Vector | Abuse of Google Cloud Application Integration to send phishing emails. (The Hacker News)
Target Scale | ~9,400 emails targeting ~3,200 orgs globally within two weeks. (Expert Insights)
Technique | Multi‑stage redirection through trusted domains to harvest credentials. (ThaiCERT)
Impact | Bypasses traditional email security controls and deceives users with credible cloud‑generated emails. (TST For Everything IT)
Mitigation | Enhanced MFA, phishing‑resistant controls, and user training. (MalwareTips Forums)

Bottom Line: Cybercriminals are increasingly leveraging trusted cloud infrastructure and legitimate automation features to power sophisticated phishing campaigns. This shift makes detection harder and underscores the need for layered defenses, user education and critical scrutiny of even legitimate‑looking system notifications. (Hackread)


The following is a case‑study‑style breakdown of the multi‑stage phishing attacks abusing Google Cloud email features: how they played out in real campaigns, and the expert and end‑user commentary and analysis around them.


 Case Study 1 — Phishing Campaign Abuses Google Cloud Application Integration

 How It Worked (Operational Detail)

In December 2025, cybercriminals launched a large, coordinated phishing campaign that misused Google Cloud’s legitimate automation feature — Application Integration. Instead of spoofing domains or compromising mail servers, the attackers abused the platform’s “Send Email” task to send phishing emails that originated from a legitimate Google address (noreply‑application‑[email protected]). Because the emails used Google infrastructure, they passed standard SPF, DKIM and DMARC checks, helping them get delivered straight to inboxes and bypass traditional spam filters. (The Hacker News)

  • Scale: ~9,394 phishing emails targeting about 3,200 organizations globally over a 14‑day period. (The Hacker News)
  • Target sectors: Manufacturing, technology/SaaS, finance, professional services, retail and more. (Expert Insights)
  • Typical lure text: Messages mimicked Google notifications — voicemail alerts, file access or task notifications — prompting users to click embedded links. (The Hacker News)

Why this case matters: Threat actors aren’t just spoofing email — they are leveraging trusted cloud infrastructure to make phishing far more credible. (The Hacker News)


 Case Study 2 — Multi‑Stage Redirection & Credential Harvesting

 Attack Flow Breakdown

The campaign used a multi‑stage redirection process designed to evade security detection and steal credentials:

  1. Trusted first hop: Users received emails with links pointing to storage.cloud.google.com — a Google‑owned domain trusted by email filters. (MalwareTips Forums)
  2. Human‑friendly roadblock: The link then took users to a page on googleusercontent.com presenting a fake CAPTCHA/verification step — preventing automated scanners from flagging the site. (MalwareTips Forums)
  3. Credential capture: After passing this step, users were redirected to a fraudulent Microsoft 365 login page hosted on a non‑legitimate domain, where attackers harvested credentials. (MalwareTips Forums)

Key insight: by chaining trusted domains (Google’s own services in each hop), the attackers greatly increased the campaign’s credibility and reduced automated defence detection. (MalwareTips Forums)


Why These Attacks Are Dangerous

 Trusted Sender Infrastructure Used

Unlike traditional phishing that fakes sender domains or compromises legitimate mailboxes, this campaign leveraged a genuine automation tool and truly valid Google domains. Emails authenticated correctly and appeared legitimate in inboxes — a major blind spot for basic email filters. (TST For Everything IT)

 Visual and Contextual Fidelity

The phishing emails used high‑fidelity UI and copy that mirrored Google notifications (Tasks, file access, voicemail), reducing user suspicion especially in business environments where such notifications are routine. (TechRepublic)

 Multi‑Stage Redirection to Evade Scanning

Layered redirects and fake human‑validation pages prevented many security scanning tools from tracing the final malicious landing page, making detection harder. (Expert Insights)


Expert & Community Commentary

 Security Researchers

Cybersecurity analysts emphasise this campaign as a shift in phishing tactics: attackers are no longer relying on obvious spoofing or compromised systems, but on misusing trusted cloud features to deliver harmful content. This means standard email authentication checks aren’t sufficient anymore. (The Hacker News)

One researcher commented that this kind of trusted platform abuse makes “phishing far more convincing and far less detectable by conventional controls.” (TechRepublic)

 SOC / Security Operations Views

In technical forums, defenders stress that trusted domain status is no guarantee of safety — even emails from major SaaS providers can be abused. Analysts argue for behavioral analysis and link inspection beyond SPF/DKIM/DMARC. (Reddit)

One post highlighted:

“This isn’t typical phishing — this is phishing behind the veneer of cloud trust… SOC teams need to adapt their filtering criteria.” (Reddit)


Impact & Lessons

 Organizational Impact

  • High‑profile phishing campaigns like this can lead to credential theft, unauthorised access to corporate systems, identity compromise, and cloud resource breaches. (Expert Insights)
  • Because attackers used Microsoft login impersonation, stolen credentials could be reused across services — compounding risk. (MalwareTips Forums)

 Key Takeaways

Aspect | Why It Matters
Use of cloud automation | Makes phishing look legitimate, bypassing typical controls. (TST For Everything IT)
Multi‑stage redirects | Evade scanning and security tools. (MalwareTips Forums)
Targeted sectors | Broader risk beyond tech — manufacturing, finance, SaaS firms also hit. (Expert Insights)
Credential theft focus | Leads to further compromise if MFA isn’t enforced. (MalwareTips Forums)

Defensive Measures (Practical Guidance)

 For Organizations

  • Do not trust cloud‑generated domains by default — even legitimate automation emails can be phishing. (MalwareTips Forums)
  • Use advanced email security solutions that inspect link behavior and final landing domains, not just domain authentication. (MalwareTips Forums)
  • Enforce phishing‑resistant MFA (e.g., security keys or passkeys) to reduce damage from credential harvesting. (MalwareTips Forums)
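As an added example (not code from the original article or from any of the cited sources), the following Python sketch shows the two checks the organisational guidance above and in the earlier mitigation list call for: alerting on the Application Integration automation sender when the org does not use that feature, and inspecting a recorded redirect chain for the "trusted Google hops, untrusted final landing page" pattern described in the attack flow. The exact sender mailbox, the sample message and the recorded redirect chain are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Sender of the Application Integration "Send Email" task; the page shows the
# mailbox only partially, so this prefix-based pattern is an assumption.
AUTOMATION_SENDER = re.compile(r"noreply-application-[\w.-]*@google\.com", re.I)
TRUSTED_HOPS = ("storage.cloud.google.com", "googleusercontent.com")  # hops named on the page

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _is_trusted_hop(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOPS)

def classify_message(raw_email, redirect_chains, feature_in_use=False):
    """Return findings for one RFC 5322 message. redirect_chains maps each body
    URL to the hops a sandbox recorded (assumed collected out of band);
    feature_in_use is True when the org itself sends mail through this task."""
    msg = message_from_string(raw_email)
    findings = []
    # SPF/DKIM/DMARC pass on these messages, so the sender itself is the signal.
    if AUTOMATION_SENDER.search(msg.get("From", "")) and not feature_in_use:
        findings.append("unexpected-gcp-automation-sender")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        hosts = [_host(u) for u in redirect_chains.get(url, [url])]
        # The pattern from the page: every hop sits on a trusted Google host
        # except the final landing page, which is on an unrelated domain.
        if (len(hosts) >= 2 and all(_is_trusted_hop(h) for h in hosts[:-1])
                and not _is_trusted_hop(hosts[-1])
                and not hosts[-1].endswith("google.com")):
            findings.append(f"trusted-hop-laundering:{hosts[0]}->{hosts[-1]}")
    return findings

# Constructed sample: a voicemail lure and the redirect chain recorded for it.
SAMPLE_EMAIL = """\
From: Google Cloud <noreply-application-integration@google.com>
Subject: You have a new voicemail
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

A new voicemail is waiting for you. Listen here:
https://storage.cloud.google.com/constructed-bucket/voicemail.html
"""
SAMPLE_CHAINS = {
    "https://storage.cloud.google.com/constructed-bucket/voicemail.html": [
        "https://storage.cloud.google.com/constructed-bucket/voicemail.html",
        "https://constructed.googleusercontent.com/verify",
        "https://login-m365.example.net/signin",
    ],
}
```

Running classify_message(SAMPLE_EMAIL, SAMPLE_CHAINS) yields both findings; passing feature_in_use=True suppresses the sender alert while the redirect-chain finding remains, which is the distinction the guidance draws for orgs that legitimately use the feature.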

 For Users

  • Treat unexpected notifications or task alerts as suspicious — even from trusted senders. (MalwareTips Forums)
  • Hover before clicking: examine the actual URL of buttons/links. (MalwareTips Forums)
  • If you inadvertently entered credentials on a suspicious page, change passwords immediately and revoke sessions/tokens. (MalwareTips Forums)

 Summary

This multi‑stage phishing campaign shows a concerning evolution in cybercriminal tactics, where trusted cloud services and legitimate automation features are abused to deliver convincing phishing emails that bypass conventional security controls. By blending trusted infrastructure, familiar branding and layered redirection, attackers increase their success rate. The key lesson for security teams and end users alike is that legitimate appearance does not equal legitimacy, and stronger, behavior‑based defences — combined with user education — are essential to stay ahead. (TST For Everything IT)