Over 3,000 organisations, predominantly in manufacturing, fell victim to a sophisticated phishing campaign in December 2025 that leveraged Google’s own application infrastructure to bypass enterprise email security controls.
Attackers sent deceptive messages from [email protected], marking a critical shift in how threat actors exploit trusted platforms.
Unlike traditional phishing attempts that rely on domain spoofing or compromised mail servers, this campaign operated entirely within legitimate Google systems.
The emails passed every standard authentication check (SPF, DKIM, DMARC, and Microsoft's composite authentication, CompAuth), creating a fundamental blind spot for conventional email security tools.
How the Attack Worked
The phishing emails impersonated legitimate Google Tasks notifications, claiming to be internal task assignments requesting employee verification.
Recipients were prompted with calls to action such as “View task” or “Mark complete,” which redirected to a malicious page hosted on Google Cloud Storage.
The attack exploited three weaknesses in traditional, trust-based email security models:
Trusted Sender Infrastructure: Emails originated from valid Google systems, inheriting Google’s high sender reputation and near-universal allowlisting across organizations.
High-Fidelity Brand Impersonation: The messages replicated Google Tasks UI, branding, and familiar notification buttons with striking accuracy, making them visually indistinguishable from legitimate communications.
Payload on Trusted Domains: Rather than hosting malicious content on suspicious domains, attackers leveraged Google Cloud Storage URLs, rendering URL reputation-based detection ineffective.
Most email security platforms rely on sender reputation, domain trust, and authentication verification.
When all three elements are legitimate, as they were here, the email bypasses detection.
The contextual mismatch of Google Tasks being weaponised for HR verification, or legitimate workflows triggering Cloud Storage redirects, remains invisible to conventional tools.
Security researchers at RavenMail detected the campaign by analyzing intent and workflow context rather than relying solely on sender credentials.

The email showed two behavioral inconsistencies: internal tasks originating from external Google addresses, and Cloud Storage endpoints that legitimate Google Tasks operations never use.
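The following Python is an added illustration of that workflow-context check and is not RavenMail's code or any vendor's detection logic. It ignores sender reputation and authentication results entirely and flags only the contextual mismatches the article describes; the Tasks and Cloud Storage host lists, the sample message, and its placeholder addresses are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts a genuine Google Tasks notification would link to (assumption for this example).
TASKS_HOSTS = {"tasks.google.com", "calendar.google.com", "mail.google.com"}
# Public Google Cloud Storage object endpoints (assumption for this example).
GCS_HOSTS = {"storage.googleapis.com", "storage.cloud.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _domain(addr_header: str) -> str:
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def workflow_mismatches(raw_message: str) -> list[str]:
    """Return the workflow inconsistencies found in a Tasks-branded e-mail.
    SPF/DKIM/DMARC and sender reputation are deliberately not consulted: in this
    campaign they all pass, so only the fit between what the message claims to be
    and where it actually points can separate it from a real notification."""
    msg = message_from_string(raw_message)
    text = msg.get_payload()            # single-part text message assumed
    blob = (msg.get("Subject", "") + "\n" + text).lower()
    if "google tasks" not in blob:
        return []                       # not claiming to be a Tasks notification
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    findings = []
    gcs = sorted(h for h in hosts if h in GCS_HOSTS)
    if gcs:                             # Tasks never hands out Cloud Storage links
        findings.append("Tasks-branded message links to Cloud Storage: " + ", ".join(gcs))
    if not hosts & TASKS_HOSTS:         # no button actually leads into Google Tasks
        findings.append("no link points at a Google Tasks host")
    if re.search(r"\binternal\b", blob) and _domain(msg["From"]) != _domain(msg["To"]):
        findings.append(f"'internal' task sent from external domain {_domain(msg['From'])}")
    return findings

# Constructed sample resembling the campaign: authenticated Google-style sender,
# Tasks branding, action buttons pointing at Cloud Storage. Addresses are placeholders.
PHISH = """\
From: Google Tasks <notifications@google-app-sender.invalid>
To: alice@acme.example
Subject: Google Tasks: internal HR verification assigned to you
Authentication-Results: mx.acme.example; spf=pass; dkim=pass; dmarc=pass

Alice, an internal verification task was assigned to you.
View task: https://storage.googleapis.com/constructed-bucket/verify.html
Mark complete: https://storage.googleapis.com/constructed-bucket/done.html
"""
```

Running `workflow_mismatches(PHISH)` yields three findings for the constructed sample, while a message whose buttons lead to tasks.google.com and that makes no "internal" claim yields none.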
This campaign reflects an emerging pattern in which attackers abuse Google’s own cloud services, including AppSheet, Google Forms, and Application Integration, as delivery mechanisms for phishing.
The threat extends beyond Google; any trusted SaaS platform with email-sending capabilities becomes a potential attack vector.
Organizations must evolve beyond trust-based email security models toward intent-centric detection systems that analyze workflow legitimacy and contextual fit, regardless of sender reputation.