A sophisticated phishing campaign is exploiting Google Cloud infrastructure to bypass email security filters and steal Microsoft 365 credentials, demonstrating how attackers increasingly abuse trusted cloud platforms to lend legitimacy to their malicious activities.
Cybersecurity researchers at Check Point have uncovered a large-scale operation that sent more than 9,300 phishing emails to approximately 3,200 organizations over a 14-day period.
The attackers weaponized the Send Email feature of Google Cloud Application Integration to distribute messages from a legitimate Google sender address, which makes the emails look authentic and lets them slip past traditional spam filters that trust Google's sending infrastructure.
The campaign employs a multi-stage redirection technique designed to exploit user trust while evading automated security tools.
Recipients receive professionally crafted emails mimicking routine Google notifications (voicemail alerts, document-sharing requests, or permission notifications) that closely replicate Google's authentic formatting and language.
When victims click the embedded link, they are first directed to a legitimate storage.cloud.google.com URL, establishing initial trust.
The attack then redirects through googleusercontent.com, where users encounter a fake CAPTCHA verification designed to filter out automated security scanners while allowing real users to proceed.
After passing this validation layer, victims land on a convincing Microsoft 365 login page hosted on a non-Microsoft domain, where any entered credentials are captured by the attackers.
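The redirect chain above has a recognizable shape: a first hop on Google Cloud Storage, an intermediate hop on googleusercontent.com, and a final sign-in page on a host Microsoft does not use. The following Python is an added example written for this page (it is not Check Point's tooling and not code from Google or Microsoft) that scores a list of URLs captured in redirect order against that pattern, and applies the same "is this really a Microsoft login host" check the advice later in the article asks users to perform by hand. The sample chain, the bucket and path names, and the Microsoft login-host allowlist are constructed assumptions; the article names no final landing domain, so none is reproduced here.

```python
"""Score a redirect chain for the Google-storage -> CAPTCHA gate ->
off-brand Microsoft 365 login pattern.  Added illustration; the hosts in
CONSTRUCTED_CHAIN are made up for this example."""

from urllib.parse import urlparse

# Assumption: hosts Microsoft itself uses for interactive sign-in.  A real
# deployment would extend this with any federated IdP the tenant trusts.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Google Cloud Storage front doors that the lure links point at.
GOOGLE_STORAGE_HOSTS = {"storage.cloud.google.com", "storage.googleapis.com"}

# Substrings that make a path or query string look like a sign-in page.
LOGIN_HINTS = ("login", "signin", "sign-in", "auth", "office365", "microsoft")


def host_of(url: str) -> str:
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_subdomain_of(host: str, parent: str) -> bool:
    """True for parent itself and any label under it, not for look-alikes."""
    return host == parent or host.endswith("." + parent)


def looks_like_login(url: str) -> bool:
    """Heuristic: does the path/query advertise a sign-in page?"""
    parsed = urlparse(url)
    haystack = (parsed.path + "?" + parsed.query).lower()
    return any(hint in haystack for hint in LOGIN_HINTS)


def analyse_chain(chain):
    """Return (score, reasons) for URLs listed in the order they were visited."""
    if not chain:
        return 0, ["empty chain"]
    hosts = [host_of(u) for u in chain]
    score, reasons = 0, []

    if hosts[0] in GOOGLE_STORAGE_HOSTS:
        score += 1
        reasons.append("first hop is Google Cloud Storage")

    # The fake CAPTCHA gate sits on googleusercontent.com; it cannot be
    # recognised from the URL alone, so only the hop itself is scored.
    if any(is_subdomain_of(h, "googleusercontent.com") for h in hosts[1:-1]):
        score += 1
        reasons.append("intermediate hop on googleusercontent.com")

    final_url, final_host = chain[-1], hosts[-1]
    if looks_like_login(final_url) and final_host not in MICROSOFT_LOGIN_HOSTS:
        score += 2
        reasons.append(f"sign-in page on non-Microsoft host {final_host}")

    # A Google-branded lure that leaves Google entirely is the tell-tale.
    if hosts[0] in GOOGLE_STORAGE_HOSTS and not is_subdomain_of(final_host, "google.com"):
        score += 1
        reasons.append("Google-branded lure lands off Google")

    return score, reasons


def verdict(chain, threshold=3):
    """'suspicious' once the scored indicators reach the threshold."""
    score, _ = analyse_chain(chain)
    return "suspicious" if score >= threshold else "benign"


# Constructed sample chain modelled on the article's description; the hosts
# and paths are invented for this example.
CONSTRUCTED_CHAIN = [
    "https://storage.cloud.google.com/example-bucket/voicemail.html",
    "https://placeholder.googleusercontent.com/verify",
    "https://m365-login.example.net/office365/signin",
]

if __name__ == "__main__":
    score, reasons = analyse_chain(CONSTRUCTED_CHAIN)
    print(verdict(CONSTRUCTED_CHAIN), score, reasons)
```

The final-hop check is deliberately an exact-match allowlist rather than a "contains microsoft" test: a host such as m365-login.example.net, or any domain with microsoft somewhere in a subdomain label, must fail it. Feeding this the chain from a proxy log or sandbox detonation gives a first-pass triage signal; it is not a substitute for inspecting the landing page itself.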
Why This Campaign Works
Google Cloud Application Integration is a legitimate workflow automation tool that allows users to connect applications and automate business processes through point-and-click configurations.
New customers receive $300 in free credits, significantly lowering the barrier to entry for cybercriminals.
The platform's Send Email task, intended for legitimate system notifications, can be configured to send emails to arbitrary recipients, a capability the attackers exploited without compromising Google's infrastructure itself.
The use of authentic Google domains throughout multiple stages of the attack provides inherent credibility that helps bypass both technical security controls and human scrutiny, as users have been trained to trust communications from recognizable platforms.
Analysis reveals the campaign primarily targeted manufacturing and industrial organizations (19.6%), technology and SaaS companies (18.9%), and financial services firms (14.8%).
These sectors frequently use automated notifications and document-sharing workflows, making Google-branded alerts particularly convincing.
Geographically, nearly half of affected organizations were based in the United States (48.6%), followed by Asia-Pacific (20.7%) and Europe (19.8%).
Google’s Response
Google confirmed it has blocked several phishing campaigns involving the misuse of the email notification feature and implemented protections against this specific attack vector.
The company emphasized that the activity stemmed from abuse of a workflow automation tool rather than a compromise of Google’s infrastructure and stated it is taking additional steps to prevent further misuse.
Organizations and individuals should verify the actual domain of any login page before entering credentials. Password managers help here: they refuse to auto-fill a credential on a host that does not match the site it was saved for, so a Microsoft 365 password will not be offered to a look-alike page on a non-Microsoft domain.
Implementing multi-factor authentication (MFA) ensures stolen passwords alone cannot compromise accounts; phishing-resistant methods such as FIDO2 security keys or passkeys are preferable, because they bind the login to the genuine origin and cannot be replayed from a spoofed page, while one-time codes can still be relayed by a phishing site that proxies the real login. Regularly reviewing and removing unrecognized app permissions adds a further layer.
Users should approach urgent emails about voicemails or document shares with skepticism, even when they appear to originate from trusted brands. Instead of clicking email links, reaching the service directly through a bookmark or its application is the safer way to sign in.
This campaign underscores the evolving sophistication of phishing attacks and the persistent challenge of distinguishing legitimate automated communications from malicious impersonations, even when trusted infrastructure is involved.