Threat Actors Leverage Google Cloud Services to Steal Microsoft 365 Logins

A sophisticated new phishing campaign has emerged, leveraging the trusted infrastructure of Google Cloud services to bypass security filters and steal sensitive Microsoft 365 login credentials.

By abusing legitimate workflow automation tools, threat actors are crafting convincing attacks that blend seamlessly with authentic communications, making detection increasingly difficult for both automated systems and end-users.

This campaign specifically targets organizations relying on cloud-based collaboration platforms, exploiting the interoperability between major service providers to facilitate credential harvesting on a massive scale.

The core of this attack involves the exploitation of Google Cloud Application Integration, a service designed for automating business processes.

Attackers utilize the “Send Email” feature within this platform to generate phishing emails that appear to originate from a genuine Google address: noreply-application-integration@google[.]com.

Because these emails come from a verified Google domain and utilize a point-and-click configuration system, they easily evade standard spam filters and leverage the inherent trust associated with the tech giant’s infrastructure to deceive targets.


Malwarebytes researchers identified that this method significantly lowers the barrier to entry for cybercriminals, especially since new Google Cloud customers currently receive free credits which attackers abuse.

The impact of this campaign is severe, as it exposes critical corporate credentials to theft. Once the initial email is delivered, unsuspecting users are presented with what appears to be a routine notification, such as a voicemail alert or a document permission request, further legitimizing the malicious correspondence.

The Infection Mechanism

The attack employs a clever multi-stage infection mechanism to evade detection. When a victim clicks the link in the phishing email, they are not immediately taken to a malicious site.

Instead, they are directed to a legitimate Google Cloud Storage URL, which reinforces the illusion of safety.

From there, the user is redirected to another Google-owned domain, googleusercontent[.]com, which displays a CAPTCHA or “I’m not a robot” image check.

This intermediate step serves two critical purposes: it successfully filters out automated security crawlers that might flag the phishing site and psychologically primes the victim to comply.

Upon passing the check, the target is finally redirected to a fraudulent Microsoft 365 sign-in page designed to capture usernames and passwords. Although this page visually mimics the official portal, a close inspection of the web address reveals its malicious nature.

Google has acknowledged this abuse and stated that they have blocked several associated campaigns, clarifying that this activity stems from the misuse of a workflow automation tool rather than a compromise of their infrastructure.

Security professionals are advised to inspect URLs carefully, as the final landing page is hosted on non-official domains, and to implement robust multi-factor authentication to protect user accounts.
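The redirect chain described above (Application Integration sender, Google Cloud Storage hop, googleusercontent.com CAPTCHA gate, then a sign-in page off Microsoft's domains) can be checked mechanically against proxy or sandbox click records. The following is an added detection example, not code from Malwarebytes or the article; the Cloud Storage hostnames, the Microsoft login allowlist and the record layout are assumptions.

```python
from urllib.parse import urlparse

# Sender the article says the "Send Email" feature produces.
ABUSED_SENDER = "noreply-application-integration@google.com"
# Google-hosted hop names (assumed; the article names only "a Google Cloud
# Storage URL" and googleusercontent.com).
GCS_SUFFIXES = ("storage.googleapis.com", "storage.cloud.google.com")
CAPTCHA_SUFFIX = "googleusercontent.com"
# Hosts that legitimately serve a Microsoft 365 sign-in page (assumed allowlist).
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def under(host: str, suffix: str) -> bool:
    """True if host is suffix itself or a subdomain of it (not a look-alike)."""
    return host == suffix or host.endswith("." + suffix)

def classify_chain(sender: str, chain: list[str]) -> tuple[bool, list[str]]:
    """Score one click chain (email link -> ... -> final landing page).
    Flagged when the final page is outside Microsoft's login hosts AND at
    least one Google-hosted hop of the described campaign precedes it."""
    reasons: list[str] = []
    if not chain:
        return False, reasons
    hosts = [host_of(u) for u in chain]
    if sender.lower() == ABUSED_SENDER:
        reasons.append("sender is the Application Integration notification address")
    if any(under(hosts[0], s) for s in GCS_SUFFIXES):
        reasons.append("first hop is a Google Cloud Storage object")
    if any(under(h, CAPTCHA_SUFFIX) for h in hosts[1:-1]):
        reasons.append("intermediate hop on googleusercontent.com (CAPTCHA gate)")
    google_indicators = len(reasons)
    if hosts[-1] in MS_LOGIN_HOSTS:
        return False, reasons  # landed on the genuine portal
    reasons.append(f"final landing page {hosts[-1]} is not a Microsoft login host")
    return google_indicators > 0, reasons

# Constructed sample records (not real indicators): one chain with the campaign's
# shape, one benign link straight to the real Microsoft portal.
SAMPLE_EVENTS = [
    {"sender": ABUSED_SENDER,
     "chain": ["https://storage.googleapis.com/bucket-placeholder/voicemail.html",
               "https://lh3.googleusercontent.com/captcha-placeholder",
               "https://m365-signin.invalid/login"]},
    {"sender": "it-helpdesk@contoso.invalid",
     "chain": ["https://login.microsoftonline.com/common/oauth2/v2.0/authorize"]},
]
```

A chain that ends on a genuine Microsoft login host is never flagged, even when it starts from the abused sender, so routine Google notifications that link to real portals do not generate noise.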
