Phishing Campaign Abuses Google Cloud Application Integration to Impersonate Google Emails
Cybercriminals have launched a sophisticated phishing campaign that exploits Google Cloud's Application Integration service to send emails that closely mimic legitimate Google notifications. By leveraging the service's "Send Email" task, attackers are able to distribute messages from the trusted noreply-application-integration@google.com address, effectively bypassing traditional email security measures such as DMARC and SPF. The phishing emails are crafted to resemble routine enterprise communications, including voicemail alerts and file access requests, increasing the likelihood that recipients will trust and interact with them. Over a two-week period, nearly 9,400 phishing emails targeted approximately 3,200 organizations across the U.S., Asia-Pacific, Europe, Canada, and Latin America.
The attack chain employs a multi-stage redirection process to evade detection and maximize credential theft. Initial links in the emails direct users to legitimate Google Cloud URLs (storage.cloud.google.com), followed by a redirection to googleusercontent.com where a fake CAPTCHA is presented to bypass automated scanners. The final stage leads victims to a counterfeit Microsoft login page hosted on a non-Microsoft domain, designed to harvest user credentials. This campaign demonstrates the increasing abuse of trusted cloud infrastructure for phishing, highlighting the need for organizations to scrutinize even seemingly authentic emails originating from reputable domains.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Google blocks the email-feature abuse and adds protections
Google confirmed the attackers had misused a workflow automation tool and stated that its infrastructure was not compromised. The company said it had blocked the abuse of the notification capability and implemented additional safeguards against this attack path.
Researchers detect and publicly disclose the Google cloud phishing campaign
On January 2, 2026, multiple security reports disclosed the campaign after researchers including Check Point identified nearly 9,400 phishing emails sent over roughly two weeks. The disclosures highlighted abuse of Google's workflow automation tools rather than a compromise of Google's infrastructure.
Attackers use multi-stage Google-hosted redirects to steal credentials
During the campaign, victims were routed through trusted Google services such as Google Cloud Storage and googleusercontent.com, sometimes via fake CAPTCHA or verification pages, before reaching counterfeit Microsoft 365 or Google login pages. The technique helped the phishing emails bypass SPF, DMARC, and reputation-based defenses while harvesting credentials and, in some cases, enabling OAuth abuse.
Phishing campaign abuses Google Cloud email features in December 2025
In December 2025, attackers launched a large-scale phishing campaign using Google Cloud Application Integration to send emails from legitimate Google-owned addresses. The operation targeted more than 3,000 organizations or customers across multiple regions and industries, especially manufacturing, technology, finance, and related sectors.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Threat Actors Leversges Google Cloud Services to Steal Microsoft 365 Logins
cybersecuritynews.com
Open sourceNew Sophisticated Phishing Attack Mimic as Google Support to Steal Logins
cybersecuritynews.com
Open sourceTrusted Google Notifications Used in Phishing Campaign Targeting 3,000+ Orgs
techrepublic.com
Open sourceGoogle Cloud Application Integration Exploited in Sophisticated Multi-Stage Phishing Campaign Targeting Microsoft 365 Credentials
rescana.com
Open sourceHackers Abusing Google Tasks Notification for Sophisticated Phishing Attack
cybersecuritynews.com
Open sourceCybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign
thehackernews.com
Open sourcePhishing campaign abuses Google Cloud Application to impersonate legitimate Google emails
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaign Impersonates Google Careers to Steal Credentials
Threat actors are conducting a phishing campaign that impersonates Google Careers recruiters to target job seekers. The attackers send messages that appear to be outreach from Google’s recruiting team, often asking if the recipient is open to a conversation. Victims are directed to a landing page designed to mimic Google’s meeting scheduler, which then leads to a fake Google login page. The primary goal is to harvest Google account credentials, along with personal information such as names, email addresses, and phone numbers. Researchers have observed that the campaign is actively evolving, with threat actors refining their tactics to evade detection and using newly registered domains that closely resemble legitimate Google infrastructure. The phishing emails are being distributed in multiple languages, including English, Spanish, and Swedish, and employ various evasion techniques such as HTML tricks to bypass email security scanners. Notable red flags include brand impersonation, domain deception, urgent response requests, and misalignment between the claimed sender and the actual sender domain. The campaign relies heavily on social engineering and exploits the urgency and excitement associated with job offers to trick victims into divulging sensitive information. Security experts recommend heightened vigilance and security awareness training to help users recognize and avoid such scams.
Mar 21, 2026
GTFire Phishing Scheme Uses Google Services to Evade Detection
Group-IB reported on a phishing operation tracked as **GTFire** that abuses trusted Google services to reduce suspicion and bypass security controls. The campaign uses legitimate Google infrastructure as part of its delivery or redirection chain, allowing phishing content and lures to blend in with normal enterprise traffic and making detection more difficult for defenders. The activity highlights a broader attacker tactic of hiding malicious workflows behind reputable cloud platforms that users and security tools often implicitly trust. For CISOs and security teams, the incident underscores the need to inspect links and redirects involving trusted SaaS domains, strengthen phishing-resistant authentication, and tune email and web defenses to detect abuse of legitimate services rather than relying solely on domain reputation.
May 27, 2026
Phishing Campaigns Exploiting Trusted Brands and Services
Threat actors have intensified their use of phishing campaigns by impersonating well-known brands and trusted online services to deceive victims and steal sensitive credentials. In one campaign identified by the Cofense Phishing Defense Center, attackers targeted individuals in social media and marketing roles by sending fake job application emails that appeared to originate from major companies such as Red Bull, Tesla, Google, and Ferrari. These emails used convincing language and branding, including up-to-date logos and tailored subdomains, to increase their legitimacy and lure recipients into clicking malicious links. The attackers further enhanced the credibility of their messages by spoofing the sender address to appear as if it came from a legitimate domain, such as Xero, which has been abused in previous phishing incidents. The phishing process often began with a CAPTCHA page to create a sense of security before redirecting victims to fraudulent login pages designed to harvest credentials. This approach demonstrates a sophisticated understanding of social engineering tactics and the value of resume and personal information in targeting specific job seekers. In a separate but similarly themed incident, a Malwarebytes employee was targeted by a phishing email that impersonated 1Password, a popular password manager. The email falsely claimed that the recipient's 1Password account had been compromised and urged immediate action, including changing the account password and enabling two-factor authentication. The message mimicked legitimate security alerts, referencing 1Password's Watchtower feature, but included subtle red flags such as a sender address not associated with 1Password and a malicious link disguised as a legitimate action button. The phishing link directed users to a typosquatted domain, onepass-word[.]com, rather than the official 1Password website. Interestingly, the email's 'Contact us' link routed through a legitimate support page but used a redirect service, further complicating detection. The use of Mandrillapp, a transactional email delivery service, added another layer of apparent legitimacy to the phishing attempt. Both campaigns highlight the increasing sophistication of phishing attacks, with threat actors leveraging trusted brands and services to bypass security filters and exploit user trust. The attackers' use of brand-specific subdomains, authentic-looking graphics, and familiar communication styles makes these phishing emails particularly convincing. By targeting individuals with tailored messages, such as job seekers or users of specific online services, the campaigns increase the likelihood of successful credential theft. The abuse of legitimate infrastructure, such as Xero's email services and Mandrillapp, demonstrates how attackers can exploit trusted platforms to evade detection. Security teams are advised to educate users about the signs of phishing, including checking sender addresses, scrutinizing URLs, and being wary of urgent requests for sensitive information. Organizations should also monitor for abuse of their brand in phishing campaigns and work with email providers to block malicious domains. The incidents underscore the need for robust email security solutions and ongoing vigilance against evolving social engineering tactics. As phishing campaigns continue to evolve, both individuals and organizations must remain alert to the latest techniques used by cybercriminals to compromise accounts and steal valuable data.
Mar 21, 2026