GTFire Phishing Scheme Uses Google Services to Evade Detection
Group-IB reported on a phishing operation tracked as GTFire that abuses trusted Google services to reduce suspicion and bypass security controls. The campaign uses legitimate Google infrastructure as part of its delivery or redirection chain, allowing phishing content and lures to blend in with normal enterprise traffic and making detection more difficult for defenders.
The activity highlights a broader attacker tactic of hiding malicious workflows behind reputable cloud platforms that users and security tools often implicitly trust. For CISOs and security teams, the incident underscores the need to inspect links and redirects involving trusted SaaS domains, strengthen phishing-resistant authentication, and tune email and web defenses to detect abuse of legitimate services rather than relying solely on domain reputation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
KnowBe4 ThreatLabs reports Google redirect phishing campaign
KnowBe4 ThreatLabs reported an active phishing campaign that chained legitimate Google services, including Google Meet, Google Search Redirect, and Google Ad Service, to conceal malicious destinations from email security tools. The campaign used lures such as fake FedEx, DocuSign, Microsoft 365 expiry, remittance, and QR-code emails, leading victims to credential theft pages or fake OneDrive device code phishing flows.
Group-IB publishes analysis of the GTFire phishing scheme
Group-IB published a blog post describing the GTFire phishing scheme and its use of Google services to avoid detection. No earlier discrete events are available from the provided reference content.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing campaigns abuse trusted platforms and authentication flows to evade detection and steal credentials
Multiple active phishing operations are leveraging *trusted services* and *by-design web/authentication features* to bypass security controls and harvest credentials and MFA data. **GTFire** is a large-scale credential-harvesting campaign that hides behind legitimate Google-owned domains by abusing **Firebase** and **Google Translate** to make phishing links appear trustworthy to email filters and web gateways; victims are sent to brand-impersonation login pages and then redirected to the real site after submitting credentials. Separately, Microsoft reported phishing that abuses **OAuth redirection** behavior in identity providers (including **Microsoft Entra ID** and **Google Workspace**) by registering malicious OAuth apps with attacker-controlled redirect URIs and using silent auth flows/invalid scopes to bounce users to attacker infrastructure; Microsoft disabled the identified malicious Entra OAuth applications but noted related activity continues and requires monitoring. A distinct but thematically similar campaign uses a fake Google Account security site to trick users into installing a **malicious Progressive Web App (PWA)** that can steal one-time passcodes (via **WebOTP** where supported), harvest data (e.g., clipboard contents), and even turn the victim’s browser into an attacker-controlled **proxy** with internal port-scanning capability; Malwarebytes-linked reporting highlighted the lure domain `google-prism[.]com` and the use of permission prompts (notifications/clipboard) to enable ongoing abuse. Other items in the set cover unrelated threats (Android malware using generative AI for persistence, an Iraq-focused APT toolchain, a separate AiTM phishing-kit attribution case study, and research on a cybercrime infrastructure provider), and do not describe the same specific phishing operations described above.
Mar 21, 2026
Phishing Campaign Abuses Google Cloud Application Integration to Impersonate Google Emails
Cybercriminals have launched a sophisticated phishing campaign that exploits Google Cloud's Application Integration service to send emails that closely mimic legitimate Google notifications. By leveraging the service's "Send Email" task, attackers are able to distribute messages from the trusted `noreply-application-integration@google.com` address, effectively bypassing traditional email security measures such as DMARC and SPF. The phishing emails are crafted to resemble routine enterprise communications, including voicemail alerts and file access requests, increasing the likelihood that recipients will trust and interact with them. Over a two-week period, nearly 9,400 phishing emails targeted approximately 3,200 organizations across the U.S., Asia-Pacific, Europe, Canada, and Latin America. The attack chain employs a multi-stage redirection process to evade detection and maximize credential theft. Initial links in the emails direct users to legitimate Google Cloud URLs (`storage.cloud.google.com`), followed by a redirection to `googleusercontent.com` where a fake CAPTCHA is presented to bypass automated scanners. The final stage leads victims to a counterfeit Microsoft login page hosted on a non-Microsoft domain, designed to harvest user credentials. This campaign demonstrates the increasing abuse of trusted cloud infrastructure for phishing, highlighting the need for organizations to scrutinize even seemingly authentic emails originating from reputable domains.
Mar 21, 2026
Phishing Campaigns Evade Detection by Abusing AI and Trusted Email Security Controls
Security researchers reported multiple **phishing evasion** techniques designed to defeat modern email and AI-assisted defenses rather than relying only on traditional lure quality. One campaign analyzed by KnowBe4 used **graymail-style content padding** and extreme whitespace insertion to manipulate NLP-based email security tools, placing benign promotional text, legitimate signatures, and trusted links far below the visible phishing lure so scanners would weigh the message as less malicious. A separate LevelBlue-tracked trend showed attackers abusing enterprise **URL rewriting** and *Safe Links*-style protections by sending phishing through compromised accounts, causing security gateways to generate trusted wrapped URLs that could then be reused in campaigns targeting **Microsoft 365** users. The activity reflects a broader shift toward exploiting the gap between what users see and what automated systems inspect. In the URL-rewriting abuse, operators tied to **Tycoon2FA** and **Sneaky2FA** built multi-layer redirect chains across several trusted vendor domains to obscure final destinations and steal credentials and MFA session cookies through adversary-in-the-middle infrastructure, enabling account takeover, internal phishing, data theft, and sometimes ransomware follow-on activity. Related research from LayerX showed a different but thematically aligned evasion method in which **font rendering and CSS** make webpages display malicious commands to users while AI assistants parsing the underlying HTML see only harmless text, underscoring that attackers are increasingly targeting AI and trust-based inspection layers as part of phishing and social-engineering operations.
Mar 21, 2026