
Cybersecurity researchers have detailed a phishing campaign in which attackers exploited Google Cloud’s application integration services to distribute emails that masqueraded as legitimate messages generated by Google.
According to Check Point, this activity leverages the trust associated with Google Cloud infrastructure to send messages from a legitimate email address (“noreply-application-integration@google[.]com”), giving them a better chance of bypassing traditional email security filters and reaching users’ inboxes.
“This email mimics routine corporate notifications, such as voicemail alerts or requests to access files or permissions, and appears normal and trustworthy to the recipient,” the cybersecurity firm said.
Over a 14-day period in December 2025, attackers were observed sending 9,394 phishing emails targeting approximately 3,200 customers, with affected organizations located in the United States, Asia Pacific, Europe, Canada, and Latin America.

At the heart of this campaign is the exploitation of Application Integration’s “Send Email” task, which allows users to send custom email notifications from an integration. Google says in its support documentation that you can only add up to 30 recipients to a task.
The fact that these emails can be configured to be sent to any email address indicates that attackers can exploit legitimate automation to send emails from Google-owned domains, effectively bypassing DMARC and SPF checks.
“To further enhance authenticity, the email closely followed Google’s notification style and structure, including familiar format and language,” Check Point said. “These decoys typically refer to a voicemail message or claim that the recipient has permission to access shared files or documents (for example, accessing the ‘Q4’ file), prompting the recipient to take immediate action by clicking on the embedded link.”
The attack chain is a multi-step redirect flow that begins when an email recipient clicks a link hosted on storage.cloud.google[.]com, which is also a trusted Google Cloud service. This is seen as another effort to reduce user suspicion and provide a semblance of legitimacy.
This link redirects the user to content served from googleusercontent[.]com, which presents a fake CAPTCHA or image-based verification. The check blocks automated scanners and security tools from scrutinizing the attack infrastructure while acting as a barrier that lets real users through.
Once the verification phase is complete, the user is directed to a fake Microsoft login page hosted on a non-Microsoft domain, ultimately stealing the credentials entered by the victim.
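
Because these messages pass SPF and DMARC, triage has to key on the sender, the link hosts, and the lure themes described above rather than on authentication failures. The following Python is an added example, not code from Check Point or Google; the `triage` function, the lure keyword list, and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender and link hosts named in the article (written here without defanging).
ABUSED_SENDER = "noreply-application-integration@google.com"
GOOGLE_HOSTED = ("storage.cloud.google.com", "googleusercontent.com")
# Lure themes from the article; the exact keyword list is an assumption.
LURE_WORDS = ("voicemail", "shared file", "shared document", "permission")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def triage(raw_message: str) -> dict:
    """Score one single-part message against the traits described above."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    hosted_links = [h for h in hosts
                    if any(h == g or h.endswith("." + g) for g in GOOGLE_HOSTED)]
    result = {
        "integration_sender": sender == ABUSED_SENDER,
        # A pass here is expected: the mail really does come from Google.
        "auth_pass": "dmarc=pass" in auth and "spf=pass" in auth,
        "google_hosted_links": hosted_links,
        "lures": [w for w in LURE_WORDS if w in text],
    }
    # Escalate on content, not on authentication failure.
    result["escalate"] = bool(result["integration_sender"]
                              and hosted_links and result["lures"])
    return result

# Constructed sample message (placeholder bucket and recipient).
SAMPLE = """\
From: Google Cloud <noreply-application-integration@google.com>
To: user@example.org
Subject: New voicemail received
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=google.com; dmarc=pass header.from=google.com

You have a new voicemail. Listen here:
https://storage.cloud.google.com/example-bucket/voicemail.html
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message that escalates here still needs its link followed in a sandbox to confirm whether the chain ends at a login page on a non-Microsoft domain.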

In response to the findings, Google said that it will stop phishing attempts that exploit the email notification feature within Google Cloud Application Integration and will take additional steps to prevent further abuse.
Check Point’s analysis reveals that the campaign primarily targets manufacturing, technology, finance, professional services, and retail industries, but also names other industries such as media, education, healthcare, energy, government, travel, and transportation.
“Google-branded alerts are particularly compelling because these areas typically rely on automated notifications, shared documents, and permission-based workflows,” it added. “This campaign highlights how attackers can exploit legitimate cloud automation and workflow capabilities to distribute phishing at scale without traditional spoofing.”
