Introduction

Cybersecurity researchers have uncovered a highly sophisticated phishing operation that abuses legitimate cloud automation features within Google Cloud to distribute large-scale phishing emails. By leveraging trusted Google-owned infrastructure, threat actors were able to evade traditional email security controls and deliver convincing lures directly to user inboxes.

Background and Context

According to findings disclosed by Check Point, the campaign abused Google Cloud Application Integration to send phishing emails that appeared indistinguishable from genuine Google-generated notifications. The messages originated from a legitimate Google address, noreply-application-integration@google.com, significantly increasing their credibility and delivery success.

Over a 14-day observation period in December 2025, researchers recorded 9,394 phishing emails sent to approximately 3,200 targeted users across the United States, Europe, Asia-Pacific, Canada, and Latin America.

Technical Details of the Attack

At the core of the operation was the misuse of the Application Integration “Send Email” task, a feature designed to allow organizations to send automated notifications. Although the service limits each task to 30 recipients, attackers repeatedly abused the functionality to scale the campaign.

Because the emails were sent from Google-owned domains, they effectively bypassed SPF and DMARC checks, allowing them to slip past many secure email gateways. The phishing messages closely mirrored standard Google alert formats, commonly referencing voicemail notifications or shared document access requests such as Q4 files.

Multi-Stage Attack Chain

The phishing workflow relied on a carefully orchestrated redirection sequence:

• Victims clicked links hosted on storage.cloud.google.com, a legitimate Google Cloud service.
• Users were then redirected to googleusercontent.com, where a fake CAPTCHA or image-based verification was displayed. This step filtered out automated scanners while allowing real users to proceed.
• After validation, victims were redirected to a counterfeit Microsoft login page hosted on a non-Microsoft domain, designed to harvest credentials.

This layered approach leveraged trusted cloud platforms at every step, reducing user suspicion and complicating detection.

Update: Expanded Scope and OAuth Abuse

Further analysis by xorlab and Ravenmail revealed additional capabilities within the campaign. Beyond credential harvesting, attackers were observed conducting OAuth consent phishing, tricking victims into granting a malicious Azure AD application persistent access to cloud resources.

In some cases, fake login pages were hosted on Amazon Web Services S3 buckets. Once consent was granted, attackers gained delegated access to Azure subscriptions, virtual machines, storage, and databases, with persistence maintained through access and refresh tokens.

Impact and Targeted Sectors

The campaign primarily targeted manufacturing, technology, financial services, professional services, and retail organizations. However, additional sectors including healthcare, education, media, energy, government, travel, and transportation were also affected.

These industries commonly rely on automated notifications and shared cloud workflows, making Google-branded alerts particularly effective as social engineering lures.

Response and Mitigation

Google confirmed that it has blocked the abusive activity associated with the Application Integration email feature and stated that additional safeguards are being implemented to prevent similar misuse in the future.

Security teams are advised to reinforce user awareness training, closely monitor OAuth consent activity, and apply conditional access controls to reduce the risk of credential compromise.

Expert Commentary

This campaign demonstrates a growing trend where attackers weaponize legitimate cloud automation and trusted infrastructure rather than relying on traditional spoofing techniques. By chaining together services from Google, Microsoft, and AWS, adversaries create resilient phishing paths that are difficult to disrupt at a single control point.

Outlook

As cloud adoption continues to accelerate, defenders must anticipate further abuse of native automation and notification features. Continuous monitoring, zero-trust access policies, and improved visibility into third-party app permissions will be critical to countering next-generation phishing threats.