Cybersecurity researchers have uncovered a phishing campaign that exploits Google Cloud’s Application Integration service to send emails impersonating legitimate Google notifications.
According to Check Point, attackers leverage the trust associated with Google’s infrastructure by sending messages from a genuine Google email address (noreply-application-integration@google[.]com). This tactic allows the emails to bypass traditional security filters and reach users’ inboxes.
The phishing emails mimic routine enterprise alerts—such as voicemail notifications or file-sharing requests—making them appear authentic and trustworthy. During a 14-day observation period in December 2025, researchers recorded 9,394 phishing emails targeting roughly 3,200 customers across the U.S., Europe, Asia-Pacific, Canada, and Latin America.
At the core of the campaign is the abuse of Application Integration’s “Send Email” task, which enables custom email notifications from integrations. Although Google’s documentation limits this feature to 30 recipients per task, attackers configured it to send messages to arbitrary addresses, effectively bypassing DMARC and SPF checks by using Google-owned domains.
To enhance credibility, the emails closely replicate Google’s notification style and language. Common lures include references to voicemail messages or claims that recipients have been granted access to shared files—such as a “Q4” document—prompting users to click embedded links.
Attack Chain
- Initial Click: Victims click a link hosted on storage.cloud.google[.]com, a trusted Google Cloud service.
- Redirection: The link forwards users to content on googleusercontent[.]com, where they encounter a fake CAPTCHA or image-based verification. This step blocks automated scanners while allowing real users to proceed.
- Credential Theft: After verification, victims land on a fake Microsoft login page hosted on a non-Microsoft domain, where attackers steal entered credentials.
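Because these messages genuinely originate from Google, SPF and DMARC results cannot separate them from legitimate notifications; a triage rule has to key on the Application Integration sender combined with the Cloud Storage link from the first step of the chain. The following is an added detection sketch, not code from Check Point or Google: the function names are hypothetical, the sample messages are constructed, and it assumes the receiving server records an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender and link host named in the article (defanged there, re-fanged here for matching).
AI_SENDER = "noreply-application-integration@google.com"
LURE_HOSTS = {"storage.cloud.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)\[\]]+", re.I)

def auth_passed(msg):
    """True when the receiver recorded SPF and DMARC passes."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dmarc=pass" in results

def link_hosts(msg):
    """Hostnames of every http(s) URL found in the text parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        hosts.update((urlsplit(u).hostname or "").lower() for u in URL_RE.findall(text))
    return hosts

def triage(raw_message):
    """Return (verdict, auth_passed); the verdict never depends on auth results."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != AI_SENDER:
        verdict = "pass"
    elif link_hosts(msg) & LURE_HOSTS:
        verdict = "quarantine"  # integration sender plus Cloud Storage link: the chain above
    else:
        verdict = "review"      # same sender is also used by legitimate integrations
    return verdict, auth_passed(msg)

# Constructed sample messages (not captured from the campaign).
HEADERS = "Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass\n"
LURE = (HEADERS + "From: Google <" + AI_SENDER + ">\nSubject: New voicemail\n\n"
        "Listen: https://storage.cloud.google.com/constructed-bucket/vm.html\n")
BENIGN = HEADERS + "From: " + AI_SENDER + "\nSubject: Job finished\n\nNo links here.\n"
OTHER = HEADERS + "From: it@example.test\nSubject: Hi\n\nSee https://example.test/doc\n"

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN), ("other", OTHER)):
        print(name, triage(raw))
```

All three samples report passing authentication, yet only the first is quarantined, which is why the rule ignores the authentication result when choosing a verdict.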
Response and Impact
Google has since blocked abuse of the email notification feature and is implementing additional safeguards.
Check Point reports that the campaign primarily targeted manufacturing, technology, finance, professional services, and retail, but also affected sectors like media, education, healthcare, energy, government, travel, and transportation. “These industries rely heavily on automated notifications and permission-based workflows, making Google-branded alerts highly convincing,” Check Point noted.
The campaign demonstrates how attackers can weaponize legitimate cloud automation features to scale phishing without traditional spoofing.
Update: OAuth Consent Phishing
Further analysis by xorlab and Ravenmail reveals that attackers also use OAuth consent phishing, hosting fake login pages on AWS S3 buckets. Victims are tricked into granting a malicious Azure AD application access to their cloud resources, enabling attackers to control Azure subscriptions, VMs, storage, and databases via persistent delegated permissions. “Each stage of the attack leverages trusted infrastructure—Google, Microsoft, AWS—making detection and blocking extremely difficult,” xorlab said. Ultimately, victims are funneled to a Microsoft 365 login page, confirming that M365 credentials are the attackers’ primary target.

