Phishing Campaign Abuses Google Cloud to Impersonate Google Emails
- Jan 2
Key Findings
Cybersecurity researchers have uncovered a phishing campaign that abuses Google Cloud Application Integration to send emails impersonating legitimate Google messages.
The campaign used layered redirection, trusted cloud services, user validation checks, and brand impersonation to evade detection and increase phishing success.
Over a two-week period, the researchers observed nearly 9,400 phishing emails targeting approximately 3,200 customers across various industries.
The messages were sent from the legitimate Google address `noreply-application-integration@google.com`, increasing the likelihood of reaching end users' inboxes.
Background
The phishing campaign abused Google Cloud's Application Integration "Send Email" feature, a legitimate automation tool, to send emails from Google-owned domains without compromising Google itself. By misusing trusted cloud infrastructure, attackers bypassed sender reputation and domain-based defenses while impersonating authentic Google notifications.
Attack Methodology
The attack used a multi-stage redirection chain:
Links first pointed to `storage.cloud.google.com`, a legitimate Google Cloud URL, to build trust and avoid detection.
The link then redirected to `googleusercontent.com`, showing a fake CAPTCHA to evade automated scanners while letting real users continue.
Finally, users were sent to a counterfeit Microsoft login page on a non-Microsoft domain, where entered credentials were stolen.
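The redirection chain above can be turned into a mail-triage check. The following is an added example, not code from the researchers or from Google: the function names, the finding labels, the short Microsoft domain allowlist, and the sample message and URLs are all assumptions constructed for illustration, and the redirect chain and final page title are assumed to come from a URL sandbox.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

ABUSED_SENDER = "noreply-application-integration@google.com"  # from the article
FIRST_HOP = "storage.cloud.google.com"       # from the article
SECOND_HOP = "googleusercontent.com"         # from the article
# Assumption: minimal, non-exhaustive allowlist of genuine Microsoft sign-in domains.
MS_DOMAINS = ("microsoftonline.com", "live.com", "microsoft.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample data (not taken from the campaign).
SAMPLE_EMAIL = (
    "From: Google <noreply-application-integration@google.com>\n"
    "Subject: Notification\n\n"
    "View it here: https://storage.cloud.google.com/example-bucket/notice.html\n")
SAMPLE_CHAIN = ["https://storage.cloud.google.com/example-bucket/notice.html",
                "https://example-id.googleusercontent.com/verify",
                "https://signin.portal.example/login"]

def on_domain(host, domain):
    """Exact or subdomain match, so look-alike hostnames do not pass."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw_email, redirect_chain=(), final_title=""):
    """Findings for one message plus the redirect chain a URL sandbox recorded."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    links = [urlsplit(u).hostname for u in URL_RE.findall(body)]
    hops = [urlsplit(u).hostname for u in redirect_chain]
    findings = []
    # The sender alone is a legitimate Google feature; pair it with the link target.
    if sender == ABUSED_SENDER:
        findings.append("app-integration-sender")
        if any(on_domain(h, FIRST_HOP) for h in links):
            findings.append("cloud-storage-link")
    if (len(hops) >= 3 and on_domain(hops[0], FIRST_HOP)
            and any(on_domain(h, SECOND_HOP) for h in hops[1:-1])):
        findings.append("storage-to-usercontent-chain")
    if hops and "microsoft" in final_title.lower() and not any(
            on_domain(hops[-1], d) for d in MS_DOMAINS):
        findings.append("microsoft-login-off-domain")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL, SAMPLE_CHAIN, "Sign in to your Microsoft account"))
```

Because the sender address and both Google hostnames are legitimate, no single finding is a verdict; the combination of findings is what separates this chain from ordinary Application Integration mail.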
Targeted Sectors
The campaign primarily targeted manufacturing and industrial firms, followed by technology/SaaS and finance organizations.
Professional services, retail, media, education, healthcare, energy, government, and other sectors were also affected, with varying degrees of impact.
Most victims were based in the United States, with significant activity in Asia-Pacific and Europe, and smaller shares in Canada, Latin America, the Middle East, and Africa.
Google's Response
In response to the findings, Google has blocked several phishing campaigns involving the misuse of the email notification feature within Google Cloud Application Integration. The company stated that it is taking additional steps to prevent further misuse of its services.
Sources
https://securityaffairs.com/186425/cyber-crime/phishing-campaign-abuses-google-cloud-application-to-impersonate-legitimate-google-emails.html
https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html
https://www.techradar.com/pro/security/yet-another-phishing-campaign-impersonates-trusted-google-services-heres-what-we-know

