Yet another phishing campaign impersonates trusted Google services - here's what we know
Date:
Mon, 29 Dec 2025 17:40:00 +0000
Description:
Google Cloud Application Integration is being abused to generate phishing emails leading victims to fake Microsoft login sites.
FULL STORY ======================================================================Attacker s abused Google Cloud Application Integration to send phishing emails from legitimate Google domains Emails mimicked Google notifications, redirecting victims through trusted services Nearly 3,200 businesses targeted; most victims in U.S. manufacturing, tech, and finance sectors
Legitimate Google services are, once again, being abused in phishing attacks, successfully tricking targets into clicking malicious links and giving away their login credentials.
In a newly released report, cybersecurity researchers from Check Point said theyve seen almost 10,000 emails, being sent to roughly 3,200 businesses in a span of two weeks.
All of the messages were sent from the email account
noreply-application-integration@google.com, meaning the attackers were
abusing Google Cloud Application Integration. Targeting manufacturing in the US
This is a managed Google Cloud service that connects applications, APIs, and data sources without needing to write custom code. It lets organizations automate workflows between cloud services, SaaS apps, and internal systems using prebuilt connectors, triggers, and actions. Emails generated through Google Cloud Application Integration often originate from Google-owned infrastructure and domains, meaning theyre sent as part of an automated workflow and can inherit Googles strong sender reputation.
In phishing campaigns, threat actors can create or compromise a Google Cloud project and configure an integration workflow that sends emails via Gmail
APIs or other connected email services. In other words, this is simple abuse
- not a breach in Googles infrastructure.
To make the emails seem even more plausible, the attackers made sure the messages closely followed Googles notification style, language, and formatting. The most common lures include pending voicemail messages, or notifications about being shared a document.
The link shared in these emails leads to storage.google.cloud.com which is a trusted Google Cloud service. However, it then redirects to googleusercontent.com, where they need to pass a fake CAPTCHA built to block security scanners. Finally, the victims are redirected to a fake Microsoft login page, where they can be tricked into giving away their login credentials.
The majority of the victims were in the United States (48.6%), working in manufacturing/industrial (19.6%), technology/SaaS (18.9%), and finance/banking/insurance (14.8%).
Google told Check Point several phishing campaigns abusing Google Cloud Application Integration were already blocked.
Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Googles infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further misuse, Google concluded.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the
Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/yet-another-phishing-campaign-impersona tes-trusted-google-services-heres-what-we-know
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)