Cybercriminals abuse Google Cloud feature to execute highly convincing phishing campaign
- Marijan Hassan - Tech Journalist
- 1 day ago
Check Point uncovers multi-stage attack using Application Integration service to send emails from trusted Google address.

Cybersecurity firm Check Point has uncovered details of a highly convincing and sophisticated phishing campaign that leverages a legitimate workflow feature within Google Cloud to bypass traditional email security filters and impersonate genuine Google notifications.
The attack, which sent nearly 9,400 phishing emails targeting approximately 3,200 organisations across manufacturing, technology, and finance sectors in December 2025, exploits the trust associated with Google's infrastructure.
The abuse of application integration
The core of the attack lies in the abuse of Google Cloud's Application Integration service, a tool meant for workflow automation and system notifications.
The attackers utilised the service’s "Send Email" task to configure custom notifications that were sent from a legitimate Google-owned address:
noreply-application-integration@google[.]com.
Because the emails originated from an authentic Google domain and infrastructure, they passed crucial email authentication checks like DMARC and SPF, which security systems rely on to spot spoofed messages, and so were not flagged.
The lure
The phishing emails were meticulously crafted to mimic routine enterprise alerts, such as voicemail notifications or urgent file access and permission requests for documents with names like "Q4." This close adherence to Google's style and language made them appear highly trustworthy.
The multi-stage credential harvesting chain
The campaign relied on a multi-layered redirection flow designed to lower user suspicion and evade automated scanners:
- Trusted initial click: The link embedded in the phishing email was hosted on another trusted Google Cloud service, storage.cloud.google[.]com. Using a legitimate Google URL as the first stop significantly reduces the chance of detection by URL reputation filters.
- Bot blocker: The user was then redirected to content served from googleusercontent[.]com, where they were presented with a fake CAPTCHA or image-based verification. This barrier's sole purpose was to block automated security scanners from analyzing the final malicious destination.
- Final harvest: Once the user completed the fake validation, they were taken to a counterfeit Microsoft login page hosted on a non-Microsoft domain, where any entered credentials were stolen.
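Because SPF and DMARC pass for these messages, mail triage has to key on the sender address and the first-hop link host reported above. The following Python sketch is an added example, not Check Point's or Google's code; the verdict names, the `triage` function and both sample messages (including `example-bucket`) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators from the article, written without defanging so they can be matched.
ABUSED_SENDER = "noreply-application-integration@google.com"
FIRST_HOP_HOSTS = {"storage.cloud.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def triage(raw: str) -> dict:
    """Classify one raw message by the campaign traits the article describes."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text += data.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    from_task = sender == ABUSED_SENDER
    first_hop = sorted(hosts & FIRST_HOP_HOSTS)
    # SPF and DMARC pass for these messages, so the result is reported
    # but never used to clear a message.
    if from_task and first_hop:
        verdict = "quarantine"
    elif from_task:
        verdict = "review"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "first_hop": first_hop,
            "auth_pass": "spf=pass" in auth and "dmarc=pass" in auth}

# Constructed sample messages (not taken from the campaign).
SAMPLE_LURE = (
    "From: Google <noreply-application-integration@google.com>\n"
    "Subject: New voicemail\n"
    "Authentication-Results: mx.example.org; spf=pass; dmarc=pass\n"
    "\n"
    "Listen: https://storage.cloud.google.com/example-bucket/vm.html\n")
SAMPLE_OTHER = (
    "From: Billing <billing@example.com>\n"
    "Authentication-Results: mx.example.org; spf=pass; dmarc=pass\n"
    "\n"
    "Invoice: https://example.com/invoice/42\n")

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("other", SAMPLE_OTHER)):
        print(name, triage(raw))
```

Organisations that legitimately use Application Integration notifications will see "review" results for their own workflows and should allowlist those by subject or recipient rather than by sender.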
Google acknowledged the findings and has since taken steps to block the phishing efforts that abuse the email notification feature. The company also noted that the activity stemmed from misuse of a workflow tool, not a compromise of Google's core infrastructure.










