Cybersecurity experts discovered a new type of phishing attack using the Google Cloud's Application Integration service to send email from a legitimate-looking Google email address: [email protected].
By using the trust that people have in Google Cloud's Infrastructure to circumvent traditional email security, the phishing campaign sent almost 9,000 phishing emails to about 3,200 different targeted organizations across the globe over a two-week period in December 2025.
How it works
The messages sent out by the attackers look like regular work-related emails from companies – for example, messages notifying employees/contractors that they have received/transmitted voice mails or requesting file access. When someone clicks on one of the links embedded in the email, they are taken to the Google Cloud and Google user storage through cloud.google.com and usercontent.com and end up on fake Microsoft sign-in pages hosted on non-Microsoft domains, where attackers captured the user credentials.
This multi-stage chain allows for CAPTCHA-like verifications that are not easily detectable by automated scanners or other security tools, thus ensuring that only human users get through.
Industries targeted
The attackers mainly focused their phishing campaign on the following industries:
1. Manufacturing and Technology
2. Finance and Professional Services
3. Retail
Other sectors that were also affected include media, education, health care, energy, government, travel and transportation.
Recommendations for mitigation
Companies should educate their employees and contractors on phishing-related risks;
1. Implement Multi-Factor Authentication (MFA) for systems where user account access is granted; and
2. Monitor for abnormal login attempts and verify any link before clicking on it, even if it is an established trusted domain.
"This campaign demonstrates how attackers can misuse legitimate cloud automation features to distribute phishing at scale without traditional spoofing," Check Point said.
Source: The Hacker News
