Hackers abuse Google Cloud to send trusted phishing emails

Cybercriminals person recovered a clever caller mode to get phishing emails consecutive into inboxes.

Instead of spoofing brands, they are abusing existent unreality tools that radical already trust. Security researchers accidental attackers precocious hijacked a morganatic email diagnostic wrong Google Cloud. 

The effect was thousands of phishing messages that looked and felt similar mean Google notifications. Many slipped past spam filters with ease.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – erstwhile you articulation my CYBERGUY.COM newsletter.

How this Google Cloud phishing onslaught worked

At the halfway of the run was Google Cloud Application Integration. This work allows businesses to nonstop automated email notifications from workflows they build. Attackers exploited the Send Email task wrong that system. Because the messages came from a existent Google address, they appeared authentic to some users and information tools. 

According to Check Point, a planetary cybersecurity steadfast that tracks and analyzes large-scale menace campaigns, the emails were sent from a morganatic Google-owned code and intimately matched Google's notification style. Fonts, wording, and layout each looked familiar. Over a two-week play successful December 2025, attackers sent much than 9,000 phishing emails targeting astir 3,200 organizations crossed the U.S., Europe, Canada, Asia Pacific, and Latin America.

Attackers utilized trusted Google Cloud infrastructure to way victims done aggregate redirects earlier revealing the scam. (Thomas Fuller/SOPA Images/LightRocket via Getty Images)

MALICIOUS CHROME EXTENSIONS CAUGHT STEALING SENSITIVE DATA

Why Google phishing emails were truthful convincing

The messages looked similar regular workplace alerts. Some claimed you had received a voicemail. Others said you were granted entree to a shared document, similar a Q4 file. That consciousness of normalcy lowered suspicion. Many radical are utilized to seeing these nonstop messages each day. Even much concerning, the emails bypassed communal protections similar SPF and DMARC due to the fact that they were sent done Google-owned infrastructure. To email systems, thing looked fake.

What happens aft you click

The onslaught did not halt astatine the email. Once a unfortunate clicked the link, they were sent to a leafage hosted connected storage.cloud.google.com. That added different furniture of trust. From there, the nexus redirected again to googleusercontent.com. Next came a fake CAPTCHA oregon representation check. This measurement blocked automated information scanners portion letting existent users continue. After passing that screen, victims landed connected a fake Microsoft login leafage hosted connected a non-Microsoft domain. Any credentials entered determination were captured by the attackers.

Who was targeted successful the Google Cloud phishing attack

Check Point says the run focused heavy connected industries that trust connected automated alerts and shared documents. That included manufacturing, technology, finance, nonrecreational services, and retail. Other sectors similar healthcare, education, government, energy, question and media were besides targeted. These environments spot changeless support requests and file-sharing notices, which made the lures consciousness routine.

"We person blocked respective phishing campaigns involving the misuse of an email notification diagnostic wrong Google Cloud Application Integration," a Google spokesperson told Cyberguy. "Importantly, this enactment stemmed from the maltreatment of a workflow automation tool, not a compromise of Google’s infrastructure. While we person implemented protections to support users against this circumstantial attack, we promote continued caution arsenic malicious actors often effort to spoof trusted brands. We are taking further steps to forestall further misuse."

The incidental demonstrates however attackers tin weaponize morganatic unreality automation tools without resorting to accepted spoofing.

Ways to enactment harmless from trusted-looking phishing emails

Phishing emails are getting harder to spot, particularly erstwhile attackers maltreatment existent unreality platforms similar Google Cloud. These steps assistance trim hazard erstwhile emails look acquainted and legitimate.

1) Slow down earlier acting connected alerts

Attackers trust connected urgency. Messages astir voicemails, shared files oregon support changes are designed to marque you click fast. Pause earlier taking action. Ask yourself whether you were really expecting that alert. If not, verify it different way.

2) Inspect links earlier you click

Always hover implicit links to preview the destination domain. In this campaign, links jumped crossed aggregate trusted-looking Google domains earlier landing connected a fake login page. If the last destination does not lucifer the work asking you to motion in, adjacent the leafage immediately.

3) Treat record entree and support emails with caution

Shared papers alerts are a favourite lure due to the fact that they consciousness regular astatine work. If an email claims you were granted entree to a record you bash not recognize, bash not click straight from the message. Instead, unfastened your browser and motion successful to Google Drive oregon OneDrive manually to cheque for caller files.

The last measurement led users to a fake Microsoft login page, wherever entered credentials were silently stolen. (Stack Social)

4) Use a password manager to drawback fake login pages

Password managers tin beryllium a beardown past enactment of defense. They volition not autofill credentials connected fake Microsoft oregon Google login pages hosted connected non-official domains. If your password manager refuses to capable successful a login, that is simply a reddish emblem worthy paying attraction to.

Next, spot if your email has been exposed successful past breaches. Our #1 password manager (see Cyberguy.com/Passwords) prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials.

Check retired the champion expert-reviewed password managers of 2025 astatine Cyberguy.com.

NEW GOOGLE AI MAKES ROBOTS SMARTER WITHOUT THE CLOUD

5) Run beardown antivirus bundle with phishing protection

Modern antivirus tools bash much than scan files. Many present observe malicious links, fake CAPTCHA pages, and credential harvesting sites successful existent time. Strong antivirus bundle tin artifact phishing pages adjacent aft a click, which matters successful multi-stage attacks similar this one.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2025 antivirus extortion winners for your Windows, Mac, Android & iOS devices astatine Cyberguy.com.

6) Reduce your vulnerability with a information removal service

Phishing campaigns often win due to the fact that attackers already cognize your email, leader oregon role. That accusation is commonly pulled from information broker sites. A information removal work helps region your idiosyncratic accusation from these databases, making it harder for attackers to trade convincing, targeted emails.

While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com.

7) Enable two-factor authentication (2FA) everywhere

Even if attackers bargain your password, two-factor authentication (2FA) tin halt them from accessing your account. Use app-based authentication oregon hardware keys erstwhile possible, particularly for enactment email, unreality storage, and Microsoft accounts.

8) Report suspicious emails immediately

If thing feels off, study it. Flag suspicious Google oregon Microsoft alerts to your IT oregon information squad truthful they tin pass others. Early reporting tin halt a phishing run earlier it spreads further wrong an organization.

Google phishing emails looked similar regular workplace alerts. (Kurt "CyberGuy" Knutsson)

Kurt's cardinal takeaways

This run highlights a increasing displacement successful phishing tactics. Attackers nary longer request to fake brands erstwhile they tin maltreatment trusted unreality services directly. As automation becomes much common, information consciousness matters much than ever. Even acquainted emails merit a 2nd look, particularly erstwhile they propulsion urgency oregon inquire for credentials.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

If a phishing email comes from a existent Google address, however assured are you that you would spot it earlier clicking? Let america cognize by penning to america astatine Cyberguy.com.

Sign up for my FREE CyberGuy Report 
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com.  All rights reserved.