Cybercriminals Exploit Google Cloud for Sophisticated Phishing Attacks

Cybercriminals are leveraging a legitimate Google Cloud feature, Application Integration, to launch multi-stage phishing campaigns. By impersonating trusted Google notifications, attackers are successfully bypassing traditional email security filters and reaching thousands of users across various industries globally. This tactic exploits the inherent trust users place in Google's infrastructure to trick them into compromising sensitive information.

Key Takeaways

  • Attackers are using Google Cloud's "Send Email" task within Application Integration to distribute phishing emails.

  • These emails mimic legitimate enterprise notifications, such as voicemail alerts or file access requests, to appear trustworthy.

  • The campaign gets past DMARC and SPF checks because the emails originate from legitimate Google-owned domains.

  • A multi-stage redirection flow leads victims to fake login pages, primarily targeting Microsoft 365 credentials.

  • Google has taken action to block these specific phishing efforts and is implementing further preventative measures.

The Attack Mechanism

Researchers have uncovered a sophisticated phishing campaign where threat actors are abusing Google Cloud's Application Integration service. This service allows users to send custom email notifications from an integration. Attackers exploit this by sending emails from a legitimate Google address, "noreply-application-integration@google[.]com." This strategy is highly effective as it allows the malicious emails to bypass standard email security gateways and land directly in users' inboxes.

The emails are designed to look like routine enterprise notifications, such as voicemail alerts or requests for file access or permissions. This familiar appearance, combined with Google's trusted domain, significantly lowers the suspicion of recipients. During a two-week period in December 2025, approximately 9,394 phishing emails were sent to around 3,200 customers across the U.S., Asia-Pacific, Europe, Canada, and Latin America.

Multi-Stage Redirection and Credential Harvesting

The attack chain involves a multi-stage redirection process. It begins when a recipient clicks a link within the phishing email. This link is initially hosted on , another trusted Google Cloud service, further enhancing the illusion of legitimacy. The user is then redirected to content served from .

Here, a fake CAPTCHA or image-based verification is presented. This serves as a barrier to automated scanners and security tools, while allowing human users to proceed. Once this validation is complete, the victim is presented with a fake Microsoft login page, hosted on a non-Microsoft domain. Any credentials entered on this fraudulent page are then harvested by the attackers.
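A mail-triage heuristic for the pattern described above, as an added example (not code from the original article, the cited researchers, or Google). It treats a passing SPF/DMARC result as expected rather than reassuring, and holds messages from the Application Integration sender that carry a notification lure and a link. The `triage` function name, the lure keyword list, and the sample message with its placeholder hosts are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender address reported on this page (defanged there as google[.]com).
APP_INTEGRATION_SENDER = "noreply-application-integration@google.com"
# Lure themes named on this page; the exact keyword list is an assumption.
LURE_WORDS = ("voicemail", "voice message", "file access", "shared a file", "permission")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw: str) -> dict:
    """Check one RFC 5322 message for the Application Integration lure pattern."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    auth_pass = "spf=pass" in auth and "dmarc=pass" in auth
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    lures = [w for w in LURE_WORDS if w in text]
    # Link hosts are surfaced for analyst review; no host list is assumed here.
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(body)})
    from_service = sender == APP_INTEGRATION_SENDER
    # Authentication passing is expected for this sender, so it never clears a message.
    hold = from_service and bool(lures) and bool(hosts)
    return {"from_service": from_service, "auth_pass": auth_pass,
            "lures": lures, "link_hosts": hosts, "hold_for_review": hold}

# Constructed sample message (not a captured email); hosts are placeholders.
SAMPLE = """\
From: Google Cloud <noreply-application-integration@google.com>
To: user@corp.example
Subject: New voicemail received
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset=utf-8

You have a new voicemail. Listen here: https://files.example.net/vm/12345
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Organizations that legitimately use Application Integration notifications would need an allow-list of their own integrations before holding mail on this rule.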

Targeted Sectors and Evolving Tactics

The campaign has primarily targeted sectors that frequently rely on automated notifications and shared document workflows, including manufacturing, technology, financial services, professional services, and retail. However, other industries like media, education, healthcare, and government have also been affected.

Further analysis by other security firms has revealed that these attacks are also employing OAuth consent phishing. In some instances, attackers are hosting fake login pages on Amazon Web Services (AWS) S3 buckets and tricking victims into granting malicious Azure AD applications access to their cloud resources. This allows attackers to gain persistent access to Azure subscriptions, virtual machines, storage, and databases through delegated permissions. The use of multiple trusted infrastructures—Google, Microsoft, and AWS—makes these attacks exceptionally difficult to detect and block at any single point.

As cyber threats continue to evolve, your security strategy needs to evolve with them. BetterWorld Technology delivers adaptive cybersecurity solutions designed to keep your business secure while supporting innovation. Connect with us today to schedule a personalized consultation.

Sources

  • Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign, The Hacker News.
