Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection
This report describes a phishing campaign in which attackers impersonate legitimate Google-generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients.
In this incident, attackers sent 9,394 phishing emails targeting approximately 3,200 customers over the past 14 days. All messages were sent from the legitimate Google address [email protected], which significantly increased their credibility and likelihood of reaching end users’ inboxes.
Method of attack
Based on the observed email characteristics and sender infrastructure, the campaign appears to leverage Google Cloud’s Application Integration Send Email task, a feature intended for legitimate workflow automation and system notifications. This functionality allows configured integrations to send emails to arbitrary recipients, which would explain how the attackers were able to distribute messages directly from Google-owned domains without compromising Google itself.
This behavior suggests a misuse of legitimate cloud automation capabilities to impersonate authentic Google notifications while bypassing traditional sender-reputation and domain-based detection controls.
To further increase trust, the emails closely followed Google notification style and structure, including familiar formatting and language. The lures commonly referenced voicemail messages or claims that the recipient had been granted access to a shared file or document such as access to a “Q4” file, prompting recipients to click embedded links and take immediate action.
Link Redirection Technique (Visual Flow):

As illustrated in the attached diagram, the attack relies on a multi-stage redirection flow designed to lower user suspicion and delay detection:
- Initial click
The user clicks a button or link hosted on storage.cloud.google.com, a trusted Google Cloud service. Using a legitimate cloud-hosted URL at the first step helps establish trust and reduces the likelihood of the link being blocked or questioned.
- Validation and filtering stage
The link then redirects the user to content served from googleusercontent.com, where a fake CAPTCHA or image-based verification is presented. This step is intended to block automated scanners and security tools while allowing real users to proceed.
- Final destination: credential harvesting
After passing the validation stage, the user is redirected to a fake Microsoft login page hosted on a non-Microsoft domain. Any credentials entered at this stage are captured by the attacker, completing the phishing chain.
This layered redirection approach combines trusted cloud infrastructure, user interaction checks, and brand impersonation to maximize success while minimizing early detection.
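As an added example that is not part of the original report, the following Python triage heuristics encode the email characteristics described under "Method of attack" and the three-hop redirection flow above. The sender address, the sample message, the bucket path and the hostnames in the test chains are constructed placeholders, not the campaign's real values.

```python
# Added triage heuristics for the pattern described above (not from the report).
# Sender address and sample message are constructed placeholders.
import re
from email import message_from_string
from urllib.parse import urlparse

GOOGLE_AUTOMATION_SENDER = "placeholder-noreply@google.com"  # assumption, not the real address
LURE_TERMS = ("voicemail", "granted access", "shared", "access request", "q4")
FIRST_HOP = "storage.cloud.google.com"
INTERSTITIAL = "googleusercontent.com"
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed sample resembling the "Q4 file access" lure; not a real capture.
SAMPLE_EMAIL = (
    f"From: Google Notifications <{GOOGLE_AUTOMATION_SENDER}>\n"
    "Subject: You have been granted access to Q4\n"
    "Content-Type: text/html\n\n"
    '<p>Open the file: <a href="https://storage.cloud.google.com/'
    'example-bucket/q4.html">Q4 Report</a></p>\n'
)

def extract_links(raw: str) -> list[str]:
    """Collect http(s) URLs from every text part of an RFC 822 message."""
    msg = message_from_string(raw)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode(errors="replace")
            urls += re.findall(r'https?://[^\s"\'<>]+', body)
    return urls

def score_message(raw: str) -> dict:
    """Flag a message combining the trusted sender, a notification lure and a Cloud Storage link."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    links = extract_links(raw)
    signals = {
        "google_sender": GOOGLE_AUTOMATION_SENDER in (msg.get("From") or "").lower(),
        "notification_lure": any(t in subject for t in LURE_TERMS),
        "storage_first_hop": any(urlparse(u).hostname == FIRST_HOP for u in links),
    }
    signals["suspicious"] = all(signals.values())  # all three signals together
    return signals

def chain_matches_pattern(hosts: list[str]) -> bool:
    """Redirect chain (hostnames in order, e.g. from a URL sandbox) matching the three-hop flow."""
    if len(hosts) < 3 or hosts[0] != FIRST_HOP:
        return False
    via_google_content = any(h == INTERSTITIAL or h.endswith("." + INTERSTITIAL) for h in hosts[1:-1])
    # Final hop must be a non-Microsoft host presenting the Microsoft login lure
    return via_google_content and hosts[-1] not in MICROSOFT_LOGIN_HOSTS
```

A message matching all three signals, or a chain matching the hop pattern, is a candidate for quarantine and analyst review rather than an automatic verdict, since legitimate Application Integration notifications share the same sender.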
Examples of real phishing emails we caught:


Who was affected (last 14 days):
- By industry:
Analysis shows the campaign primarily targeted manufacturing/industrial (19.6%), technology/SaaS (18.9%), and finance/banking/insurance (14.8%) organizations, followed by professional services/consulting (10.7%) and retail/consumer (9.1%). Smaller portions of the activity were observed across media/advertising (7.4%), education/research (6.2%), healthcare/life sciences (5.1%), energy/utilities (3.2%), government/public sector (2.5%), travel/hospitality (1.9%), and transportation/logistics (0.9%), with other/unknown (1.7%).
These sectors commonly rely on automated notifications, shared documents, and permission-based workflows, making Google-branded alerts especially convincing.
- By region:
Affected organizations were primarily based in the United States (48.6%), followed by Asia-Pacific (20.7%) and Europe (19.8%). Additional impact was observed in Canada (4.1%), LATAM (3.0%), the Middle East (2.2%), and Africa (0.9%), with 0.7% of cases remaining unknown or unclassified.
Within LATAM, the activity was concentrated in Brazil (41%) and Mexico (26%), followed by Argentina (13%), Colombia (12%), and Chile (5%), with smaller shares across other countries.
This campaign highlights how attackers can misuse legitimate cloud automation and workflow features to distribute phishing at scale without traditional spoofing. It reinforces the need for continued awareness, especially when emails include clickable links, even when the sender, domain, and infrastructure appear fully legitimate.
Google provided the following statement:
“We have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration. Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Google’s infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further misuse.”