Cybercriminals Abuse Google Cloud Email Feature In Multi-stage...
Cybersecurity researchers have disclosed details of a phishing campaign that involves the attackers impersonating legitimate Google-generated messages by abusing Google Cloud's Application Integration service to distribute emails.
The activity, Check Point said, takes advantage of the trust associated with Google Cloud infrastructure to send the messages from a legitimate email address ("noreply-application-integration@google[.]com") so that they can bypass traditional email security filters and have a better chance of landing in users' inboxes.
"The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients," the cybersecurity company said.
Attackers have been observed sending 9,394 phishing emails targeting approximately 3,200 customers over a 14-day period observed in December 2025, with the affected organizations located in the U.S., Asia-Pacific, Europe, Canada, and Latin America.
At the heart of the campaign is the abuse of Application Integration's "Send Email" task, which allows users to send custom email notifications from an integration. Google notes in its support documentation that only a maximum of 30 recipients can be added to the task.
The fact that these emails can be configured to be sent to any arbitrary email addresses demonstrates the threat actor's ability to misuse a legitimate automation capability to their advantage and send emails from Google-owned domains, effectively bypassing DMARC and SPF checks.
"To further increase trust, the emails closely followed Google notification style and structure, including familiar formatting and language," Check Point said. "The lures commonly referenced voicemail messages or claims that the recipient had been granted access to a shared file or document, such as access to a 'Q4' file, prompting recipients to click embedded links and take immediate action."
The attack chain is a multi-stage redirection flow that commences when an email recipient clicks on a link hosted on storage.cloud.google[.]com, another trusted Google Cloud service. The effort is seen as another effort to lower user suspicion and give it a veneer of legitimacy.
The link then redirects the user to content served from googleusercontent[.]com, presenting them with a fake CAPTCHA or image-based verification that acts as a barrier by blocking automated scanners and security tools from scrutinizing the attack infrastruct
Source: The Hacker News
