Phishing Campaign Abuses Google Cloud Automation to Slip Past Security Defenses

Attackers exploit trusted Google Cloud workflows to deliver convincing phishing emails at scale, targeting enterprises worldwide

A newly uncovered phishing campaign has raised fresh alarms across the cybersecurity community after attackers successfully abused legitimate Google Cloud automation features to send thousands of malicious emails that appeared to come directly from Google itself.

According to Check Point Research, the campaign leveraged Google Cloud Application Integration, a workflow automation service designed for legitimate system notifications, to distribute phishing emails from a real Google-owned address: noreply-application-integration@google.com.

Over a two-week period, attackers sent 9,394 phishing emails, targeting approximately 3,200 organizations worldwide. Because the messages originated from trusted Google infrastructure, they bypassed many traditional email security controls, landing directly in users’ inboxes and significantly increasing the likelihood of interaction.

This incident underscores a growing reality in modern cybersecurity: attackers no longer need to spoof domains or compromise infrastructure when they can misuse trusted cloud services themselves.

How the attack worked

Investigators found that the attackers did not breach Google’s systems. Instead, they abused built-in automation capabilities meant for sending legitimate enterprise notifications.

The phishing emails were carefully crafted to look like routine Google alerts, including:

  • Voicemail notifications
  • File access or permission requests
  • Shared document updates referencing urgent or familiar terms such as “Q4 files”

These are exactly the types of messages employees are trained not to question, especially when they come from a legitimate Google address.

The multi-stage redirection chain

What made this campaign particularly effective was its layered redirection strategy:

  1. Trusted first click
    Victims clicked links hosted on storage.cloud.google.com, a legitimate Google Cloud service. This immediately reduced suspicion and avoided URL-based blocking.
  2. Validation and evasion stage
    Users were redirected to googleusercontent.com, where a fake CAPTCHA or image-based verification appeared. This step filtered out automated scanners and sandbox tools.
  3. Credential harvesting
    Finally, victims landed on a fake Microsoft login page hosted on a non-Microsoft domain. Any credentials entered were captured by the attackers.

This chain combined trusted cloud infrastructure, user interaction checks, and brand impersonation, a textbook example of modern phishing tradecraft.

Who was affected

By industry

The campaign disproportionately targeted sectors that rely heavily on automated notifications and document sharing:

  • Manufacturing & Industrial: 19.6%
  • Technology & SaaS: 18.9%
  • Finance, Banking & Insurance: 14.8%
  • Professional Services & Consulting: 10.7%
  • Retail & Consumer: 9.1%

Smaller but notable impacts were also seen across education, healthcare, energy, government, and transportation.

By region

While the campaign was global in nature, the highest concentration of victims was in:

  • United States: 48.6%
  • Asia-Pacific: 20.7%
  • Europe: 19.8%

The Middle East (2.2%) and Africa (0.9%) were also affected, a reminder that no region is immune, particularly as cloud adoption accelerates across MEA enterprises and governments.

Why this attack is a turning point

This campaign highlights a critical shift: trust itself is being weaponized.

Email security tools have long relied on sender reputation, domain trust, and cloud-provider allowlists. By abusing legitimate Google Cloud workflows, attackers effectively turned these trust models against defenders.

For organizations investing heavily in cloud-first strategies, this raises urgent questions about:

  • Visibility into cloud-native abuse
  • Monitoring of outbound automation workflows
  • User awareness when “everything looks legitimate”

Security leaders and consultants across the region – including teams working with Saintynet Cybersecurity – are increasingly warning that phishing defense must evolve beyond simple indicators of compromise.

What Google says

In response, Google confirmed it has taken action:

“We have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration. Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Google’s infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands.”

What security teams should do now: 10 key actions

  1. Treat cloud-generated emails with caution
    Trusted infrastructure does not equal trusted intent.
  2. Strengthen phishing awareness training
    Focus on context-based decision-making, not just sender checks.
  3. Inspect link chains, not just first URLs
    Many attacks now hide the malicious payload behind trusted redirects.
  4. Harden identity protections
    Enforce MFA everywhere, especially for Microsoft and Google accounts.
  5. Monitor cloud automation usage
    Track and audit outbound notification workflows in cloud platforms.
  6. Deploy behavioral email detection
    Look for anomalies in email content and user interaction patterns.
  7. Block fake CAPTCHA and verification pages
    These are increasingly used to evade automated scanners.
  8. Enable conditional access policies
    Restrict logins based on device posture, geography, and risk signals.
  9. Simulate real-world phishing scenarios
    Test employees with realistic Google- and Microsoft-themed lures.
  10. Partner with experienced cybersecurity advisors
    Engage specialists such as Saintynet Cybersecurity to assess cloud and email attack surfaces end-to-end.
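The redirection chain described above (trusted Google host, interstitial verification page, Microsoft-branded login on a non-Microsoft host) is exactly the pattern action 3 asks teams to inspect. The following is an added example, not code from Check Point, Google or this article: it classifies a followed link chain by that pattern. The Microsoft login allowlist, the text markers and the sample chains are constructed assumptions for illustration.

```python
from urllib.parse import urlparse

# Hosts the article names for the "trusted first click" and "validation" stages.
TRUSTED_GOOGLE_HOSTS = ("storage.cloud.google.com", "googleusercontent.com")
# Illustrative allowlist of hosts that legitimately serve a Microsoft sign-in form (assumption).
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com")
# Constructed page-text markers for a Microsoft-branded login and for a CAPTCHA-style interstitial.
MICROSOFT_BRAND_MARKERS = ("sign in to your microsoft account", "microsoft 365", "office 365")
CAPTCHA_MARKERS = ("captcha", "verify you are human", "click the image")

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def host_in(host: str, suffixes) -> bool:
    """True if host equals, or is a subdomain of, any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify_chain(chain):
    """chain: list of (url, page_text) hops in the order a client follows them.
    Returns (verdict, reasons); verdict is 'benign', 'review' or 'suspicious'."""
    reasons = []
    if not chain:
        return "benign", reasons
    first_host = host_of(chain[0][0])
    final_url, final_text = chain[-1]
    final_host = host_of(final_url)
    if host_in(first_host, TRUSTED_GOOGLE_HOSTS):
        reasons.append(f"first hop on trusted Google host {first_host}")
    for url, text in chain[1:-1]:  # interstitial hops between entry and landing page
        if any(m in text.lower() for m in CAPTCHA_MARKERS):
            reasons.append(f"interstitial verification page on {host_of(url)}")
    ms_branded = any(m in final_text.lower() for m in MICROSOFT_BRAND_MARKERS)
    if ms_branded and not host_in(final_host, MICROSOFT_LOGIN_HOSTS):
        reasons.append(f"Microsoft-branded login on non-Microsoft host {final_host}")
        return "suspicious", reasons
    # Trusted entry plus an interstitial check, but no brand mismatch: worth a human look.
    if len(reasons) >= 2:
        return "review", reasons
    return "benign", reasons

# Constructed sample chains (not real campaign URLs).
PHISH_CHAIN = [
    ("https://storage.cloud.google.com/example-bucket/q4-files.html", "Q4 files shared with you"),
    ("https://lh3.googleusercontent.com/example-image", "Please verify you are human"),
    ("https://example-login.invalid/auth", "Sign in to your Microsoft account"),
]
BENIGN_CHAIN = [("https://storage.cloud.google.com/example-bucket/report.pdf", "Quarterly report")]
LEGIT_MS_CHAIN = [
    ("https://storage.cloud.google.com/example-bucket/link.html", "Open in Office 365"),
    ("https://login.microsoftonline.com/common/oauth2/authorize", "Sign in to your Microsoft account"),
]
```

The point of the allowlist check is that a Microsoft sign-in page is only suspicious when its host is not Microsoft's; a trusted first hop on its own is a reason to record, not to block.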

MEA perspective

As organizations across the Middle East and Africa accelerate digital transformation and cloud adoption, attacks like this are especially concerning. Government entities, financial institutions, and fast-growing tech firms in the region rely heavily on Google Workspace and Microsoft 365, making brand-impersonation phishing a high-impact threat.

Previous awareness pieces on cloud-driven phishing trends are available on Cybercory, where similar attacks have been tracked across MEA markets.

Conclusion

This phishing campaign is a stark reminder that trust is no longer a reliable security signal. When attackers can exploit legitimate cloud services to deliver malware and steal credentials, organizations must rethink how they validate emails, links, and workflows.

The lesson is clear:
Security teams must assume that even “trusted” notifications can be weaponized, and prepare users, controls, and processes accordingly.
