A new phishing campaign is making the rounds globally, and it’s particularly dangerous because it hides in plain sight. By abusing legitimate Google Cloud services, attackers are sending highly convincing emails that slip past spam filters and guide victims – step by step – toward fake Microsoft 365 login pages designed to steal credentials.
The campaign, uncovered by researchers and detailed by Malwarebytes, highlights a growing trend in modern phishing: attackers no longer rely on poorly written emails or suspicious domains. Instead, they weaponize trusted cloud platforms, turning reputation and legitimacy into an attack vector.
According to the analysis published by Malwarebytes, the phishing emails are sent using Google Cloud Application Integration’s “Send Email” feature, originating from a legitimate Google address: noreply-application-integration@google[.]com. The emails appear authentic, reference everyday workplace scenarios, and are convincing enough to fool both automated security tools and human recipients.
How the attack works
The attack chain is deliberately layered to build trust at every step.
It starts with a routine-looking email, often claiming a new voicemail, a shared document, or a task requiring action. The embedded link points to a genuine Google Cloud Storage URL, which means the domain looks clean and trustworthy at first glance.
After clicking the link, victims are redirected again, this time through a Google-owned domain (googleusercontent[.]com), where they are presented with a CAPTCHA or image verification. This step further reinforces the illusion of legitimacy.
Only after passing these “trusted” checkpoints does the victim land on a look-alike Microsoft 365 sign-in page. While the page looks familiar, the URL is not an official Microsoft domain. Any username and password entered here are silently harvested by the attackers.
This technique does not exploit a vulnerability in Google’s infrastructure. Instead, it abuses legitimate cloud features, something that makes detection and prevention significantly harder.
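For mail teams, the pattern above can be turned into a triage rule. The following is an added example, not code from Malwarebytes or Google: it parses a message and holds it for review when the Application Integration sender appears together with a link to Google-hosted user content. The content-host list, the hold policy and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender named in the article (written there defanged as google[.]com).
APP_INTEGRATION_SENDER = "noreply-application-integration@google.com"
# Assumption: Google hosts that serve customer-uploaded content.
GOOGLE_HOSTED_CONTENT = ("storage.googleapis.com", "storage.cloud.google.com",
                         "googleusercontent.com")
# Lure themes the article lists: voicemail, shared document, task needing action.
LURE_RE = re.compile(r"voicemail|shared (a )?document|\btask\b|action required", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def on_google_hosted_content(url):
    """True if the URL's host is one of the content hosts or a subdomain of one."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTED_CONTENT)

def triage(raw_message):
    """Return (verdict, reasons) for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    hosted = [u for u in URL_RE.findall(text) if on_google_hosted_content(u)]
    reasons = []
    if sender == APP_INTEGRATION_SENDER:
        reasons.append("sent via Application Integration 'Send Email'")
    if hosted:
        reasons.append("links to Google-hosted user content")
    if LURE_RE.search(str(msg.get("Subject", "")) + " " + text):
        reasons.append("voicemail/document/task lure wording")
    # Assumed policy: the sender alone is legitimate automation, so hold the
    # message only when the sender and a hosted-content link appear together.
    hold = sender == APP_INTEGRATION_SENDER and bool(hosted)
    return ("hold-for-review" if hold else "deliver"), reasons

# Constructed sample message (not taken from the campaign).
SAMPLE = (
    "From: Google Cloud <noreply-application-integration@google.com>\n"
    "To: user@corp.example\n"
    "Subject: You have a new voicemail\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Listen here:\n"
    "https://storage.googleapis.com/constructed-bucket/vm.html\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```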
Why this matters
Phishing has evolved. Campaigns like this demonstrate that attackers are now designing operations specifically to bypass technical controls and exploit user trust in well-known brands like Google and Microsoft.
For organizations that rely heavily on Microsoft 365 for email, collaboration, and cloud productivity, stolen credentials can lead to:
- Business email compromise (BEC)
- Unauthorized access to sensitive data
- Internal phishing from compromised accounts
- Lateral movement across cloud services
From a broader industry perspective, this reinforces the need for stronger identity protection, better user awareness, and continuous monitoring, areas where professional cybersecurity services from providers such as Saintynet Cybersecurity play a critical role.
Google’s response
Google confirmed that it has taken action to disrupt the campaign. In a statement, the company said it blocked multiple phishing attempts involving the misuse of Google Cloud Application Integration and emphasized that the activity was abuse of a workflow automation tool, not a breach of Google systems.
Google also stated it has implemented additional protections and continues to monitor for similar misuse, while warning users to remain cautious as attackers frequently impersonate trusted brands.
A familiar pattern in modern phishing
This is not an isolated case. Similar campaigns in recent years have abused trusted workflows and notification systems from platforms such as PayPal, DocuSign, and other cloud-based service providers. The goal is always the same: borrow trust from reputable brands to make phishing emails harder to spot.
For security leaders, this trend underscores why technical controls alone are no longer enough. Human awareness and process maturity are just as important as tools.
For deeper insight into evolving phishing and cloud-based threats, readers can explore related coverage on cybercory.com, which regularly tracks real-world attack techniques and industry responses.
What organizations and users should do next
Security teams and end users can reduce their exposure by taking the following actions:
- Always check the full URL of any login page before entering credentials. If it is not a genuine Microsoft domain, do not proceed.
- Use a password manager, which will refuse to auto-fill credentials on fake or mismatched domains.
- Treat “urgent” emails about voicemails, document access, or permissions with caution, even when they appear to come from Google or Microsoft.
- Access Microsoft 365 services directly through bookmarks or official apps instead of clicking email links.
- Enforce multi-factor authentication (MFA) across all user accounts to limit the impact of stolen passwords.
- Regularly review OAuth apps and third-party integrations connected to Microsoft 365 and remove anything suspicious.
- Implement conditional access policies to restrict logins based on location, device, or risk level.
- Monitor for unusual login activity, especially successful logins from new geographies or devices.
- Run regular phishing simulations and awareness programs to keep employees alert. Structured training and awareness programs such as those offered can significantly reduce click rates.
- Establish clear incident response procedures so users know how to report suspected phishing immediately.
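The first two recommendations come down to exact host matching on the sign-in page. The following is an added example, not part of the original article: it checks a redirect chain recorded by a proxy or sandbox and shows that a look-alike host containing the Microsoft name still fails the match. The allowlist is an illustrative, non-exhaustive assumption and the sample chain is constructed.

```python
from urllib.parse import urlsplit

# Assumption: illustrative, non-exhaustive allowlist of Microsoft sign-in hosts.
MICROSOFT_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com",
                          "login.live.com"}
# Google-owned host from the article's chain, plus a Cloud Storage host (assumption).
GOOGLE_HOSTED = ("googleusercontent.com", "storage.googleapis.com")

def real_host(url):
    """Host the browser actually connects to; None unless the scheme is https."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    # .hostname drops any userinfo ("user@") and port, and lowercases the name.
    return (parts.hostname or "").rstrip(".") or None

def is_microsoft_signin(url):
    """Exact host match; a look-alike that merely contains the name fails."""
    return real_host(url) in MICROSOFT_SIGNIN_HOSTS

def assess_chain(chain):
    """chain: ordered URLs from first click to the page showing a Microsoft-branded
    sign-in form (assumed to come from a proxy log or sandbox run)."""
    hops = [real_host(u) or "" for u in chain]
    via_google = any(h == g or h.endswith("." + g)
                     for h in hops[:-1] for g in GOOGLE_HOSTED)
    if is_microsoft_signin(chain[-1]):
        verdict = "genuine-sign-in-host"
    elif via_google:
        verdict = "matches-campaign-pattern"
    else:
        verdict = "untrusted-sign-in-host"
    return {"final_host": hops[-1], "via_google_hosted": via_google,
            "verdict": verdict}

# Constructed chain in the shape the article describes (hosts are placeholders).
SAMPLE_CHAIN = [
    "https://storage.googleapis.com/constructed-bucket/vm.html",
    "https://constructed-check.googleusercontent.com/verify",
    "https://login.microsoftonline.com.signin-constructed.example/common/oauth2",
]

if __name__ == "__main__":
    print(assess_chain(SAMPLE_CHAIN))
```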
MEA perspective
Organizations across the Middle East and Africa are rapidly accelerating cloud adoption and Microsoft 365 usage. As digital transformation grows across government, finance, energy, and telecom sectors, cloud-based phishing campaigns like this one represent a direct risk to regional digital resilience.
For MEA enterprises, investing in identity security, user awareness, and managed cybersecurity services is no longer optional; it is foundational.
Conclusion
This latest phishing campaign is a reminder that trust is now one of the most valuable assets attackers can exploit. By abusing legitimate Google Cloud services, cybercriminals have once again shown how easily familiar platforms can be turned into delivery mechanisms for credential theft.
The takeaway is clear: verifying links, strengthening identity controls, and educating users remain the most effective defenses. As attackers continue to evolve, so must the strategies used to stop them, before a single stolen password turns into a full-scale breach.




