Trusted Cloud Tools Fuel New Phishing Wave

Cybercriminals have discovered an effective way to bypass spam filters by abusing trusted cloud services rather than spoofing brands. A recent campaign exploited a legitimate email feature within Google Cloud, enabling attackers to deliver thousands of phishing messages that closely resembled authentic Google notifications.

At the center of the attack was Google Cloud Application Integration, a service enterprises use to automate workflows and send system-generated emails. Threat actors misused its Send Email capability, allowing phishing messages to originate from a real, Google-owned address. According to Check Point, this legitimacy helped emails evade security filters and land directly in user inboxes. Over a two-week period in December 2025, more than 9,000 emails targeted roughly 3,200 organizations across North America, Europe, Asia-Pacific, and Latin America.

The campaign relied on a multi-stage deception chain. Victims were first routed to pages hosted on storage.cloud.google.com, then redirected via googleusercontent.com, reinforcing trust at each step. A fake CAPTCHA blocked automated scanners while letting human users proceed. The final stop was a convincing fake Microsoft login page, where credentials were harvested.

Industries dependent on automated alerts—manufacturing, technology, finance, retail, and professional services—were prime targets, along with healthcare, education, government, and energy. The attack underscores a critical shift: platform trust itself has become the attack surface, demanding stronger verification and phishing-resistant authentication across cloud ecosystems.