Hackers Abuse Google Cloud Service to Send Highly Convincing Phishing Emails

Cybersecurity researchers have uncovered a large-scale phishing campaign in which attackers abused Google Cloud’s Application Integration service to send emails that appear to be legitimate, Google-generated notifications.

According to Check Point, the attackers leveraged the “Send Email” feature within Application Integration to distribute phishing messages from a trusted Google address, noreply-application-integration@google.com. Because the emails originated from Google-owned infrastructure, they were able to bypass traditional email security mechanisms such as DMARC and SPF, significantly increasing their chances of reaching users’ inboxes.

The messages closely mimicked routine enterprise alerts, including voicemail notifications and shared file access requests, and followed Google’s familiar formatting and language. During a 14-day period in December 2025, researchers observed 9,394 phishing emails sent to roughly 3,200 targets across the United States, Europe, Asia-Pacific, Canada, and Latin America.

The Best VPNs for 2026 (Ranking)

The attack chain involved multiple redirection stages. Victims who clicked the embedded links were first directed to URLs hosted on storage.cloud.google.com, then forwarded to googleusercontent.com, where fake CAPTCHA or image-based verification screens were used to evade automated security scanners. After passing this step, users were ultimately redirected to a counterfeit Microsoft login page hosted on a non-Microsoft domain, where credentials were harvested.

Check Point noted that the campaign primarily targeted manufacturing, technology, financial services, professional services, and retail organizations, while also affecting sectors such as healthcare, education, energy, government, and transportation.

Google has since blocked the misuse of the Application Integration email feature and stated it is implementing additional safeguards to prevent similar abuse. The incident highlights how legitimate cloud automation tools can be weaponized for phishing at scale without traditional email spoofing techniques.