Cybercriminals Exploit Google Cloud to Send Over 9,000 Phishing Emails Targeting Thousands of Organizations
WASHINGTON, D.C. — In a sophisticated cyberattack uncovered in late 2025, hackers exploited Google Cloud’s legitimate automation features to send more than 9,000 phishing emails to approximately 3,200 organizations worldwide. By leveraging Google Cloud Application Integration’s “Send Email” task, attackers were able to send emails from authentic Google-owned addresses, allowing their messages to get past traditional spam filters and email authentication checks such as SPF and DMARC.
The campaign, tracked by cybersecurity firm Check Point, targeted organizations across multiple sectors including manufacturing, technology, finance, professional services, retail, healthcare, education, government, energy, travel, and media. The phishing emails mimicked routine Google notifications—alerts about voicemails or shared documents—making them appear familiar and trustworthy to recipients. This familiarity lowered suspicion and increased the likelihood of interaction.
Once victims clicked the embedded links, they were redirected through Google’s trusted cloud infrastructure, starting with storage.cloud.google.com and then googleusercontent.com. These redirects added layers of perceived legitimacy. The final destination was a counterfeit Microsoft login page hosted on a non-Microsoft domain, designed to harvest user credentials. To evade automated detection, the attackers incorporated a fake CAPTCHA or image verification step, which blocked security scanners but allowed real users to proceed.
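The redirect chain described above can be checked against click data recorded by a mail gateway or web proxy. The Python below is an added example, not code from Check Point or Google; the list of genuine Microsoft sign-in domains, the verdict names, and the sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Google-hosted redirect hops named in the article.
GOOGLE_HOPS = ("storage.cloud.google.com", "googleusercontent.com")
# Assumption: domains accepted as genuine Microsoft sign-in hosts; adjust locally.
MICROSOFT_HOSTS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")


def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_chain(urls, final_title):
    """Score one recorded redirect chain (first URL = link in the email)."""
    hosts = [urlsplit(u).hostname for u in urls]
    via_google = [h for h in hosts[:-1] if host_in(h, GOOGLE_HOPS)]
    final_host = hosts[-1]
    claims_microsoft = "microsoft" in final_title.lower()
    off_brand = claims_microsoft and not host_in(final_host, MICROSOFT_HOSTS)
    reasons = []
    if via_google:
        reasons.append("redirects through " + ", ".join(via_google))
    if off_brand:
        reasons.append(f"Microsoft-branded page on {final_host}")
    # Both signals together match the chain described above; one alone is only a hint.
    verdict = "block" if via_google and off_brand else "review" if off_brand else "allow"
    return {"verdict": verdict, "final_host": final_host, "reasons": reasons}


# Constructed sample chains (not observed indicators).
SAMPLES = {
    "campaign-like": (["https://storage.cloud.google.com/bucket-a/notice.html",
                       "https://abc123.googleusercontent.com/verify",
                       "https://login.microsoftonline.com.signin-portal.example/"],
                      "Sign in to your Microsoft account"),
    "genuine": (["https://storage.cloud.google.com/bucket-b/report.pdf"], "report.pdf"),
    "direct-lookalike": (["https://signin-portal.example/"], "Microsoft 365 sign in"),
}

if __name__ == "__main__":
    for name, (chain, title) in SAMPLES.items():
        print(name, assess_chain(chain, title))
```

Suffix matching on the parsed hostname is what keeps a host such as `login.microsoftonline.com.signin-portal.example` from being treated as a Microsoft domain.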
This attack highlights a growing trend in which cybercriminals abuse trusted cloud services to bypass security defenses. The Cybersecurity and Infrastructure Security Agency has previously warned about the risks of supply chain and cloud-based attacks, emphasizing the need for organizations to implement multi-factor authentication and monitor for unusual login activity.
Google Cloud’s Application Integration service is widely used by enterprises to automate workflows and send notifications. However, the attackers’ exploitation of this legitimate feature underscores the challenges in securing cloud environments where trusted tools can be weaponized. The Federal Bureau of Investigation continues to investigate the incident and urges organizations to remain vigilant against phishing attempts, especially those that appear to come from trusted cloud platforms.
As cloud services become increasingly integral to business operations, this incident serves as a stark reminder that even trusted infrastructure can be manipulated by malicious actors. Organizations are encouraged to educate employees on identifying phishing tactics and to deploy advanced threat detection technologies to mitigate such risks.