Google Cloud Feature Weaponized in 9,000-Email Phishing Wave
Attackers abuse Google Cloud Application Integration to send phishing emails that bypass SPF, DKIM, and DMARC, targeting 3,200 organizations globally.
Attackers are exploiting a legitimate Google Cloud feature to send phishing emails that sail through email security gateways undetected. Because the messages originate from Google's own infrastructure, they pass SPF, DKIM, and DMARC authentication checks—the very protocols designed to prevent email spoofing.
Check Point researchers observed 9,394 phishing emails targeting approximately 3,200 organizations over a 14-day period in December 2025. The campaign abused Google Cloud's Application Integration service, a workflow automation tool that includes email-sending capabilities.
How the Attack Works
The attackers configured Application Integration workflows to send emails from [email protected]. This address is legitimately owned by Google, so the emails carry valid cryptographic signatures and pass every standard email authentication check.
Recipients see messages that appear to come directly from Google—because technically, they do.
The emails impersonate routine enterprise notifications: voicemail alerts, file sharing requests, permission changes. Nothing unusual enough to trigger suspicion. When users click through, they land on a genuine Google Cloud storage page (storage.cloud.google.com), which adds another layer of perceived legitimacy.
From there, a redirect sends victims to a second Google-hosted page showing a fake CAPTCHA. Completing it leads to the final payload: a credential harvesting page designed to look like a Microsoft login portal. By the time users realize something is wrong, their credentials are already exfiltrated.
Who Got Targeted
Manufacturing and industrial companies took the brunt of the campaign at 19.6% of targets, followed closely by technology and SaaS firms (18.9%) and financial services (14.8%). Professional services and retail rounded out the top five.
Geographically, nearly half the targets (48.6%) were in the United States. Asia-Pacific accounted for 20.7%, with Europe at 19.8%. Within Latin America, Brazil and Mexico saw the heaviest concentration.
The targeting pattern suggests the attackers were after corporate credentials rather than consumer accounts. Manufacturing and finance in particular often use Microsoft 365 environments where stolen credentials provide immediate access to email, SharePoint, and other sensitive business systems.
Google's Response
Google told researchers that "several phishing campaigns" abusing Application Integration had already been blocked by the time the research was published. The company emphasized that the attacks stemmed from workflow automation abuse, not a compromise of Google infrastructure itself.
"We are taking additional steps to prevent further misuse," a Google spokesperson said.
But the statement acknowledges an uncomfortable reality: Google built a tool that threat actors turned into a phishing weapon. The company's own security measures failed to prevent its platform from being used to attack Google's customers.
The Broader Problem
This campaign reflects an emerging pattern where attackers weaponize legitimate cloud services as delivery mechanisms. Google has seen similar abuse through AppSheet, Forms, and now Application Integration. Microsoft faces the same problem with Azure services.
The attacks work because cloud platforms are trusted by default. Email gateways that would block messages from unknown domains wave through emails from google.com without a second look. Network security tools that flag connections to suspicious infrastructure don't question traffic to googleapis.com.
Organizations depending solely on email authentication protocols are exposed. DMARC, SPF, and DKIM prove that Google sent the email. They don't prove the email isn't malicious.
Defending Against Trusted-Source Phishing
Traditional email security needs augmentation when attackers hide behind trusted infrastructure. Security teams should consider:
- Behavioral analysis over origin reputation—Flag emails requesting credential entry regardless of sender domain
- URL inspection at click time—Check redirect chains, not just initial destinations
- User awareness training—Staff should know that Google-origin emails can still be phishing attempts
- Cloud service monitoring—Organizations using Google Cloud should audit Application Integration configurations for unauthorized workflows
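As an added illustration of the first two points above (this is example code, not from the article or from Check Point), the following Python scores a message on its wording and links and reports, but never relies on, the SPF/DKIM/DMARC result. The sample message is constructed; its sender local part and bucket path are placeholders, since the article gives neither.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample, not a message captured from the campaign. The article
# does not give the exact sender address, so the local part is a placeholder.
SAMPLE_EMAIL = """\
From: Google Cloud <placeholder-sender@google.com>
To: alice@example.com
Subject: New voicemail received
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset=utf-8

You have a new voicemail. Listen here:
https://storage.cloud.google.com/constructed-bucket/voicemail.html
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Lure themes the article lists: voicemail alerts, file sharing, permission changes.
LURE_TERMS = ("voicemail", "shared a file", "file sharing", "permission")
# The Google-hosted landing page the article names as the first hop of the chain.
LANDING_HOSTS = ("storage.cloud.google.com",)

def auth_results(msg):
    """Parse Authentication-Results into {'spf': 'pass', 'dkim': ..., 'dmarc': ...}."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}

def body_text(msg):
    """Concatenate every text/* part so links in HTML parts are inspected too."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")

def score_message(raw):
    """Behavioural verdict: the authentication outcome is reported, not trusted."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    reasons = []
    if any(t in text for t in LURE_TERMS):
        reasons.append("notification-style lure wording")
    if any(h in LANDING_HOSTS for h in hosts):
        reasons.append("link to tenant-controlled Google storage, not a Google product page")
    # A fully authenticated sender does not lower the score: that is the whole point.
    verdict = "hold for review" if len(reasons) == 2 else "deliver"
    return {"authenticated": authenticated, "verdict": verdict,
            "reasons": reasons, "hosts": hosts}
```

Run against the sample, the message is fully authenticated yet still held, which is the outcome a reputation-only gateway would miss.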
The campaign also highlights why multi-factor authentication remains essential. Even when credentials are stolen, MFA provides a backstop. Attackers are, however, increasingly deploying real-time phishing proxies that can capture MFA tokens too, so MFA alone isn't sufficient for high-value accounts.
Looking Ahead
Expect more campaigns like this one. Any SaaS platform with email-sending capabilities is a potential vector. Attackers have learned that borrowed legitimacy from trusted vendors beats building their own infrastructure.
The security industry spent years convincing organizations to implement DMARC and related protocols. Those protocols work as designed. But threat actors adapted, and now the emails bypassing your gateway might be coming from the most trusted names in tech.
For security teams, the takeaway is clear: sender reputation was never sufficient on its own, and it's becoming less reliable by the day.