Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign
These articles are AI-generated summaries. Please check the original sources for full details.
Cybersecurity researchers recently uncovered a sophisticated phishing campaign leveraging Google Cloud Application Integration to send deceptive emails. Attackers sent 9,394 phishing emails to approximately 3,200 customers in December 2025, exploiting the trust associated with Google domains to bypass security filters.
Why This Matters
Current email security models often rely on domain reputation and authentication protocols like DMARC and SPF, but these checks are ineffective when the sending domain is legitimately owned by a trusted provider like Google: the message authenticates correctly and inherits the domain's reputation. This campaign highlights the growing trend of attackers abusing legitimate cloud services to deliver malicious payloads, which increases the success rate of phishing attacks and can lead to significant data breaches and financial losses for targeted organizations. The scale of this attack demonstrates a clear gap in current detection capabilities.
Key Insights
- 9,394 phishing emails sent: Attackers successfully delivered nearly ten thousand emails from legitimate Google domains in a 14-day period (December 2025).
- Application Integration Abuse: Attackers exploited the “Send Email” task within Google Cloud Application Integration, bypassing recipient limits through strategic configuration.
- Multi-Stage Redirection: The attack chain utilizes Google Cloud Storage and googleusercontent.com to mask malicious links and evade automated security scans.
Practical Applications
- Use Case: Manufacturing, technology, financial, and professional services organizations are prime targets due to their reliance on automated notifications and shared documents.
- Pitfall: Over-reliance on domain reputation and SPF/DMARC checks without considering the potential for abuse of legitimate cloud services can lead to successful phishing attacks.
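The pitfall above can be turned into a triage rule: a message that passes SPF and DMARC but links to user-controlled content on Google hosting is routed for link inspection instead of being trusted on authentication alone. This is an added example, not code from the original report; the host list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Google-owned hosts where arbitrary users can publish content (assumed list:
# two Cloud Storage endpoints plus googleusercontent.com, which the article names).
USER_CONTENT_SUFFIXES = ("storage.googleapis.com", "storage.cloud.google.com",
                         "googleusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def auth_passed(msg):
    """True when Authentication-Results reports both spf=pass and dmarc=pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dmarc=pass" in results

def hosted_links(msg):
    """Return body URLs whose host is, or is a subdomain of, a listed suffix."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = (urlsplit(url).hostname or "").lower()
            if any(host == s or host.endswith("." + s) for s in USER_CONTENT_SUFFIXES):
                links.append(url)
    return links

def triage(raw):
    """Authentication passing is not a verdict: hosted links still get inspected."""
    msg = message_from_string(raw)
    links = hosted_links(msg)
    if auth_passed(msg) and links:
        return ("inspect", links)
    return ("no-rule-match", links)

def sample_message(link):
    """Constructed message with placeholder addresses, not real campaign traffic."""
    return (
        "From: noreply@google-owned-domain.example\n"
        "To: user@recipient.example\n"
        "Subject: Shared document\n"
        "Authentication-Results: mx.recipient.example; spf=pass; dmarc=pass\n"
        "Content-Type: text/plain; charset=utf-8\n\n"
        f"View the document: {link}\n"
    )

if __name__ == "__main__":
    print(triage(sample_message("https://storage.googleapis.com/example-bucket/view.html")))
```

An "inspect" result is a signal to detonate or rewrite the link, not a block decision, since legitimate mail also links to these hosts.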