Phishing campaign exploits Google Cloud email infrastructure
In December 2025, threat actors carried out a large-scale, sophisticated phishing campaign that abused Google’s legitimate cloud infrastructure,...
3 min read
Farah Amod
June 12, 2026
A campaign routing victims through Google Meet, Google Search, and Google Ads before landing on a Microsoft 365 credential-harvesting page leaves email scanners with nothing suspicious to flag at any step.
Researchers have identified an active phishing campaign that routes victims through three successive Google-owned domains before delivering them to an attacker-controlled credential-harvesting page. The chain exploits the trust that email security tools place in Google's infrastructure: every redirect hop passes reputation checks. According to CyberSecurityNews, the link passes through Google Meet's link redirect service, then through google.com/url, then through Google's ad service domain, before landing on the phishing page. Secure email gateways that inspect each hop in the chain see only Google domains and assign each a clean reputation score. The malicious destination stays invisible to automated scanning until a human clicks through. Lures observed in the campaign include FedEx delivery updates, DocuSign document requests, Microsoft 365 password expiry alerts, and payment remittance notifications, all designed to prompt immediate action.
The campaign splits into two attack paths depending on which lure the victim receives. The first delivers a pixel-perfect Microsoft 365 sign-in page with the victim's email address pre-populated, reducing the suspicion a blank form might generate and capturing credentials directly. The second presents a fake OneDrive shared document that displays a Microsoft device authentication code. That code belongs to a device authorization request the attacker has already started; if the victim enters it into Microsoft's legitimate device login portal and signs in there, Microsoft issues the resulting OAuth tokens to the attacker's request, and the attacker gains access to the account without ever obtaining the victim's password or MFA code. Researchers described the technique as a "Nested Delivery Matrix": a URL that passes through trusted infrastructure at every inspection point while keeping the final destination out of reach of any automated scanner until the victim completes the click chain.
Researchers stated in their analysis shared with CyberSecurityNews that the campaign exploits a fundamental gap between "what a machine sees and what a human experiences," noting that "secure email gateways inspect each hop in this chain and find nothing suspicious because every domain they check belongs to Google." Researchers recommended that organizations treat any email containing nested redirect chains, even those passing through trusted domains, with heightened scrutiny, and urged security teams to watch for pre-populated login forms on unexpected sign-in pages.
Chaining trusted platforms to obscure phishing destinations has been a documented trend throughout 2025 and 2026. According to The Hacker News, a campaign documented in July 2025 combined legitimate Proofpoint link-wrapping infrastructure with Cloudflare redirects and URL shorteners to create a multi-layer redirect chain that similarly evaded detection at each hop. The technique has since expanded to incorporate Google, Microsoft, and other major platform domains, with each iteration adding one more layer of trusted infrastructure between the email gateway's inspection point and the attacker's final destination. The Register's March 2026 reporting on Microsoft OAuth redirect abuse documented attackers using Microsoft's own OAuth authentication pages as redirect entry points for phishing-as-a-service platforms, following the same underlying logic.
Healthcare organizations that rely on email security tools configured to trust major platform domains face a blind spot that this campaign exploits directly. A security gateway that allows Google domains through without deeper inspection will pass every link in this chain without complaint. The device code phishing payload at the end of the chain is particularly relevant for healthcare, where Microsoft 365 is used by approximately 79% of organizations, according to Paubox's 2026 Healthcare Email Security Report, and where a compromised Microsoft account provides access to patient scheduling, billing, referrals, and internal communications simultaneously. The FBI issued a warning about Kali365, another device-code phishing platform, just days before this campaign was documented, confirming that device-code phishing has become a standard payload category rather than a novel technique.
Reputation-based email security gateways judge a link by the domain it points to. A link to a Google domain receives a clean score. If that Google URL redirects to another Google domain, which in turn redirects to a third, each hop passes the same check. The attacker-controlled destination is reached only after the victim clicks, by which point the gateway has already delivered the message.
The campaign uses two attack paths. The first captures credentials directly through a fake Microsoft 365 login page. The second uses device code phishing: the victim is shown a Microsoft device code that the attacker generated and is instructed to enter it on Microsoft's real device login portal. Completing sign-in there hands the attacker a valid OAuth token, without the attacker ever needing the victim's password or MFA code.
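The device-code path described in the two paragraphs above comes down to who holds which half of the OAuth 2.0 device authorization grant (RFC 8628). The simulation below is an added example, not code from the article or from Microsoft: the identity provider, client ID, scopes and user names are constructed stand-ins so the exchange runs offline. It shows the attacker starting the grant, the victim approving it at the genuine portal with password and MFA, and the attacker collecting the tokens by polling with the device_code only it knows. A `device_code_blocked` switch on the stand-in server models a policy that refuses the flow.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628)
as abused by device-code phishing. Added example, not code from the article or
from Microsoft; the identity provider, client ID, scopes and users below are
constructed stand-ins so the exchange runs without a network."""
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeviceGrant:
    device_code: str            # long secret known only to the client that started the flow
    user_code: str              # short code a human types at the verification URL
    client_id: str
    scope: str
    user: Optional[str] = None  # filled in when a human approves at the real portal
    expires_at: float = field(default_factory=lambda: time.time() + 900)


class AuthServer:
    """Stand-in for the identity provider (Entra ID in the real campaign)."""

    def __init__(self, device_code_blocked: bool = False):
        # Models a Conditional Access policy that blocks the device code flow.
        self.device_code_blocked = device_code_blocked
        self.grants: dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: anyone can start a grant; no user is involved yet."""
        alphabet = string.ascii_uppercase + string.digits
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(alphabet) for _ in range(9)),
            client_id=client_id,
            scope=scope,
        )
        self.grants[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://idp.example/devicelogin", "interval": 5}

    def approve(self, user_code: str, user: str, mfa_passed: bool) -> bool:
        """The victim types the code at the REAL portal and signs in there with
        password and MFA. Those credentials go to the IdP, never to the attacker."""
        grant = self.grants.get(user_code.replace(" ", "").upper())
        if grant is None or time.time() > grant.expires_at or not mfa_passed:
            return False
        if self.device_code_blocked:
            return False  # policy stops the flow at the point the human would approve
        grant.user = user
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        """POST /token with grant_type=device_code, polled by the attacker."""
        for grant in self.grants.values():
            if grant.device_code == device_code and grant.client_id == client_id:
                if grant.user is None:
                    return {"error": "authorization_pending"}
                return {"access_token": "at-" + secrets.token_hex(8),
                        "refresh_token": "rt-" + secrets.token_hex(8),
                        "sub": grant.user, "scope": grant.scope}
        return {"error": "invalid_grant"}


def run_device_code_phish(idp: AuthServer, victim: str, victim_completes: bool = True) -> dict:
    """Attacker's side of the exchange. Returns the final token-endpoint response."""
    client_id = "client-id-chosen-by-attacker"  # constructed placeholder
    grant = idp.device_authorization(client_id, "Mail.Read Files.Read offline_access")
    # 1. The fake OneDrive page shows grant["user_code"] next to the genuine verification URL.
    if victim_completes:
        # 2. Victim signs in on the genuine portal; the attacker sees no password and no MFA code.
        idp.approve(grant["user_code"], victim, mfa_passed=True)
    # 3. Attacker polls with the device_code it received in the first request.
    return idp.token(grant["device_code"], client_id)


if __name__ == "__main__":
    print(run_device_code_phish(AuthServer(), "alice@hospital.example"))
    print(run_device_code_phish(AuthServer(device_code_blocked=True), "alice@hospital.example"))
```

The first call returns access and refresh tokens bound to the victim; the second, with the flow blocked, never gets past `authorization_pending`. Nothing in the attacker's path ever touches the victim's password, which is why this payload survives MFA.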
An empty login form prompts users to question its origin. A form that already contains their correct email address implies the site knows who they are, lending it legitimacy and reducing the scrutiny they apply before entering their password. Attackers obtain the email address from the phishing lure itself, which was sent to that address.
Microsoft's Conditional Access includes an Authentication Flows condition that can block the device code flow for users who do not need it for legitimate IoT or printer sign-ins. Restricting this flow to an explicitly excluded group of approved accounts, after a report-only run to identify who actually uses it, removes the mechanism the second attack path depends on.
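As an added example of the control described above (not code from the article or from Microsoft), the script below builds the Conditional Access policy body for the Microsoft Graph API, checks that it really targets the device code flow with a block, and optionally creates it. The body follows the Graph `conditionalAccessPolicy` schema with `conditions.authenticationFlows.transferMethods`; verify the field names against current Graph documentation before relying on them. The group ID is a placeholder for the group of approved device-code users, and `GRAPH_TOKEN` is assumed to hold a bearer token with `Policy.ReadWrite.ConditionalAccess`.

```python
"""Entra ID Conditional Access policy that blocks the device code flow for all
users except an excluded group of legitimate device-code users. Added example,
not from the article or from Microsoft; the request body follows the Microsoft
Graph conditionalAccessPolicy schema (conditions.authenticationFlows.transferMethods),
which should be checked against current Graph documentation before use. The
group ID is a placeholder and GRAPH_TOKEN is assumed to carry a bearer token
with Policy.ReadWrite.ConditionalAccess."""
import json
import os
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def block_device_code_policy(exclude_group_ids, report_only=True):
    """Build the policy body. Start in report-only mode so the sign-in logs
    reveal any printer, kiosk or IoT account that genuinely uses device code."""
    return {
        "displayName": "Block device code flow (except approved device accounts)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_device_code(policy):
    """Pre-flight check: does the policy both target device code and block it?
    Catches targeting the wrong flow, or granting (e.g. requiring MFA) instead of blocking."""
    conditions = policy.get("conditions", {})
    methods = conditions.get("authenticationFlows", {}).get("transferMethods", "")
    targets_flow = "deviceCodeFlow" in [m.strip() for m in methods.split(",")]
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    all_users = conditions.get("users", {}).get("includeUsers") == ["All"]
    return targets_flow and blocks and all_users


def create_policy(policy, token):
    """POST the policy to Graph; returns the created object, including its id."""
    req = urllib.request.Request(
        GRAPH_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder group ID: the group holding approved device-code accounts.
    policy = block_device_code_policy(["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(policy, indent=2))
    token = os.environ.get("GRAPH_TOKEN")
    if token and blocks_device_code(policy):
        print("created:", create_policy(policy, token)["id"])
```

Run it without `GRAPH_TOKEN` to print and review the body; with the token set it creates the policy in report-only mode, which is the state to keep until the sign-in logs show who would have been blocked. Keep break-glass accounts in the excluded group, as with any blocking policy scoped to all users.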
Tools that follow redirect chains to their final destination rather than stopping at the first hop are more effective against this technique. Organizations should also enable sandboxed URL analysis that detonates links in a controlled environment before delivery, and configure alerts for emails containing multiple sequential redirects through different domains, regardless of each domain's reputation.
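The reputation gap explained earlier (a gateway scores only the domain a link points to) and the recommendation here to follow chains to their final destination can both be shown with one static unwrapper. This is an added example, not the article's code and not any vendor's product logic. Because each Google redirector in the described chain carries its onward URL in a query parameter, the chain can be unwrapped without fetching anything. The redirector table (which host and path act as a redirector and which parameter holds the destination) and the trusted-domain list are assumptions to verify against live behaviour; the sample lure link is constructed.

```python
"""Static unwrapping of a nested redirect chain of the kind described above,
judged by its final destination instead of its first hop. Added example; not
the article's code and not any vendor's product logic. The redirector table
(which host and path act as a redirector, and which query parameter carries
the onward URL) and the trusted-domain list are assumptions to verify; the
sample chain is constructed."""
from urllib.parse import parse_qs, quote, urlsplit

# Redirectors the chain passes through and the parameter holding the destination (assumed).
REDIRECTORS = {
    "meet.google.com": ("/linkredirect", ("dest",)),
    "www.google.com": ("/url", ("q", "url")),
    "google.com": ("/url", ("q", "url")),
    "www.googleadservices.com": ("/pagead/aclk", ("adurl",)),
}
# What a reputation-only gateway would allow-list (assumed).
TRUSTED_DOMAINS = ("google.com", "googleadservices.com")


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def next_hop(url: str):
    """Where a known redirector would send the browser next, or None."""
    parts = urlsplit(url)
    rule = REDIRECTORS.get(parts.hostname or "")
    if rule is None or not parts.path.startswith(rule[0]):
        return None
    query = parse_qs(parts.query)  # percent-decodes exactly one layer
    for param in rule[1]:
        for value in query.get(param, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_chain(url: str, max_hops: int = 10) -> list:
    """Every URL in the chain, first hop to final destination, no network needed."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain


def assess(url: str) -> dict:
    """Compare the verdict of a first-hop-only check with one that follows the chain."""
    hosts = [urlsplit(u).hostname or "" for u in unwrap_chain(url)]
    first_hop_only = "clean" if is_trusted(hosts[0]) else "suspicious"
    if not is_trusted(hosts[-1]):
        full_chain = "suspicious"  # trusted hops, untrusted destination
    elif len(hosts) > 2:
        full_chain = "review"      # several nested redirects, all trusted: still unusual
    else:
        full_chain = "clean"
    return {"hops": hosts, "first_hop_only": first_hop_only, "full_chain": full_chain}


def build_sample_chain(destination: str) -> str:
    """Constructed lure link: Meet redirect -> google.com/url -> ad click -> destination."""
    ad = "https://www.googleadservices.com/pagead/aclk?sa=L&adurl=" + quote(destination, safe="")
    search = "https://www.google.com/url?q=" + quote(ad, safe="")
    return "https://meet.google.com/linkredirect?authuser=0&dest=" + quote(search, safe="")


if __name__ == "__main__":
    lure = build_sample_chain("https://login-m365.example/?u=alice%40hospital.example")
    print(assess(lure))
```

For the constructed lure, `first_hop_only` comes back `clean` while `full_chain` comes back `suspicious`, which is the whole gap the campaign lives in. The `review` verdict for long all-trusted chains matches the advice to alert on multiple sequential redirects regardless of each domain's reputation. Redirectors that resolve the destination server-side (a shortener, for example) cannot be unwrapped statically and need the sandboxed detonation the paragraph above mentions.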