Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Google Tasks notifications abused in phishing campaign

Written by Tshedimoso Makhene | January 5, 2026

Researchers have identified a new campaign that exploits Google's legitimate email infrastructure to send convincing phishing messages. This tactic enables attackers to evade traditional security measures and deceive users into revealing their credentials.

 

What happened

According to Cybersecurity News, a new phishing campaign was launched in December 2025 targeting over 3000 organizations worldwide, especially in the manufacturing sector. The attackers sent emails that appeared to come from Google, tricking recipients into clicking on fake Google Tasks notifications.

 

Going deeper

The phishing campaign abuses Google Tasks notifications and leverages Google’s legitimate email infrastructure to send phishing emails appearing to come from the official address noreply-application-integration@google.com. Since these emails come from a trusted Google-owned domain, they successfully bypass common email security protocols such as SPF, DKIM, and DMARC, which are designed to detect spoofed or fraudulent emails. This allows the phishing messages to bypass traditional email filters and appear authentic to both recipients and security systems.

The deceptive emails mimic legitimate Google Tasks alerts, using familiar language and prompts such as “View task” or “Mark complete” to encourage user interaction. When recipients click on these prompts, they are redirected through a Google Cloud Storage URL to fake login pages designed to resemble popular authentication portals. Here, the victims are prompted to enter their credentials, thereby exposing sensitive account information to the attackers.

Researchers have also documented similar campaigns that exploit Google Classroom, Google Forms, and AppSheet to harvest credentials.

 

The bigger picture

The discovery of this phishing campaign indicates a dangerous evolution in phishing tactics, with cybercriminals moving away from obvious fake emails toward exploiting trusted, legitimate cloud platforms that trick both users and security systems. In September 2025, a phishing campaign used GitHub’s own notification system to trick developers into giving up credentials. Hackers used the company’s legitimate email notification system to distribute malicious payloads. These types of new tactics now:

  • Produce a higher success rate: Messages from verified Google domains carry inherent trust and are more likely to be opened. 
  • Bypass security features: Standard security protocols such as SPF and DMARC are rendered ineffective when the attacker uses legitimate infrastructure. 
  • Produce broader implications: As more enterprises adopt cloud tools and automated workflows, attackers could target more workflow automation services as a delivery vector for phishing and credential theft.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

 

FAQS

Was Google hacked?

No. There is no evidence that Google’s systems were breached. The attackers abused legitimate Google services rather than exploiting a vulnerability in Google’s infrastructure.

 

What information are attackers trying to steal?

The goal of the campaign is to harvest login credentials, which can then be used for account takeover, data theft, or further attacks.
View full post