
Phishing campaign abuses Google Cloud Storage to host malicious redirects

Attackers are using trusted cloud infrastructure to hide phishing activity behind legitimate domains.

What happened

Researchers uncovered a phishing campaign that uses Google Cloud Storage to host redirect pages that send victims to external malicious sites. According to CyberPress, phishing emails contain links hosted under the domain storage.googleapis.com, which appears trustworthy because it belongs to Google’s cloud platform. Attackers created a cloud storage bucket called whilewait and uploaded a script-based HTML page named comessuccess.html. When victims click the link, the page automatically redirects their browser to a separate malicious site used for activities such as credit card theft or malware delivery. Hosting the redirect on Google’s infrastructure helps the campaign bypass security filters because the domain is widely trusted and commonly used for legitimate cloud services.

Going deeper

The attack uses a simple, effective infrastructure setup. A Google Cloud Storage bucket, which is a cloud file hosting service operated by Google, serves as the initial landing page, where a hosted HTML webpage acts as a gatekeeper that redirects visitors to the final phishing or malware site. Because the first stage uses a legitimate Google domain, email security systems that rely on domain reputation may treat the link as safe. Social engineering, which refers to psychological manipulation used to trick users into taking harmful actions, plays a central part in getting victims to click the link. Observed phishing emails use several themes to create urgency or curiosity, including warnings about cloud storage limits, antivirus threats, and promotional offers tied to well-known retail brands, while some campaigns promote lifestyle or health content to attract a broader range of victims. The redirect chain ultimately leads users to credential or payment harvesting pages designed to collect login details or financial information for fraud.

What was said

Researchers analysing the campaign said the technique works because it abuses trust in widely used cloud services rather than relying on newly created phishing websites. The report found that a malicious page hosted on Google Cloud Storage acts as a “gatekeeper,” meaning it first receives the victim’s click and then redirects them to a separate phishing site that steals credentials.

In the know

Threat actors are exploiting legitimate cloud platforms such as Microsoft Azure, Google Firebase, Amazon Web Services, and Cloudflare to host advanced phishing toolkits targeting enterprise users. According to Hackread, the campaigns use adversary-in-the-middle phishing kits that act as proxies between victims and real login pages, allowing attackers to capture credentials and bypass multifactor authentication. Hosting the infrastructure on trusted cloud services provides attackers with legitimate IP addresses and HTTPS encryption, making the activity harder for traditional security systems to block. The activity has been linked to phishing kits such as Tycoon2FA, Sneaky2FA, and EvilProxy, which filter for corporate email accounts and carry out multi-step attacks that hijack user sessions and steal login credentials. Meanwhile, Cyber Press reported that infrastructure linked to Chinese hosting networks operated more than 18,000 active command and control servers across 48 cloud providers. Command and control servers are systems that attackers use to remotely manage compromised devices and receive stolen data. Because the phishing infrastructure runs inside the same cloud environments organizations rely on for email and business applications, login traffic can appear legitimate, forcing defenders to focus on detecting suspicious login behavior and session activity rather than blocking IP addresses alone.

The big picture

Researchers say phishing groups are using trusted cloud platforms to distribute malicious emails, a tactic Paubox calls “inherited trust” abuse. In its report, The top 3 healthcare email attacks in 2025, Paubox said attackers are sending phishing messages through legitimate infrastructure, including Google-hosted services, allowing emails to originate from high-reputation internet addresses with valid security certificates and bypass traditional filters. Hoala Greevy, CEO of Paubox, described the trend as “deception at scale,” where organized campaigns imitate trusted brands and target large numbers of users. To address these adversary-in-the-middle attacks, where attackers secretly position themselves between sender and recipient to manipulate communication, Paubox’s ExecProtect+ uses AI-driven detection to spot unusual sender behavior and block phishing emails before they reach staff inboxes, reducing reliance on employees, who currently report only about 5% of phishing attempts.

FAQs

Why do attackers use Google Cloud Storage for phishing infrastructure?

Trusted cloud domains such as storage.googleapis.com appear legitimate to both users and security systems, helping attackers bypass reputation-based filtering and increase the likelihood that links will be opened.

What is a redirect chain in phishing attacks?

A redirect chain occurs when a user first lands on an intermediate page that automatically forwards them to another site, often hiding the final malicious destination from security scanners.

Why do phishing emails use different themes like security alerts or retail offers?

Attackers vary the messaging to target different psychological triggers such as urgency, fear, curiosity, or reward incentives, increasing the chances that recipients will click the link.

How can organizations detect trusted platform phishing?

Security teams can analyze redirect paths, monitor unusual cloud storage links in emails, and inspect sender metadata rather than relying solely on domain reputation.
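As an added example (not from the report or from Paubox), the two checks this answer and the redirect-chain description above call for, in Python: flag storage.googleapis.com links in an email body and pull out the bucket and object names, then, given the HTML a security scanner has fetched from such a link, list the meta-refresh and script redirects that leave the hosting domain. The sample email and page are constructed; the redirect destination domain is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GCS_HOST = "storage.googleapis.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)
# Matches location = "...", location.href = "...", location.replace("..."), location.assign("...")
JS_REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)")

def find_gcs_links(email_body):
    """Return (url, bucket, object) for every path-style storage.googleapis.com link in an email body."""
    hits = []
    for url in URL_RE.findall(email_body):
        p = urlparse(url)
        if p.hostname == GCS_HOST:
            bucket, _, obj = p.path.lstrip("/").partition("/")   # /bucket/object
            hits.append((url, bucket, obj))
    return hits

class _RedirectFinder(HTMLParser):
    """Collect redirect targets from <meta http-equiv="refresh"> tags and inline script location writes."""
    def __init__(self):
        super().__init__()
        self.targets, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content") or "")
            if m:
                self.targets.append(m.group(1))
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.targets += [g1 or g2 for g1, g2 in JS_REDIRECT_RE.findall(data)]

def external_redirect_targets(html, hosting_host=GCS_HOST):
    """Redirect destinations that leave the hosting domain (document order, deduplicated)."""
    finder = _RedirectFinder()
    finder.feed(html)
    offsite = [t for t in finder.targets if (urlparse(t).hostname or hosting_host) != hosting_host]
    return list(dict.fromkeys(offsite))

# Constructed samples: bucket and object names are the ones the report cites; the destination domain is a placeholder.
SAMPLE_EMAIL = "Your cloud storage is almost full. Review now: https://storage.googleapis.com/whilewait/comessuccess.html"
SAMPLE_PAGE = ('<html><head><meta http-equiv="refresh" content="0; url=https://redirect-target.example/login">'
               '<script>window.location.href = "https://redirect-target.example/login";</script></head></html>')
```

Relative redirects (no hostname) stay on the hosting domain and are not reported, so only the hop that leaves storage.googleapis.com surfaces.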

What should users do if they encounter suspicious Google Cloud Storage links?

Users should avoid clicking unfamiliar links, verify the sender’s address, and report suspected abuse to the relevant platform or organizational security team so the malicious infrastructure can be removed.
