In December 2025, threat actors carried out a large-scale, sophisticated phishing campaign that abused Google’s legitimate cloud infrastructure, rather than relying on spoofed domains or forged email headers, according to The Hacker News.
What happened
The attackers used Google Cloud Application Integration to send phishing emails directly from Google’s own systems, so the messages originated from the legitimate address noreply-application-integration@google.com.
Because the emails were genuinely sent by Google, they passed every standard authentication check, including SPF, DKIM, DMARC, and CompAuth, and so bypassed traditional email security gateways that rely on domain reputation and sender trust. The campaign primarily targeted the manufacturing sector, reaching more than 3,000 organizations worldwide.
The phishing emails impersonated Google Tasks notifications, presenting recipients with what appeared to be an internal ‘All Employees Task’ that requested urgent employee verification. Victims were prompted to click buttons labeled ‘View task’ or ‘Mark complete,’ which redirected them to phishing pages hosted on Google Cloud Storage under trusted domains such as storage.cloud.google.com.
These pages closely replicated genuine Google Tasks branding, including familiar interface elements, footer text, and authentic-looking calls to action, making the attack difficult for users to distinguish from real Google workflows. The campaign was identified by spotting contextual mismatches: the unusual use of Google Tasks for HR verification, and Cloud Storage URLs that are inconsistent with legitimate Google Tasks behavior.
In the know
This type of attack is sometimes called trusted-platform phishing or workflow-abuse phishing. Importantly, it is not domain spoofing, email header forgery, or a compromise of Google systems. Another clear example occurred in July 2025, when cybersecurity researchers uncovered a phishing scheme that abused Google Forms to target cryptocurrency users.
In that incident, attackers created a fake Google Form and manually submitted victims’ email addresses to trigger legitimate Google notification emails about form responses. Because these notifications originated from Google’s domain and servers, they routinely landed in inboxes and bypassed traditional spam filters.
The phishing messages informed recipients that they had a pending payment requiring finalization and included a link that, when clicked, directed users to counterfeit cryptocurrency exchange websites where the victims were manipulated into interacting with bogus interfaces and ultimately tricked into sending funds to scammers.
The technique leverages the trust placed in Google’s infrastructure: recipients see a notification from Google Forms, assume it is authentic, and engage with it without suspicion, which enables credential harvesting or financial loss without any domain spoofing or technical compromise of Google systems.
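Both the Google Tasks campaign and the Google Forms scheme share the same defender-side signal: the message passes SPF, DKIM and DMARC because Google really sent it, yet its links point somewhere the impersonated product never links to, or its sender is a Google automation address rather than the product itself. The following script is an added example (not code from the article or from Google) that applies those contextual checks to raw messages. The sample messages, the placeholder sender addresses, and the `EXPECTED_LINK_HOSTS` map of which hosts a genuine notification links to are constructed assumptions for illustration; the automation sender and the storage.cloud.google.com host come from the article.

```python
"""Flag trusted-platform phishing: mail that legitimately passes authentication but
whose content contradicts the product it imitates. Added example; all samples below
are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts a genuine notification from each product would link to.
EXPECTED_LINK_HOSTS = {
    "google tasks": {"tasks.google.com"},
    "google forms": {"docs.google.com", "forms.gle"},
}
# Automation sender abused in the Tasks campaign (from the article).
AUTOMATION_SENDERS = {"noreply-application-integration@google.com"}
# User-controllable hosting that should never appear in a Tasks/Forms notice.
USER_HOSTED = {"storage.cloud.google.com", "storage.googleapis.com"}
HR_LURE_RE = re.compile(r"all employees|employee verification", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def auth_passed(msg):
    """True when the receiving MTA recorded spf, dkim and dmarc as pass."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def impersonated_product(text):
    """Which Google product the subject/body claims to be from, if any."""
    for product in EXPECTED_LINK_HOSTS:
        if product in text:
            return product
    return None


def analyze(raw):
    """Return an authentication result plus contextual findings for one message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    product = impersonated_product(text)
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_HOSTED:
            findings.append(f"link to user-controlled cloud storage: {host}")
        elif product and host not in EXPECTED_LINK_HOSTS[product]:
            findings.append(f"{product} notice links to unexpected host: {host}")
    if product and sender in AUTOMATION_SENDERS:
        findings.append(f"{product} branding sent via automation sender {sender}")
    if product == "google tasks" and HR_LURE_RE.search(text):
        findings.append("tasks notification used for HR/identity verification")
    return {
        "sender": sender,
        "auth_passed": auth_passed(msg),
        "product": product,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


# Constructed sample resembling the Tasks lure described in the article.
SAMPLE_TASKS_LURE = """\
From: Google Tasks <noreply-application-integration@google.com>
To: staff@example.com
Subject: All Employees Task: urgent employee verification
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com

You have a new Google Tasks assignment.
View task: https://storage.cloud.google.com/constructed-bucket/verify.html
Mark complete: https://storage.cloud.google.com/constructed-bucket/done.html
"""

# Constructed sample resembling the Forms-notification lure; sender is a placeholder.
SAMPLE_FORMS_LURE = """\
From: Google Forms <placeholder-forms-sender@google.com>
To: trader@example.com
Subject: New response received
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com

Your response has been recorded in Google Forms.
A payment is pending finalization: https://exchange-login.invalid/finalize
"""

# Constructed benign notification; sender is a placeholder.
SAMPLE_BENIGN = """\
From: Google Tasks <placeholder-tasks-sender@google.com>
To: staff@example.com
Subject: Task reminder
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com

Open in Google Tasks: https://tasks.google.com/
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TASKS_LURE, SAMPLE_FORMS_LURE, SAMPLE_BENIGN):
        print(analyze(sample))
```

The point of the output is that `auth_passed` is true for all three messages; only the contextual findings separate the lures from the benign reminder, which is why a gateway that stops at SPF/DKIM/DMARC cannot catch this class of mail.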
The big picture
In another incident related to Salesloft Drift, the threat actor tracked as UNC6395 exploited trusted OAuth-based third-party integrations between Salesforce, Salesloft Drift, and Google Workspace. Rather than compromising Google Workspace or Salesforce directly, the attacker obtained valid OAuth tokens associated with the Drift integration and used them to access data and, in a limited number of cases, read email from Google Workspace accounts that had explicitly enabled the integration.
Compared side by side, these attacks exploit trusted cloud relationships and legitimate authentication mechanisms rather than technical vulnerabilities or direct platform compromises. In each campaign, attackers operated entirely within approved and expected SaaS workflows, so malicious activity appeared legitimate to security controls. Together they show how connected SaaS ecosystems expand the attack surface.
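The Drift incident turned on tokens that users had legitimately granted, so the defensive counterpart is a periodic review of which third-party OAuth grants in the tenant could read mail or bulk data if their tokens were stolen. The script below is an added example (not code from the article, Google, Salesforce or Salesloft) that reviews such grants. The records are constructed and only mirror the field names of the Google Workspace Directory API `tokens` resource (`clientId`, `displayText`, `scopes`, `userKey`); the client IDs, app names, and the approved-integration list are assumptions for illustration, while the scope URLs are real Google API scopes.

```python
"""Review third-party OAuth grants for the access a stolen token would give.
Added example; the token records below are constructed."""

# Real Google API scopes that allow reading a user's mailbox.
MAIL_READ_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",
}
# Real Google API scopes that allow reading Drive content in bulk.
BULK_DATA_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive",
}


def grant_risk(token, approved_clients):
    """Reasons this one grant deserves attention; empty list means nothing to flag."""
    reasons = []
    scopes = set(token["scopes"])
    if scopes & MAIL_READ_SCOPES:
        reasons.append("can read mailbox")
    if scopes & BULK_DATA_SCOPES:
        reasons.append("can read Drive/bulk data")
    if token["clientId"] not in approved_clients:
        reasons.append("client not on approved-integration list")
    return reasons


def review_grants(tokens, approved_clients):
    """Group flagged grants by client so one app's exposure is visible at a glance."""
    report = {}
    for token in tokens:
        reasons = grant_risk(token, approved_clients)
        if not reasons:
            continue
        entry = report.setdefault(
            token["clientId"], {"app": token["displayText"], "users": [], "reasons": set()}
        )
        entry["users"].append(token["userKey"])
        entry["reasons"].update(reasons)
    return report


def mailbox_blast_radius(tokens, client_id):
    """Distinct mailboxes reachable if every token for this client were stolen."""
    return len({
        t["userKey"] for t in tokens
        if t["clientId"] == client_id and set(t["scopes"]) & MAIL_READ_SCOPES
    })


# Constructed records (assumed client IDs and app names).
SAMPLE_TOKENS = [
    {"clientId": "client-a.example", "displayText": "Chat connector (constructed)",
     "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "client-a.example", "displayText": "Chat connector (constructed)",
     "userKey": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"clientId": "client-b.example", "displayText": "Room booking (constructed)",
     "userKey": "carol@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "client-c.example", "displayText": "Unknown sync tool (constructed)",
     "userKey": "dave@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
]
# Assumption: integrations the organization has formally approved.
APPROVED_CLIENTS = {"client-a.example", "client-b.example"}

if __name__ == "__main__":
    for client, entry in review_grants(SAMPLE_TOKENS, APPROVED_CLIENTS).items():
        print(client, entry["app"], sorted(entry["reasons"]), entry["users"])
    print("mailboxes exposed via client-a:", mailbox_blast_radius(SAMPLE_TOKENS, "client-a.example"))
```

Note that the approved connector is still flagged: approval decides whether an integration may exist, while the scope review decides how much a compromise of that integration would expose, and the Drift case shows those are separate questions.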
FAQs
What is SaaS?
SaaS is a software delivery model where applications are hosted in the cloud and accessed over the internet rather than installed locally.
Why is SaaS attractive to attackers?
SaaS platforms are attractive targets because they are widely trusted, highly interconnected, and often integrated with sensitive business workflows.
What is SaaS phishing?
SaaS phishing is a technique where attackers abuse legitimate cloud applications or notifications to deliver malicious links or requests.