Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Phishing campaign impersonates Google support to steal login credentials

Written by Farah Amod | January 21, 2026

Researchers warn that attackers are abusing trusted Google infrastructure to bypass traditional email defenses.

 

What happened

Cybersecurity researchers have identified a phishing campaign that impersonates Google support staff to trick users into sharing account credentials. According to reporting by Cyber Security News, attackers initiate contact by phone, referencing suspicious account activity, then follow up with emails that appear to originate from legitimate Google services. The messages direct victims to links hosted on Google Cloud infrastructure, making them appear authentic and difficult to block using standard email authentication controls.

 

Going deeper

The campaign relies on a layered approach that combines phone-based social engineering with trusted cloud hosting. Victims receive calls that create urgency around supposed security concerns, then are directed to review messages sent from Google-related domains. When they click the links, they land on pages hosted within Google Cloud Storage, a location that lets the pages pass many reputation-based security checks. Fake CAPTCHA screens block automated scanning tools while allowing real users to continue. After verification, victims are redirected to pages that imitate Google or Microsoft login portals, where their credentials are captured. Researchers documented thousands of these emails in late 2025, targeting businesses across multiple regions.

 

What was said

Security analysts stressed that legitimate cloud providers do not initiate contact to request passwords or direct users to external verification pages. They warned that attackers are deliberately abusing trusted infrastructure instead of registering obvious lookalike domains. Experts recommended that users avoid clicking links in unsolicited communications and instead access service portals directly through known bookmarks. Organizations were advised to enforce multi-factor authentication, restrict login locations, and provide training focused on modern impersonation tactics that use legitimate platforms.

 

In the know

In related news, another phishing campaign uncovered in late 2025 shows attackers using Google’s own cloud services to deliver credential theft at scale. According to The Hacker News, the operation abused Google Cloud’s Application Integration service to send phishing emails from a legitimate Google address, “noreply-application-integration@google[.]com,” thereby bypassing traditional email security checks. The emails were crafted to resemble routine enterprise notifications, with researchers noting that “the emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients.” Investigators documented nearly 9,400 phishing emails sent to roughly 3,200 organizations worldwide over a 14-day period, showing how trusted cloud infrastructure continues to be used to avoid detection.
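A triage check for the two signals described above, the Application Integration sender address and links to pages hosted on Google Cloud Storage, as an added example that is not from the article or the cited researchers. The Cloud Storage hostnames, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender quoted in the article (defanged there, refanged here for matching).
WATCHED_SENDERS = {"noreply-application-integration@google.com"}
# Assumption: the article names the service, not hostnames; these are the
# public Google Cloud Storage endpoints.
GCS_HOSTS = {"storage.googleapis.com", "storage.cloud.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def is_gcs_host(host):
    host = (host or "").lower().rstrip(".")
    return host in GCS_HOSTS or host.endswith(".storage.googleapis.com")

def body_text(msg):
    """Concatenate all text/* parts, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Return review reasons based on content, not on authentication results."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reasons = ["sender:" + sender] if sender in WATCHED_SENDERS else []
    hosts = set()
    for url in URL_RE.findall(body_text(msg)):
        try:
            host = urlsplit(url.rstrip(".,;)")).hostname
        except ValueError:  # malformed URL, nothing to classify
            continue
        if is_gcs_host(host):
            hosts.add(host)
    return reasons + ["gcs-link:" + h for h in sorted(hosts)]

# Constructed sample messages (not taken from the campaign).
PHISH = (
    "From: Google Cloud <noreply-application-integration@google.com>\n"
    "Subject: New voicemail\n"
    "Authentication-Results: mx.example.test; dmarc=pass header.from=google.com\n"
    "\nListen: https://storage.googleapis.com/example-bucket/index.html\n"
)
BENIGN = "From: Colleague <colleague@example.test>\n\nAgenda: https://intranet.example.test/agenda\n"
```

Plenty of legitimate mail matches either signal, so the output is a reason to review a message, not a verdict to block it.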

 

FAQs

Why does this campaign bypass traditional email security checks?

The emails originate from legitimate Google infrastructure, which allows them to pass authentication checks that normally block spoofed domains.

 

Why are phone calls used before emails?

Voice contact builds trust and urgency, making recipients more likely to follow instructions sent in subsequent messages.

 

What part do fake CAPTCHA pages play?

They prevent automated scanners from analyzing the phishing flow while allowing human users to proceed.

 

How can users protect themselves from similar attacks?

They should avoid responding to unsolicited support messages, access accounts only through known portals, and use multi-factor authentication.

 

Why are attackers shifting to trusted platforms?

Legitimate services offer strong reputations and global delivery, making malicious activity harder to detect and block at scale.