Phishing campaign uses Google Cloud emails to bypass security filters
Farah Amod
January 14, 2026
Attackers sent thousands of fraudulent messages using a legitimate Google.com address without breaching Google systems.
What happened
Security researchers have identified a large phishing campaign that sent fraudulent emails from the legitimate address noreply-application-integration@google.com by abusing Google Cloud automation features. According to Cybernews, attackers used Google Cloud Application Integration workflows to distribute more than 9,000 phishing messages to roughly 3,200 organizations over a two-week period. The emails appeared authentic, passed standard security checks, and initially routed users through Google infrastructure before redirecting them to credential harvesting sites.
Going deeper
The campaign relied on Google Cloud’s Send Email functionality, which allows applications to send automated notifications for routine business tasks. Attackers configured these workflows to deliver phishing messages that mimicked common enterprise alerts such as voicemail notifications, file sharing requests, or access approvals. When recipients clicked embedded links, they were first routed through legitimate Google-hosted pages and then redirected through Googleusercontent.com domains. The final destination was an attacker-controlled site impersonating a Microsoft login page. CAPTCHA checks and image-based validation were used to block automated scanners while allowing real users to proceed, which delayed detection and increased success rates.
What was said
Google confirmed that the activity resulted from misuse of a workflow automation feature rather than a compromise of its infrastructure. The company said it had blocked multiple campaigns and implemented safeguards to prevent similar abuse. Researchers warned that the messages closely followed Google’s notification style and structure, making them difficult for users to distinguish from legitimate system alerts. They also noted that the use of trusted cloud infrastructure reduced suspicion and allowed the emails to avoid traditional detection methods.
The big picture
Security teams have warned that trusted cloud services are being misused to deliver phishing at scale. A 2025 analysis from the UK National Cyber Security Centre describes how threat actors use advanced tooling and automated methods to scale phishing and other malicious campaigns that abuse trusted platforms and identity services rather than relying solely on traditional spoofed domains. The NCSC’s guidance on defending against phishing notes that domain-based trust mechanisms alone are insufficient, and recommends that organizations focus on behavioural signals, user reporting, and verification techniques to more accurately assess and mitigate email risk.
FAQs
Why do emails from Google.com appear trustworthy?
Most security systems and users treat messages from well-known domains as low risk, which reduces scrutiny and increases the likelihood of engagement.
Was Google itself breached in this campaign?
No. Google stated that attackers abused a legitimate automation feature without gaining unauthorized access to its internal systems.
Why do attackers route links through Google infrastructure first?
Using trusted hosting delays detection, bypasses some security controls, and reassures users before redirecting them to malicious sites.
What type of information were attackers trying to collect?
The final phishing pages impersonated Microsoft login portals and were designed to capture usernames and passwords.
How can organizations reduce risk from similar attacks?
They can review cloud automation permissions, monitor unusual workflow activity, train users to verify unexpected alerts, and apply layered email analysis that assesses link behavior rather than sender reputation alone.
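The layered analysis described in the last answer can be sketched as a triage rule that scores content and link signals instead of trusting the sender. This is an added example, not code from the article, Google, or the researchers; the sender address and googleusercontent.com come from the article, while the lure terms, verdict names, and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender address and googleusercontent.com are from the article; the lure
# wording and verdict names are assumptions made for this example.
AUTOMATION_SENDER = "noreply-application-integration@google.com"
USER_CONTENT_SUFFIX = "googleusercontent.com"
LURE_TERMS = ("voicemail", "shared a file", "access request")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (not real campaign mail).
PHISH_SAMPLE = """From: Google Cloud <noreply-application-integration@google.com>
Subject: New voicemail received
Authentication-Results: mx.example.org; dkim=pass header.d=google.com; spf=pass

You have a new voicemail. Listen here:
https://example-bucket.googleusercontent.com/vm/index.html
"""
BENIGN_SAMPLE = """From: Alice <alice@example.org>
Subject: Lunch
Authentication-Results: mx.example.org; dkim=pass header.d=example.org

Are we still on for noon?
"""

def triage(raw):
    """Score a message on content and link signals, not sender reputation."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    text = (msg.get("Subject", "") + " " + body).lower()
    hosts = [(urlsplit(u).hostname or "") for u in URL_RE.findall(body)]
    signals = []
    if sender == AUTOMATION_SENDER:
        signals.append("cloud-automation-sender")
    if any(term in text for term in LURE_TERMS):
        signals.append("enterprise-alert-lure")
    if any(h == USER_CONTENT_SUFFIX or h.endswith("." + USER_CONTENT_SUFFIX) for h in hosts):
        signals.append("user-content-link")
    # Passing SPF/DKIM only proves which service sent the mail, so it is
    # reported but never lowers the verdict.
    authenticated = "dkim=pass" in auth or "spf=pass" in auth
    verdict = "deliver"
    if len(signals) >= 2:
        verdict = "escalate" if "user-content-link" in signals else "review"
    return {"verdict": verdict, "authenticated": authenticated, "signals": signals}
```

An escalated message would go to link analysis or analyst review rather than straight to the inbox, even though its authentication results are clean.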
