Attackers sent thousands of fraudulent messages using a legitimate Google.com address without breaching Google systems.
Security researchers have identified a large phishing campaign that sent fraudulent emails from the legitimate address noreply-application-integration@google.com by abusing Google Cloud automation features. According to Cybernews, attackers used Google Cloud Application Integration workflows to distribute more than 9,000 phishing messages to roughly 3,200 organizations over a two-week period. The emails appeared authentic, passed standard security checks, and initially routed users through Google infrastructure before redirecting them to credential-harvesting sites.
The campaign relied on Google Cloud’s Send Email functionality, which allows applications to send automated notifications for routine business tasks. Attackers configured these workflows to deliver phishing messages that mimicked common enterprise alerts such as voicemail notifications, file sharing requests, or access approvals. When recipients clicked embedded links, they were first routed through legitimate Google-hosted pages and then redirected through googleusercontent.com domains. The final destination was an attacker-controlled site impersonating a Microsoft login page. CAPTCHA checks and image-based validation were used to block automated scanners while allowing real users to proceed, which delayed detection and increased success rates.
Google confirmed that the activity resulted from misuse of a workflow automation feature rather than a compromise of its infrastructure. The company said it had blocked multiple campaigns and implemented safeguards to prevent similar abuse. Researchers warned that the messages closely followed Google’s notification style and structure, making them difficult for users to distinguish from legitimate system alerts. They also noted that the use of trusted cloud infrastructure reduced suspicion and allowed the emails to avoid traditional detection methods.
Security teams have warned that trusted cloud services are being misused to deliver phishing at scale. A 2025 analysis from the UK National Cyber Security Centre describes how threat actors use advanced tooling and automated methods to scale phishing and other malicious campaigns that abuse trusted platforms and identity services rather than relying solely on traditional spoofed domains. The NCSC’s guidance on defending against phishing notes that domain-based trust mechanisms alone are insufficient, and recommends that organizations focus on behavioural signals, user reporting, and verification techniques to more accurately assess and mitigate email risk.
Most security systems and users treat messages from well-known domains as low risk, which reduces scrutiny and increases the likelihood of engagement.
No. Google stated that attackers abused a legitimate automation feature without gaining unauthorized access to its internal systems.
Using trusted hosting delays detection, bypasses some security controls, and reassures users before redirecting them to malicious sites.
The final phishing pages impersonated Microsoft login portals and were designed to capture usernames and passwords.
They can review cloud automation permissions, monitor unusual workflow activity, train users to verify unexpected alerts, and apply layered email analysis that assesses link behavior rather than sender reputation alone.
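One way to apply the layered analysis described above, as an added example that is not from the article, Cybernews or Google: a triage function that treats the automation sender address and Google-hosted links as reasons to inspect link behavior rather than as trust signals. The lure keywords, function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender address and host suffixes are the ones the article reports.
AUTOMATION_SENDER = "noreply-application-integration@google.com"
TRUSTED_SUFFIXES = ("google.com", "googleusercontent.com")
# Assumed keywords, derived from the alert types the article lists.
LURE_WORDS = ("voicemail", "shared a file", "access request")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_in(host, suffix):
    """Exact or subdomain match, so 'notgoogle.com' does not match 'google.com'."""
    return host == suffix or host.endswith("." + suffix)

def triage(raw):
    """Return the reasons a message needs link-behavior analysis (empty list = none)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    body = b"\n".join(parts).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    reasons = []
    if sender == AUTOMATION_SENDER:
        # Passing SPF/DKIM/DMARC proves the platform sent it, not who built the workflow.
        reasons.append("sent through the Application Integration sender")
    if any(host_in(h, s) for h in hosts for s in TRUSTED_SUFFIXES):
        reasons.append("link starts on a Google host: follow the redirect chain in a sandbox")
    if any(w in text for w in LURE_WORDS):
        reasons.append("enterprise-alert lure wording")
    return reasons

# Constructed sample messages (not taken from the campaign).
SAMPLE_LURE = (
    "From: Notifications <noreply-application-integration@google.com>\n"
    "Subject: New voicemail received\n\n"
    "Listen here: https://constructed-sample.googleusercontent.com/vm\n"
)
SAMPLE_BENIGN = (
    "From: Alice <alice@example.org>\n"
    "Subject: Weekly report\n\n"
    "Report is at https://intranet.example.org/report\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

A non-empty result is a routing decision, not a verdict: legitimate workflow notifications also come from this sender, so the message goes to redirect-chain inspection instead of being delivered on sender reputation.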