phishing | International | The Hacker News
Google Cloud Service Abused in Widespread Phishing Campaign
Friday, January 2, 2026
What
Attackers leveraged Google Cloud's Application Integration service to send phishing emails from a legitimate Google domain, effectively bypassing DMARC and SPF checks. This allowed them to distribute highly convincing lures, leading victims through a multi-stage redirection process to harvest credentials.
Where
Organizations in manufacturing, technology, finance, professional services, retail, media, education, healthcare, energy, government, travel, and transportation sectors across the U.S., Asia-Pacific, Europe, Canada, and Latin America.
When
Disclosed by researchers on January 2, 2026, based on activity observed over a 14-day period in December 2025.
Key Factors
- The campaign abused a legitimate Google Cloud feature, the "Send Email" task within Application Integration, to send emails from `noreply-application-integration@google[.]com`, lending significant authenticity.
- Attackers employed a multi-stage redirection flow starting with trusted Google Cloud URLs (`storage.cloud.google[.]com`) and incorporating a fake CAPTCHA on `googleusercontent[.]com` to evade automated security analysis.
- The phishing emails were meticulously crafted to mimic Google notification styles and referenced common enterprise lures like voicemail alerts or shared document access, increasing recipient trust.
Takeaways
- Users should remain highly skeptical of unsolicited emails, even those from seemingly legitimate domains, and always verify sender authenticity and link destinations before clicking.
- Organizations must implement advanced email security solutions that analyze link redirects and content, not just sender reputation, to detect sophisticated phishing attempts abusing trusted cloud services.
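
One way to apply the second takeaway, as an added example that is not from the original report: a triage heuristic that flags mail combining the reported sender with links to the reported hosts, and records an SPF/DMARC pass without letting it clear the message. The function names, sample messages and the sender-plus-link rule are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators as printed in the brief (defanged); refanged only for matching.
SENDER = "noreply-application-integration@google[.]com".replace("[.]", ".")
LINK_HOSTS = [h.replace("[.]", ".") for h in
              ("storage.cloud.google[.]com", "googleusercontent[.]com")]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def linked_hosts(msg):
    """Hostnames of every http(s) URL found in the message's text parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL, e.g. unbalanced brackets
                continue
            if host:
                hosts.add(host.lower())
    return hosts

def triage(raw):
    """Flag for review when the reported sender and link hosts co-occur."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    hits = sorted(h for h in linked_hosts(msg)
                  if any(h == s or h.endswith("." + s) for s in LINK_HOSTS))
    return {
        # SPF/DMARC pass is recorded but never used to clear the message.
        "auth_pass": "spf=pass" in auth and "dmarc=pass" in auth,
        "link_hits": hits,
        "verdict": "review" if sender == SENDER and hits else "no-match",
    }

# Constructed sample messages (not taken from the campaign).
HDR = "Authentication-Results: mx.example; spf=pass; dmarc=pass\nSubject: New voicemail\n"
LURE = (HDR + f"From: Google <{SENDER}>\n\n"
        f"Listen: https://{LINK_HOSTS[0]}/example-bucket/vm.html\n")
BENIGN = (HDR + "From: Google <no-reply@accounts.google.com>\n\n"
          "Review activity: https://myaccount.google.com/notifications\n")
```

Calling `triage(LURE)` returns a `review` verdict even though both authentication checks pass, while `triage(BENIGN)` returns `no-match`.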