Email security teams have long relied on domain reputation and sender verification as their first line of defense against phishing. Messages originating from well-known domains are typically treated as lower risk, allowing organizations to focus on obvious spoofing attempts. That assumption is now being challenged by a new phishing campaign that uses legitimate cloud infrastructure to deliver fraudulent emails that appear fully authentic.
Security researchers have identified a large-scale operation in which attackers sent thousands of phishing messages from an official Google email address ending in @google.com. The emails originated from [email protected], a legitimate address used by Google Cloud services. Over a two-week period, nearly 9,400 messages were delivered to roughly 3,200 organizations, evading many traditional detection mechanisms because the sender domain and infrastructure were genuine.
According to CyberNews, the technique does not involve breaching Google systems. Instead, attackers exploited a workflow automation feature within Google Cloud that allows applications to send notification emails to arbitrary recipients. This functionality is commonly used for system alerts, file-sharing notifications, and other routine enterprise messages. By abusing this feature, attackers were able to craft phishing emails that closely mimicked standard corporate notifications, such as voicemail alerts or file access requests.
The attack chain was designed to appear legitimate at every step. When recipients clicked links in the emails, they were first taken to pages hosted on Google’s own infrastructure. Subsequent redirects led to sites served from the googleusercontent.com domain, further reinforcing trust. Only after passing CAPTCHA or image-based checks—used to block automated scanners—were victims redirected to attacker-controlled pages impersonating Microsoft login portals, where credentials were harvested.
This campaign highlights a growing operational risk: government agencies, critical infrastructure operators, and defense contractors often depend on cloud platforms and trusted vendors for daily operations. Phishing attacks that exploit legitimate cloud services can bypass perimeter defenses and target users with elevated access, increasing the potential impact of credential theft or lateral movement inside sensitive networks.
Google has acknowledged the misuse and stated that it has blocked multiple campaigns abusing its email notification feature, emphasizing that the issue stemmed from exploitation of automation tools rather than a compromise of its systems. Additional protections have been put in place to address this specific technique.
The incident underscores a broader shift in phishing tactics. As email security improves, attackers are increasingly weaponizing trusted services instead of spoofing them. For organizations, this means that even emails from legitimate domains must be treated with caution, and behavioral analysis and user awareness are becoming as important as traditional sender validation.
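As an added illustration of the behavioral-analysis point above (example code, not from the article or from Google), a small Python heuristic that treats an authenticated, trusted notification sender as a reason to inspect lure wording and links in the body rather than to wave the message through; the sender allowlist, the keyword list and the sample message are constructed for this example.

```python
"""Flag authenticated notification e-mails that carry phishing lures.
Added example, not code from the article or Google: the campaign's mail passes
SPF/DKIM because the sender really is the provider's notification service, so an
authenticated trusted sender here raises scrutiny of the body instead of lowering
it. The allowlist, keyword list and sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: authenticated notification senders that relay user content.
NOTIFICATION_SENDER_DOMAINS = {"google.com"}
# Lure themes named in the article (voicemail, file access) plus login prompts.
LURE_PATTERNS = [r"\bvoicemail\b", r"\baccess request\b", r"\bshared a file\b",
                 r"\bsign in\b", r"\bverify your account\b"]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample; the From local part is a placeholder, not the real address.
SAMPLE = """\
From: Cloud Notifications <notification-placeholder@google.com>
To: finance@example.test
Subject: New voicemail received
Authentication-Results: mx.example.test; spf=pass; dkim=pass header.d=google.com
Content-Type: text/plain; charset=utf-8

You have a new voicemail (0:42). Sign in to listen:
https://storage.example-cloud.test/notify/play?id=CONSTRUCTED
"""

def auth_passed(msg) -> bool:
    """True when Authentication-Results records both spf=pass and dkim=pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dkim=pass" in results

def score_message(raw: str) -> dict:
    """Return the signals a reviewer wants, plus a verdict, for one raw message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    text = msg.get("Subject", "") + "\n" + "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)
    urls = URL_RE.findall(text)
    lures = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    authenticated = auth_passed(msg)
    trusted_relay = authenticated and sender_domain in NOTIFICATION_SENDER_DOMAINS
    # Authentication cannot rule this out, so lure wording plus a link decides.
    return {"sender_domain": sender_domain, "authenticated": authenticated,
            "trusted_relay": trusted_relay, "lures": lures, "urls": urls,
            "suspicious": trusted_relay and bool(lures) and bool(urls)}
```

A message that fails authentication is deliberately not flagged here, since spoofing is already handled by DMARC enforcement; this check covers only the case the article describes, where the sender is genuine.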