Attackers Abuse Google Cloud Automation To Deliver Credible Phishing Emails At Scale

Campaign shows how trusted cloud workflows can be misused to bypass traditional email defenses

Published on Jan 5, 2026

Cybersecurity teams have been tracking a phishing campaign that exploits legitimate Google Cloud automation to deliver highly convincing emails from real Google infrastructure.

The activity, detailed in an advisory published by Check Point Research (CPR) on Dec. 22, 2025, points to a strategy in which attackers abuse trusted cloud services rather than spoofing domains or compromising accounts.

According to CPR, attackers sent 9,394 phishing emails over a 14-day period, targeting roughly 3,200 organizations. The messages originated from a legitimate Google address, allowing them to pass common sender reputation and domain-based email controls.

The emails mimicked routine enterprise notifications, including voicemail alerts and file-sharing permission requests, to prompt rapid user action.

The campaign took advantage of Google Cloud Application Integration, a workflow automation service designed to send system-generated emails for legitimate business processes.

By misusing the platform’s “Send Email” task, attackers were able to distribute messages from Google-owned domains without breaching Google systems.

Multi-Stage Redirection Masks Credential Theft

The phishing links followed a layered redirection process intended to evade detection and build trust. Initial clicks directed users to storage.cloud.google.com, followed by a googleusercontent.com page displaying a fake CAPTCHA or image-based check.

Only after user interaction were victims redirected to a counterfeit Microsoft login page hosted on a non-Microsoft domain, where credentials were harvested.

Industry analysis shows manufacturing and industrial organizations accounted for 19.6% of targets, followed by technology and Software-as-a-Service (SaaS) firms at 18.9%, and finance and insurance at 14.8%. Nearly half of affected organizations were based in the US, with additional impact across Asia-Pacific and Europe.

“We have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration,” a Google Cloud spokesperson told CPR. “This activity stemmed from the abuse of a workflow automation tool, not a compromise of Google’s infrastructure.”

For defenders, the campaign reinforces the need to scrutinize emails even when they originate from trusted domains. Security leaders should combine user awareness training with advanced link analysis and behavioral detection to identify abuse of legitimate cloud services before credentials are exposed.
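
One way to turn the redirect chain described above into a link-analysis check, as an added example that is not from CPR or Google: it flags a chain that starts on the Google hosts named in the article, leaves them, and ends on a Microsoft-branded page outside Microsoft's sign-in hosts. The sign-in host list, the `final_brand` classifier input and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts the article names as the first two hops of the campaign's chain.
TRUSTED_CLOUD = ("storage.cloud.google.com", "googleusercontent.com")
# Assumption: short, non-exhaustive list of genuine Microsoft sign-in hosts.
MICROSOFT_SIGNIN = ("login.microsoftonline.com", "login.live.com")


def host_in(url, suffixes):
    """True if the URL's host equals a suffix or is a subdomain of it.

    Matching is aligned on DNS labels, so look-alikes such as
    'googleusercontent.com.example.test' or userinfo tricks
    ('https://storage.cloud.google.com@example.test/') do not match.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def assess_chain(hops, final_brand):
    """Score an ordered list of URLs recorded while following one link.

    final_brand is the brand shown on the last page, as reported by a
    hypothetical page classifier (e.g. 'microsoft'). Returns the findings
    that matched and whether the full pattern from the article is present.
    """
    findings = []
    if not hops:
        return {"findings": findings, "suspicious": False}
    trusted_prefix = 0
    for url in hops:
        if not host_in(url, TRUSTED_CLOUD):
            break
        trusted_prefix += 1
    if trusted_prefix:
        findings.append("starts-on-trusted-cloud-host")
    if 0 < trusted_prefix < len(hops):
        findings.append("leaves-trusted-cloud-host")
    if final_brand == "microsoft" and not host_in(hops[-1], MICROSOFT_SIGNIN):
        findings.append("microsoft-login-on-non-microsoft-host")
    return {"findings": findings, "suspicious": len(findings) == 3}


# Constructed sample chain; the last host is a placeholder, not an indicator.
SAMPLE_CHAIN = [
    "https://storage.cloud.google.com/bucket-placeholder/notice.html",
    "https://sub.googleusercontent.com/check",
    "https://signin.example.test/login",
]
```

A chain that stays on the Google hosts, or one that ends on a genuine Microsoft sign-in host, produces fewer than three findings and is not marked suspicious.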