Hackers abuse Google Cloud to send trusted phishing emails


Cybercriminals have found a clever new way to send phishing emails directly to inboxes.

Instead of spoofing brands, they are abusing real cloud tools that people already trust. Security researchers say attackers recently hijacked a legitimate email feature within Google Cloud.

The result was thousands of phishing messages that looked like normal Google notifications. Many bypassed spam filters with ease.


How this Google Cloud phishing attack worked

At the center of the campaign was Google Cloud Application Integration. This service allows companies to send automatic email notifications based on the workflows they create. Attackers exploited the Send Email task within that system. Because the messages came from a real Google address, they appeared authentic to both users and security tools.

According to Check Point, a global cybersecurity company that tracks and analyzes large-scale threat campaigns, the emails were sent from a legitimate address owned by Google and closely matched Google’s notification style. The fonts, wording, and layout looked familiar. Over a two-week period in December 2025, attackers sent more than 9,000 phishing emails targeting approximately 3,200 organizations in the US, Europe, Canada, Asia Pacific, and Latin America.


The attackers used Google Cloud’s trusted infrastructure to route victims through multiple redirects before revealing the scam. (Thomas Fuller/SOPA Images/LightRocket via Getty Images)


Why the Google Cloud phishing emails were so convincing

The messages seemed like routine workplace alerts. Some claimed the recipient had received a voicemail. Others said the recipient had been granted access to a shared document, such as a Q4 file. That sense of normality reduced suspicion. Many people are used to seeing exactly these messages every day. Even more concerning, the emails bypassed common protections like SPF and DMARC because they were sent over Google-owned infrastructure. To email systems, nothing seemed fake.

What happens after clicking?

The attack didn’t stop at the email. Once a victim clicked the link, they were sent to a page hosted on storage.cloud.google.com. That added another layer of confidence. From there, the link redirected to googleusercontent.com. Then came a fake CAPTCHA or image verification. This step blocked automated security scanners while allowing real users to continue. After passing that screen, victims landed on a fake Microsoft login page hosted on a non-Microsoft domain. Any credentials entered there were captured by the attackers.
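The redirect chain described above suggests a simple triage check for defenders: judge a login page by its final domain, not by the trusted hosts it was reached through. The following is an added example, not code from the article or from Check Point; the brand allowlist is an incomplete assumption and the sample chains are constructed.

```python
from urllib.parse import urlsplit

# Hosting domains named in the article: Google-owned, but the content is user-supplied.
USER_CONTENT_DOMAINS = {"storage.cloud.google.com", "googleusercontent.com"}
# Assumption: a short, incomplete allowlist of sign-in domains per brand.
BRAND_LOGIN_DOMAINS = {
    "microsoft": {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"},
    "google": {"accounts.google.com"},
}

def host_matches(url, domains):
    """True if the URL's host equals a listed domain or is a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def assess_chain(chain, claimed_brand):
    """Return findings for a redirect chain ending on a page that asks for
    `claimed_brand` credentials. `chain` lists URLs in the order visited."""
    if not chain:
        raise ValueError("empty redirect chain")
    findings = []
    final = chain[-1]
    allowed = BRAND_LOGIN_DOMAINS.get(claimed_brand.lower())
    if allowed is None:
        findings.append("unknown-brand")
    elif not host_matches(final, allowed):
        findings.append("login-domain-mismatch")
    if urlsplit(final).scheme != "https":
        findings.append("login-not-https")
    # Trusted-looking hops do not vouch for the destination; record them so
    # an analyst sees the hosting was used only as a springboard.
    if any(host_matches(u, USER_CONTENT_DOMAINS) for u in chain[:-1]):
        findings.append("via-user-content-hosting")
    return findings

# Constructed sample chains (hostnames under example.net are placeholders).
PHISH_CHAIN = [
    "https://storage.cloud.google.com/example-bucket/notice.html",
    "https://example-object.googleusercontent.com/verify",
    "https://signin.example.net/microsoft/login",
]
LOOKALIKE_CHAIN = ["https://login.microsoftonline.com.example.net/common/oauth2"]
GENUINE_CHAIN = ["https://login.microsoftonline.com/common/oauth2/authorize"]

if __name__ == "__main__":
    for name, chain in [("phish", PHISH_CHAIN), ("lookalike", LOOKALIKE_CHAIN),
                        ("genuine", GENUINE_CHAIN)]:
        print(name, assess_chain(chain, "microsoft"))
```

The lookalike case shows why the match is done on whole host labels: a host that merely begins with a real sign-in domain still fails the check.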

Who was the target of the Google Cloud phishing attack?

Check Point says the campaign largely focused on industries that rely on automated alerts and shared documents. That included manufacturing, technology, finance, professional services and retail. Other sectors such as health, education, government, energy, travel and media were also targeted. These environments see constant permission requests and file sharing notices, which made the lures seem routine.

“We have blocked several phishing campaigns involving the misuse of an email notification feature within the Google Cloud app integration,” a Google spokesperson told Cyberguy. “Importantly, this activity arose from abuse of a workflow automation tool, not a compromise of Google infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further misuse.”

The incident demonstrates how attackers can weaponize legitimate cloud automation tools without resorting to traditional spoofing.

Ways to stay safe from phishing emails that look trustworthy

Phishing emails are becoming harder to detect, especially when attackers abuse real cloud platforms like Google Cloud. These steps help reduce risk when emails appear familiar and legitimate.

1) Slow down before acting on alerts

Attackers depend on urgency. Alerts about voicemails, file sharing, or permission changes are designed to get a quick click. Pause before acting. Ask yourself if you were really expecting that alert. If not, verify it another way.

2) Inspect links before clicking

Always hover over links to preview the target domain. In this campaign, links passed through several trustworthy-looking Google domains before landing on a fake login page. If the final destination does not match the service that is asking you to log in, close the page immediately.

3) Treat file access and permission emails with caution

Shared document alerts are a favorite lure because they feel routine at work. If an email claims that you have been granted access to a file you don’t recognize, don’t click directly from the message. Instead, open your browser and log into Google Drive or OneDrive manually to check for new files.


The final step took users to a fake Microsoft login page, where the credentials entered were silently stolen. (Social Media Stack)

4) Use a password manager to detect fake login pages

Password managers can be a strong last line of defense. They will not automatically fill in credentials on fake Microsoft or Google login pages hosted on unofficial domains. If your password manager refuses to complete a login, that’s a red flag worth paying attention to.

Next, check to see if your email has been exposed in previous breaches. Our #1 password manager pick (see Cyberguy.com/Passwords) includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.


5) Run powerful antivirus software with phishing protection

Modern antivirus tools do more than scan files. Many now detect malicious links, fake CAPTCHA pages and credential harvesting sites in real time. Strong antivirus software can block phishing pages even after one click, which is important in multi-stage attacks like this.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

6) Reduce your exposure with a data deletion service

Phishing campaigns are often successful because attackers already know your email, employer, or role. That information is commonly obtained from data broker sites. A data deletion service helps remove your personal information from these databases, making it difficult for attackers to create compelling, targeted emails.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.


7) Enable two-factor authentication (2FA) everywhere

Even if attackers steal your password, two-factor authentication (2FA) can prevent them from accessing your account. Use app-based authentication or hardware keys when possible, especially for work email, cloud storage, and Microsoft accounts.

8) Report suspicious emails immediately

If something feels wrong, report it. Flag suspicious alerts from Google or Microsoft to your IT or security team so they can warn others. Early notification can stop a phishing campaign before it spreads further within an organization.


Google’s phishing emails seemed like routine workplace alerts. (Kurt “CyberGuy” Knutsson)

Kurt’s Key Takeaways

This campaign highlights a growing shift in phishing tactics. Attackers no longer need to spoof brands when they can directly abuse trusted cloud services. As automation becomes more common, security awareness is more important than ever. Even familiar-looking emails deserve a second look, especially when they insist on urgency or request credentials.


If a phishing email comes from a real Google address, how confident are you that you can detect it before you click? Let us know by writing to us at Cyberguy.com.


Copyright 2025 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that improve lives, with contributions to News and News Business beginning mornings on “News & Friends.” Do you have a technical question? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.
