Cybercriminals have uncovered a powerful new tactic to bypass spam filters: abusing trusted cloud services instead of spoofing brands. A recent phishing campaign exploited a legitimate email feature within Google Cloud, allowing attackers to send thousands of fraudulent messages that appeared indistinguishable from genuine Google notifications.
At the core of the attack was Google Cloud Application Integration, a service used by enterprises to automate workflows and send system-generated emails. Threat actors misused its Send Email function, enabling phishing messages to originate from a real, Google-owned address. According to Check Point, this authenticity allowed emails to bypass security filters and land directly in inboxes. Over a two-week period in December 2025, more than 9,000 phishing emails targeted around 3,200 organizations across North America, Europe, Asia-Pacific, and Latin America.
The campaign used a multi-stage deception chain. Victims were first directed to pages hosted on storage.cloud.google.com, then redirected through googleusercontent.com, reinforcing trust at every step. A fake CAPTCHA screen blocked automated scanners while allowing human users to proceed. The final destination was a convincing fake Microsoft login page, where credentials were harvested.
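A defender-side check for the chain described above, as an added example that is not part of the original article or Check Point's report: it flags a recorded redirect chain that passes from storage.cloud.google.com to googleusercontent.com, and a final page that presents a Microsoft sign-in on a host outside the genuine sign-in hosts. The hop record format, the allowlist of Microsoft sign-in hosts, and all sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts the article names as the first two stages of the chain.
STAGE1_HOST = "storage.cloud.google.com"
STAGE2_DOMAIN = "googleusercontent.com"
# Assumption: hosts that serve a genuine Microsoft sign-in form; extend as needed.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

def host(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def under(h, domain):
    # Match on a label boundary so "googleusercontent.com.hosting.example" fails.
    return h == domain or h.endswith("." + domain)

def classify(chain):
    """chain: ordered hops [{"url": ..., "title": ...}] recorded for one link click
    (hypothetical record format, e.g. from a proxy or URL sandbox)."""
    findings = []
    hosts = [host(hop["url"]) for hop in chain]
    if not hosts:
        return findings
    first1 = next((i for i, h in enumerate(hosts) if h == STAGE1_HOST), None)
    first2 = next((i for i, h in enumerate(hosts) if under(h, STAGE2_DOMAIN)), None)
    if first1 is not None and first2 is not None and first1 < first2:
        findings.append("cloud-hosted-redirect-chain")
    title = chain[-1].get("title", "").lower()
    if "microsoft" in title and "sign in" in title and hosts[-1] not in MS_LOGIN_HOSTS:
        findings.append("microsoft-login-lookalike")
    return findings

# Constructed sample chains; every path and the .example hosts are placeholders.
PHISH = [
    {"url": "https://storage.cloud.google.com/sample-bucket/notice.html", "title": "Shared file"},
    {"url": "https://sample-id.googleusercontent.com/verify", "title": "Verify you are human"},
    {"url": "https://portal.signin.example/login", "title": "Sign in to your Microsoft account"},
]
SPOOFED_STAGE2 = [
    {"url": "https://storage.cloud.google.com/sample-bucket/notice.html", "title": "Shared file"},
    {"url": "https://googleusercontent.com.hosting.example/verify", "title": "Verify"},
    {"url": "https://portal.signin.example/login", "title": "Microsoft - Sign in"},
]
GENUINE = [{"url": "https://login.microsoftonline.com/", "title": "Sign in to your Microsoft account"}]

if __name__ == "__main__":
    for name, chain in (("PHISH", PHISH), ("SPOOFED_STAGE2", SPOOFED_STAGE2), ("GENUINE", GENUINE)):
        print(name, classify(chain))
```

Because the fake CAPTCHA stops automated scanners, the final hop is more likely to show up in records of real user clicks than in crawler output, so the check is best fed from proxy or browser telemetry.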
Industries heavily dependent on automated alerts—manufacturing, technology, finance, retail, and professional services—were prime targets, alongside healthcare, education, government, and energy. These sectors regularly receive permission and file-sharing notifications, making the phishing lures feel routine.
Security experts warn this attack highlights a dangerous shift: brand and platform trust itself has become the attack surface. As cloud ecosystems grow, organizations must assume that even “legitimate-looking” system emails require verification, stronger identity controls, and phishing-resistant authentication to counter this new class of threat.