Sophisticated Phishing Campaign Abuses Google Cloud Services to Steal Microsoft 365 Credentials
Cybercriminals are exploiting Google’s cloud infrastructure to launch highly convincing phishing attacks, bypassing spam filters and tricking users into surrendering their Microsoft 365 login credentials. Researchers identified a campaign where attackers used Google Cloud Application Integration’s Send Email feature to dispatch phishing emails from a legitimate Google address—noreply-application-integration@google[.]com—lending the messages an air of authenticity.
The emails, which reference routine actions like voicemail notifications or document access requests, include links to Google Cloud Storage URLs, further masking their malicious intent. After the initial click, victims are redirected through another Google-owned domain (googleusercontent[.]com), where they encounter a CAPTCHA check before being funneled to a fake Microsoft 365 sign-in page. The spoofed login portal, hosted on a non-Microsoft domain, captures any entered credentials.
The attack leverages Google’s trusted services to evade detection, though the company clarified that this was not a vulnerability but an abuse of its workflow automation tools. Google has since blocked multiple phishing campaigns tied to this method and is implementing additional safeguards to prevent further misuse.
This incident highlights a growing trend of threat actors abusing trusted cloud platforms—including Google, PayPal, and DocuSign—to enhance the credibility of phishing schemes. While Google has taken action, the campaign underscores the need for users to scrutinize login pages, particularly when redirected from seemingly legitimate sources.
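A mail-triage and login-host check for the delivery chain and the login-page advice described above, as an added example that is not from the original article. The Google storage hostname, the Microsoft sign-in allow-list, the lure keywords and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit
import re

# Sender named on the page (written there defanged as google[.]com).
ABUSED_SENDER = "noreply-application-integration@google.com"
# Assumption: hosts treated as Google-hosted content. The page names
# googleusercontent[.]com and "Google Cloud Storage URLs" without a hostname.
GOOGLE_HOSTED = ("storage.googleapis.com", "googleusercontent.com")
# Assumption: the only sign-in hosts this organisation accepts for Microsoft 365.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
LURE_WORDS = re.compile(r"voicemail|document|permission", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def triage_message(raw):
    """Return which traits of the delivery pattern a raw RFC 5322 message shows."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    hosts = {host_of(u) for u in URL_RE.findall(text)}
    reasons = []
    if sender == ABUSED_SENDER:
        reasons.append("sent-via-application-integration")
    if any(h == d or h.endswith("." + d) for h in hosts for d in GOOGLE_HOSTED):
        reasons.append("link-to-google-hosted-content")
    if LURE_WORDS.search(str(msg.get("Subject", "")) + " " + text):
        reasons.append("voicemail-or-document-lure")
    return reasons

def is_microsoft_signin(url):
    """True only for an HTTPS URL whose exact host is on the allow-list."""
    return urlsplit(url).scheme == "https" and host_of(url) in MS_LOGIN_HOSTS

# Constructed sample message (not taken from the campaign).
SAMPLE = """From: Google Cloud <noreply-application-integration@google.com>
Subject: New voicemail received
Content-Type: text/plain; charset=utf-8

You have a new voicemail. Listen here:
https://storage.googleapis.com/example-bucket/listen.html
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE))
    print(is_microsoft_signin("https://login.microsoftonline.com.example.net/"))
```

Because the sender address is genuinely Google's, no single trait is conclusive; the combination is what merits review. The exact-host comparison is what rejects look-alike hosts and userinfo tricks.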
Google Cloud cybersecurity rating report: https://www.rankiteo.com/company/google-cloud
{
  "id": "GOO1767719152",
  "linkid": "google-cloud",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'type': 'Organizations/Individuals'}],
 'attack_vector': 'Email (Abuse of Google Cloud Application Integration)',
 'customer_advisories': 'Users should verify login page domains, avoid '
                        'clicking links in unsolicited emails, and enable MFA '
                        'to protect against credential harvesting.',
 'data_breach': {'data_exfiltration': 'Yes (credentials captured by attackers)',
                 'personally_identifiable_information': 'Potentially (if '
                                                        'credentials include '
                                                        'PII)',
                 'sensitivity_of_data': 'High (Microsoft 365 credentials)',
                 'type_of_data_compromised': 'Credentials (usernames and '
                                             'passwords)'},
 'description': "Attackers are sending convincing fake 'Google' emails that "
                'bypass spam filters by routing victims through trusted '
                'Google-owned services, ultimately leading to a look-alike '
                'Microsoft 365 sign-in page designed to harvest usernames and '
                'passwords. The phishing emails originate from a legitimate '
                'Google address (noreply-application-integration@google[.]com) '
                'using Google Cloud Application Integration’s Send Email '
                'feature.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'affected entities due to credential '
                                       'compromise',
            'data_compromised': 'Microsoft 365 credentials (usernames and '
                                'passwords)',
            'identity_theft_risk': 'High (stolen credentials could lead to '
                                   'identity theft)',
            'systems_affected': 'Microsoft 365 sign-in pages (spoofed)'},
 'initial_access_broker': {'entry_point': 'Phishing email (Google Cloud '
                                          'Application Integration)'},
 'lessons_learned': 'Phishing campaigns increasingly abuse trusted cloud '
                    'services (e.g., Google, PayPal, DocuSign) to lend '
                    'credibility to attacks. Recipients must verify login page '
                    'domains and avoid clicking links in unsolicited emails.',
 'motivation': 'Credential Harvesting',
 'post_incident_analysis': {'corrective_actions': 'Google blocked the phishing '
                                                  'campaigns and implemented '
                                                  'additional protections to '
                                                  'prevent misuse of its '
                                                  'services.',
                            'root_causes': 'Abuse of Google Cloud Application '
                                           'Integration’s Send Email feature '
                                           'to send phishing emails from a '
                                           'legitimate Google address, '
                                           'leveraging trust in Google’s '
                                           'infrastructure.'},
 'recommendations': ['Always check the web address of login pages to ensure it '
                     'is a genuine domain.',
                     'Use a password manager to avoid auto-filling credentials '
                     'on fake websites.',
                     'Be cautious of urgent emails about voicemails, document '
                     'shares, or permissions.',
                     'Go directly to services (e.g., OneDrive, Teams) via '
                     'bookmarks or apps instead of clicking email links.',
                     'Enable multi-factor authentication (MFA) to mitigate the '
                     'impact of stolen passwords.',
                     'Regularly review and remove unauthorized app access to '
                     'accounts.',
                     'Use tools like Malwarebytes Scam Guard to detect '
                     'phishing attempts.'],
 'references': [{'source': 'Malwarebytes Blog'}],
 'response': {'containment_measures': 'Google blocked several phishing '
                                      'campaigns involving the misuse of the '
                                      'email notification feature.',
              'remediation_measures': 'Google implemented protections to '
                                      'defend users against the attack and is '
                                      'taking additional steps to prevent '
                                      'further misuse.'},
 'title': 'Google Cloud Application Integration Abused for Phishing Campaign '
          'Targeting Microsoft 365 Credentials',
 'type': 'Phishing'}