Google Cloud Service Exploited in New Phishing Campaign Targeting Major Industries
A sophisticated phishing campaign exploiting Google Cloud Application Integration has targeted over 3,200 customers with nearly 9,400 malicious emails in just two weeks, according to security researchers at Check Point. The attackers leverage Google's legitimate "Send Email" task to bypass traditional security controls while impersonating trusted Google notifications.
These phishing attempts appear particularly convincing because they originate from authentic Google infrastructure and mimic routine workflows like permission requests and file sharing—communications that recipients are accustomed to trusting. Manufacturing, technology, and financial sectors have been the primary targets, representing over 53% of affected organizations.
The attack methodology mirrors many of the sophisticated phishing techniques targeting enterprise environments, but with the added legitimacy of trusted cloud infrastructure.
How the Attack Works
The newly identified campaign employs a multi-stage attack that begins with seemingly legitimate Google communications. When recipients interact with these emails, they're guided through a carefully orchestrated process designed to harvest credentials while evading detection.
"This behavior suggests a misuse of legitimate cloud automation capabilities to impersonate authentic Google notifications while bypassing traditional sender reputation and domain-based detection controls," according to Check Point's research.
The attack follows a precise sequence:
- The victim clicks a link hosted on a trusted Google Cloud service
- They're redirected to a fake image-based verification page, a CAPTCHA-style check whose purpose is to stop automated scanners and URL sandboxes from ever reaching the final page
- Finally, targets land on a fraudulent Microsoft login page where their credentials are harvested
Jason Soroko, Senior Fellow at Sectigo, explains the significance: "The exploitation of Google Cloud's Application Integration service underscores a critical vulnerability inherent in trusted cloud automation platforms, where attackers weaponize the very tools designed to streamline enterprise connectivity."
The campaign is effective partly because ownership of cloud automation is split across IT, DevOps, and security teams, so nobody is clearly responsible for what the Send Email task is allowed to do. Most concerning is that the messages pass SPF, DKIM, and DMARC: they are sent by Google's own mail infrastructure from a Google-controlled domain, and those checks only confirm that the sending server is authorised for that domain, not that the content is legitimate.
Industries Under Attack
The research reveals a strategic targeting pattern focused on industries that heavily rely on automated workflows and cloud services. Manufacturing and industrial sectors lead with 19.6% of attacks, followed closely by technology and SaaS companies at 18.9%. Financial institutions, including banking and insurance, represent 14.8% of targets.
Additional frequently targeted sectors include:
- Professional services/consulting (10.7%)
- Retail/consumer (9.1%)
These industries are particularly vulnerable because automated permission workflows, shared documents, and system notifications are commonplace in their daily operations. When malicious communications mimic these familiar processes, even security-conscious employees may be deceived.
"This campaign doesn't show that the cloud provider failed; it indicates that there is a gap in shared responsibilities," notes Randolph Barr, Chief Information Security Officer at Cequence Security. "IT teams typically regulate access to these services, DevOps teams create and manage the workflows, and security teams establish guidelines for their use and monitor potential misuse. If such responsibilities aren't in sync, people can exploit trusted automation in ways that extend beyond standard security measures."
Attack Impact Analysis
The impact of these attacks extends beyond immediate credential theft. Once attackers gain access to Microsoft credentials, they can potentially access a wide range of connected services, establish persistence within networks, and conduct lateral movement. Organizations experiencing successful breaches from this campaign may face data exfiltration, ransomware deployment, or business email compromise situations.
According to recent Verizon Data Breach Investigations Report findings, credential theft remains among the most common initial access vectors for more sophisticated attacks. This campaign demonstrates how attackers continue to evolve their tactics to circumvent modern security controls.
Defending Against Cloud-Based Phishing
The sophistication of this campaign requires organizations to rethink their security approaches. Traditional email security measures that rely on domain reputation checks cannot stop these messages, because the sender really is Google.
Security experts recommend several protective measures:
Implement Advanced Detection Methods
"Organizations must pivot from reliance on gateway reputation checks to a more granular defense strategy that includes advanced content analysis to inspect message payloads," advises Soroko. This approach focuses on the actual content rather than the sender's domain reputation.
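The following is an added example, not code from Check Point or the original article, of what "content analysis" means in practice for this campaign: a triage function that only runs on mail that already authenticates as Google and then scores what the message says and where its links go. The sender domain, hosting list, lure phrases, and the two-signal threshold are assumptions chosen for illustration, and the two messages at the bottom are constructed samples, not captured campaign artifacts.

```python
"""Content-based triage for mail that already passes SPF, DKIM and DMARC as Google.

Sender reputation is useless here, so the checks look at what the message says
and where its links go. Word lists and thresholds are illustrative assumptions.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Domain the notification authenticates as (assumption for the example).
GOOGLE_SENDER_DOMAINS = ("google.com",)
# Google Cloud hosting where any tenant with a project can publish a page;
# a genuine Workspace notification links to google.com hosts instead.
CLOUD_HOSTS = ("storage.googleapis.com", "cloudfunctions.net", "run.app",
               "appspot.com", "web.app", "firebaseapp.com")
# A notification authenticated as Google has no reason to ask for a Microsoft login.
MICROSOFT_TERMS = ("microsoft", "office 365", "outlook", "sharepoint", "onedrive")
# Wording that mimics the permission-request / verification workflow lures.
LURE_PHRASES = ("requested access", "review permissions",
                "verify your identity", "confirm you are human")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def host_matches(host, domains):
    """True if host equals one of domains or is a subdomain ('notgoogle.com' does not match)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def auth_passes(msg):
    """The receiving MTA recorded spf=pass, dkim=pass and dmarc=pass."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def sender_domain(msg):
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def body_text(msg):
    if msg.is_multipart():
        return "\n".join(part.get_content() for part in msg.walk()
                         if part.get_content_type() in ("text/plain", "text/html"))
    return msg.get_content()


def triage(raw_message):
    """Return a verdict and the content signals that produced it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if not (auth_passes(msg) and host_matches(sender_domain(msg), GOOGLE_SENDER_DOMAINS)):
        return {"verdict": "not-in-scope", "reasons": []}  # ordinary reputation checks apply

    text = body_text(msg)
    low = text.lower()
    reasons = []
    if any(term in low for term in MICROSOFT_TERMS):
        reasons.append("Google-authenticated mail asks for a Microsoft sign-in")
    hits = [p for p in LURE_PHRASES if p in low]
    if hits:
        reasons.append("permission/verification lure wording: " + ", ".join(hits))
    for url in URL_RE.findall(text):
        host = urlparse(url).netloc
        if host_matches(host, CLOUD_HOSTS):
            reasons.append(f"link to tenant-controlled Google Cloud host {host}")
        elif not host_matches(host, GOOGLE_SENDER_DOMAINS):
            reasons.append(f"link leaves Google: {host}")
    # One signal alone is normal (a real share mail also says "requested access");
    # two or more together is the campaign's pattern.
    return {"verdict": "suspicious" if len(reasons) >= 2 else "ok", "reasons": reasons}


# Constructed samples, not captured campaign artifacts.
PHISH = """\
From: Google Cloud <noreply@google.com>
To: finance@example.com
Subject: A user has requested access to a file
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain

A colleague has requested access to "Q3-invoices.xlsx".
Review permissions: https://storage.googleapis.com/shared-docs-9x/review.html
You will be asked to sign in to Microsoft 365 to confirm you are human.
"""

LEGIT = """\
From: Google Drive <drive-shares-dm-noreply@google.com>
To: finance@example.com
Subject: Document shared with you: Q3 plan
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain

Alice shared a document with you.
Open: https://docs.google.com/document/d/1abc/edit
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(raw))
```

The design point is the first check: the function deliberately applies only to mail that authenticates as Google, because that is exactly the mail a reputation gateway waves through. The brand mismatch (a Google notification demanding a Microsoft login) and the hosting mismatch (a link to tenant-controlled storage rather than a google.com host) are the two signals that survive even when everything about the envelope is genuine.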
Enhanced security training should help employees recognize suspicious permission requests or voicemail notifications, regardless of their apparent legitimacy. Since these phishing attempts exploit trust in Google's infrastructure, recipients must exercise caution even with familiar-looking communications.
Organizations should recognize that cloud computing security issues demand specialized approaches beyond traditional perimeter defenses.
Enforce Strict Access Controls
Barr recommends organizations "limit who can set up external emails, use least-privilege access to automation services, and keep track of and report workflow activities like any other API or non-human identity."
These controls restrict who can create the automation workflows that might be exploited in such attacks. By treating automation services with the same security rigor applied to other critical systems, organizations can reduce their attack surface.
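As an added example of the first half of that advice (finding out who can author workflows before tightening it), here is a short audit of a project's IAM policy, written for this page rather than taken from Google's documentation or from any of the researchers quoted. The input is the JSON that `gcloud projects get-iam-policy PROJECT --format=json` produces; the role names, the corporate domain, and the severity labels are assumptions for the example, and the embedded policy is constructed, not from a real project.

```python
"""Find who can create or edit Application Integration workflows in a GCP project.

Input is the JSON returned by `gcloud projects get-iam-policy PROJECT --format=json`.
Role names and the corporate domain are assumptions for the example.
"""
import json

# Roles that allow creating/editing integrations (assumed names; verify in your console).
WORKFLOW_EDIT_ROLES = {
    "roles/owner", "roles/editor",
    "roles/integrations.integrationAdmin", "roles/integrations.integrationEditor",
}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
CORPORATE_DOMAIN = "example.com"  # assumption


def classify(member, role):
    """Severity of one member holding one workflow-editing role, or None if expected."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return "critical"   # anyone can author a workflow that sends mail from your project
    kind, _, ident = member.partition(":")
    if kind == "serviceAccount":
        return "review"     # non-human identity: track and report it like any other API key
    if kind in ("user", "group") and not ident.endswith("@" + CORPORATE_DOMAIN):
        return "high"       # external human identity
    if role in PRIMITIVE_ROLES:
        return "broad"      # owner/editor grants far more than the integration role needs
    return None


def audit(policy_json):
    """Return a finding for every member that can author workflows and should not, or not this way."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):   # conditional bindings are treated like plain ones here
        role = binding["role"]
        if role not in WORKFLOW_EDIT_ROLES:
            continue
        for member in binding.get("members", []):
            severity = classify(member, role)
            if severity:
                findings.append({"role": role, "member": member, "severity": severity})
    return findings


# Constructed policy (not from a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/integrations.integrationEditor",
         "members": ["user:bob@example.com", "user:contractor@gmail.com",
                     "serviceAccount:ci-deploy@proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": ["group:devops@example.com"]},
        {"role": "roles/integrations.integrationAdmin", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/integrations.integrationViewer", "members": ["user:alice@example.com"]},
    ]
})

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(f"{finding['severity']:>8}  {finding['member']}  ({finding['role']})")
```

Running it against the sample policy flags the public grant, the external contractor, the CI service account, and the DevOps group that holds the broad editor role, while the in-house user with the purpose-built integration role is treated as the expected, least-privilege case.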
Modify Default Configurations
"Default implementations of cloud services need to be changed," emphasizes Barr. Out-of-the-box configurations of cloud services often prioritize ease of use over security, creating potential vulnerabilities that attackers can exploit.
Security teams should collaborate with IT and DevOps to implement guardrails within configurations and code. This cross-functional approach helps ensure that legitimate business processes can continue while mitigating potential abuse.
Regular security assessments of cloud services and configurations should become a standard part of organizational security programs. These reviews should specifically examine how automation features might be abused.
Vendor Security Evaluation
Understanding how cloud providers manage security is crucial when evaluating potential vulnerabilities. Organizations should thoroughly evaluate cloud service provider security practices as part of their risk management strategy, with particular attention to automation features and default permission settings.
How to Use This Information
This emerging threat highlights several key actions organizations should consider:
- Audit your cloud automation tools – Identify who has access to create workflows that can send external communications and review existing automations for potential security issues
- Update security awareness training – Ensure employees understand that messages appearing to come from Google or Microsoft may still be malicious, even when they originate from legitimate domains
- Implement content-based detection – Since domain-based filtering won't catch these threats, invest in solutions that analyze message content, links, and attachment behavior rather than just sender reputation
- Establish multi-factor authentication – Implement MFA across all cloud services to provide an additional layer of protection even if credentials are compromised through these sophisticated phishing attempts
- Create incident response plans – Develop specific response procedures for cloud-based phishing attacks, including rapid containment steps if credentials are compromised
As cloud automation becomes increasingly central to business operations, we can expect attackers to continue finding new ways to exploit these trusted systems. Organizations that proactively address the security gaps in their cloud implementation will be better positioned to detect and prevent these sophisticated phishing attempts.