Scammers exploit official Google domain to send phishing emails undetected


Scammers have found a way to send fraudulent emails using Google’s official @google.com domain by abusing Google Cloud automation tools. Thousands of organizations received phishing emails that evaded security detection.

If you get emails from the legitimate Google address ‘[email protected],’ beware – scammers might be behind them.

A new large-scale phishing campaign abusing legitimate infrastructure has been flagged by Check Point Harmony Email Security researchers.


“Attackers sent 9,394 phishing emails targeting approximately 3,200 customers over the past 14 days. All messages were sent from the legitimate Google address [email protected],” the security firm warns in a report about scammers leveraging trusted Google Cloud automation capabilities.

[Image by Check Point: fraudulent email from Google domain]

Attackers make phishing emails even more convincing by mimicking routine enterprise notifications, such as voicemail alerts, requests for file access, or permissions.

Initial clicks also lead to legitimate Google infrastructure, but the chain of redirects ultimately leads to a malicious website that harvests credentials.

Google has acknowledged the issue and is taking steps to prevent further misuse of its services.

“We have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration. Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Google’s infrastructure,” the tech giant said in a statement to Check Point.


“While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands.”


How scammers make fake emails appear to come from Google

Google Cloud offers a Send Email functionality that allows customers’ applications to send emails for everyday business tasks to arbitrary recipients. It is useful when IT teams need to get system alerts, reports, or other notifications.

“You can email one or more recipients with a custom subject and a custom message,” the documentation reads.

However, attackers are exploiting this feature to craft and send phishing emails that come from Google’s official domain without compromising Google itself.

“The campaign appears to leverage Google Cloud’s Application Integration Send Email task, a feature intended for legitimate workflow automation and system notifications,” Check Point researchers explain.

The fake emails closely follow Google notification style and structure, including familiar formatting and language. Fraudsters lure their victims with references to voicemail messages or claims about granted access to a shared file or document. They might mention failed payments, salary bonuses, or contain other bait.

[Image by Check Point: fraudulent email from Google domain, second example]

“The attack relies on a multi-stage redirection flow designed to lower user suspicion and delay detection,” the researchers said.

Once the victim clicks a button or a link hosted on a legitimate Google Cloud service, they are redirected to a website also served from the googleusercontent.com domain.

The website employs CAPTCHA or image-based verification to block automated scanners and security tools, while allowing genuine users to proceed. After the validation process, the victims are redirected again to a fake, attacker-controlled website.


The malicious site impersonates the Microsoft login page to capture user credentials.
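The redirect flow described above can be checked from recorded click telemetry. The following is an added example, not code from Check Point, Google or this article; the sample hostnames, the brand table, and the `login_brand` input (assumed to come from a sandbox or proxy log) are constructed assumptions.

```python
from urllib.parse import urlsplit

# Domains where any customer can publish content, so a hit here says nothing
# about who controls the page. Only googleusercontent.com is from the article.
SHARED_HOSTING = {"googleusercontent.com"}
# Assumption: domains where a genuine Microsoft sign-in form is expected.
BRAND_LOGIN_DOMAINS = {"microsoft": {"microsoftonline.com", "live.com", "microsoft.com"}}


def host_in(url, domains):
    """True if the URL's host equals, or is a subdomain of, one of the domains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_chain(chain, login_brand=None):
    """Return findings for one recorded redirect chain.

    chain       -- URLs in the order the browser visited them
    login_brand -- brand of the sign-in form seen on the last page, if any
    """
    findings = []
    if not chain:
        return findings
    last = chain[-1]
    # Earlier hops on shared hosting, final hop somewhere else entirely.
    if any(host_in(u, SHARED_HOSTING) for u in chain[:-1]) and not host_in(last, SHARED_HOSTING):
        findings.append("shared-hosting hop hands off to an external host")
    # A branded login form is only expected on that brand's own domains.
    allowed = BRAND_LOGIN_DOMAINS.get((login_brand or "").lower())
    if allowed and not host_in(last, allowed):
        findings.append(f"{login_brand} login form on a host outside {login_brand} domains")
    return findings


# Constructed sample chain mirroring the stages in the article.
SAMPLE_CHAIN = [
    "https://files.googleusercontent.com/notice.html",   # link in the email
    "https://verify.googleusercontent.com/check",        # CAPTCHA stage
    "https://signin.phish.example/login",                # credential page
]

if __name__ == "__main__":
    for finding in assess_chain(SAMPLE_CHAIN, login_brand="Microsoft"):
        print("FINDING:", finding)
```

Each finding is a signal to score alongside other evidence rather than a verdict on its own, since legitimate pages hosted on shared infrastructure also link out to external sites.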


“This campaign highlights how attackers can misuse legitimate cloud automation and workflow features to distribute phishing at scale without traditional spoofing,” Check Point warns.

Traditional email security assumptions no longer hold. Even when the sender, domain, and infrastructure appear fully legitimate, email can still be part of a phishing attack.

