Cybercriminals Exploit Google Cloud Email Feature in Sophisticated Phishing Campaign

What happened

Cybersecurity researchers at Check Point have uncovered a large-scale phishing campaign that abuses Google Cloud’s Application Integration email automation feature to send thousands of deceptive emails appearing to originate from a legitimate Google address ([email protected]). The attackers crafted messages that mimic routine notifications (voicemail alerts, shared file access requests) and used a multi-stage redirection flow through trusted Google Cloud URLs to land victims on a fake Microsoft login page designed to harvest credentials. Google has blocked the specific misuse and is taking additional steps to prevent recurrence.

Who is affected

The campaign delivered approximately 9,394 phishing emails over a two-week period targeting around 3,200 organizations across the U.S., Asia-Pacific, Europe, Canada, and Latin America. Sectors hit include manufacturing, technology/SaaS, financial services, professional services, and retail, among others.

Why CISOs should care

This incident highlights a concerning evolution in phishing tactics: threat actors are leveraging legitimate cloud provider infrastructure and automation capabilities to get past conventional email security checks like SPF and DMARC, which such messages pass because they are sent from the provider's own systems. That increases the likelihood that malicious emails reach end-user inboxes. By using trusted domains and multi-stage redirection through cloud-hosted services, attackers significantly raise their chances of success, undermining traditional perimeter defenses.

3 practical actions

  1. Review cloud automation permissions: Audit who can configure and send emails via cloud automation platforms and enforce least-privilege controls.
  2. Enhance email filtering & MFA: Deploy advanced email security solutions that inspect URLs and attachments beyond sender reputation, and enforce multi-factor authentication (MFA) to reduce credential harvesting impact.
  3. User training & simulated phishing: Expand targeted awareness campaigns and run simulated phishing exercises to improve employee recognition of sophisticated email scams—even those leveraging trusted domains.
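
A small triage heuristic for action 2, added here as an example (it is not code from Check Point or Google): it treats an SPF/DMARC pass as insufficient and flags a message whose text names one brand while its links point elsewhere. The lure terms, the brand-to-domain map, the finding labels and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumptions: lure terms follow the themes described above; brand map is illustrative.
LURE_TERMS = ("voicemail", "shared a file", "access request")
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "office.com", "microsoftonline.com")}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message; every address and host is a placeholder.
SAMPLE = """\
From: Notifications <noreply@cloud-provider.example>
Subject: New voicemail
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

You have a new voicemail. Sign in with your Microsoft account to listen:
https://storage.cloud-provider.example/redirect/abc
"""


def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw):
    """Return findings for a single-part text message; [] means nothing flagged."""
    msg = message_from_string(raw)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart not handled here
    text = body.lower()
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        # Body names a brand, but no link points at that brand's domains.
        if brand in text and hosts and not any(host_in(h, domains) for h in hosts):
            findings.append(f"brand-mismatch:{brand}")
    if hosts and any(term in text for term in LURE_TERMS):
        findings.append("notification-lure-with-link")
    # An SPF/DMARC pass is recorded but never clears a content finding.
    if findings and "spf=pass" in auth and "dmarc=pass" in auth:
        findings.append("auth-pass-not-exculpatory")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE))
```

In a real pipeline the findings would feed a score alongside URL detonation and attachment inspection rather than block mail on their own.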