Google’s Own Tools Are Being Used to Hack You

According to Forbes, security researchers at Check Point have uncovered a sophisticated phishing campaign that’s actively exploiting a legitimate Google Cloud feature. The attackers are abusing a workflow automation tool called Google Cloud Application Integration to send malicious emails that appear to come from the legitimate Google address [email protected]. The emails contain mundane lures, like fake voicemail notifications, and link to pages hosted on Google’s own storage.cloud.google.com domain. After a fake captcha page meant to bypass security scanners, victims are redirected to a counterfeit Microsoft login page where their credentials are stolen. Google confirms it has blocked several campaigns using this method but warns users to remain cautious as the abuse leverages real, trusted infrastructure.

The Perfect Disguise

Here’s the thing that makes this attack so sneaky: it’s not a hack of Google’s systems. The bad guys are just using a tool exactly as it’s designed—to send automated email notifications. That means all the usual red flags we’re told to look for go out the window. The “from” address is pristine. The domain reputation is impeccable. Automated email security filters? They’re probably giving this a free pass because it’s literally coming from Google’s own house.

So the entire first line of defense is completely neutralized. It puts the entire burden of detection on the user, which is a losing battle. You get an email about a voicemail from a sender you trust. It looks normal. The link goes to a Google URL. At that point, why wouldn’t you click? That’s the psychological trick, and it’s brutally effective.

Beyond Just Email Security

This isn’t just another phishing alert. It’s a signal of a bigger shift in how cyberattacks are built. We’re moving past crude spoofing and into an era of “legitimate infrastructure abuse.” Attackers are renting cloud services, using official APIs, and leveraging trusted platforms as their attack vectors. The line between a legitimate business process and a malicious one is getting blurrier by the day.

And that has huge implications for business security. It means you can’t just rely on your email gateway to catch the bad stuff anymore. You need deeper layers, like robust multi-factor authentication (MFA) everywhere—because if a user does get tricked into entering a password, MFA is often the last roadblock. It also means security awareness training has to evolve. The old “check the sender address” advice is now insufficient. The new lesson is: “Trust no notification you didn’t explicitly request, no matter how real it looks.”

What Does This Mean For You?

Basically, question everything. Got a “voicemail” email from Google? Did you actually expect one? When you land on a login page, especially after clicking a link, always check the actual URL in the address bar. That fake Microsoft page won’t be on login.microsoft.com; it’ll be on some other domain. That’s your final clue.
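The address-bar check described above can also be automated, for example in a proxy rule or a browser extension. The following is an added example, not code from Check Point, Google or Forbes; the function name, the reason codes and the `.example` sample URLs are assumptions made for illustration, and only `login.microsoft.com` and `storage.cloud.google.com` come from the article.

```python
from urllib.parse import urlsplit

# From the article: the genuine Microsoft page is on login.microsoft.com.
EXPECTED_LOGIN_HOSTS = frozenset({"login.microsoft.com"})
# From the article: the lure pages sat on Google's storage domain, where the
# content is uploaded by customers, so host reputation says nothing about the page.
SHARED_HOSTING = frozenset({"storage.cloud.google.com"})


def check_login_url(url, expected=EXPECTED_LOGIN_HOSTS):
    """Return (is_expected, reason) for the URL of a page asking for a password."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "https":
        return False, "not-https"
    if has_userinfo:
        # https://login.microsoft.com@other.example/ really loads other.example
        return False, "userinfo"
    if host in expected:
        # Exact match only: substring and prefix tests are what lookalikes defeat.
        return True, "ok"
    if host in SHARED_HOSTING:
        return False, "shared-hosting"
    for name in expected:
        brand = name.split(".")[-2:][0]  # "microsoft" for login.microsoft.com
        if name in host or brand in host:
            # Expected name or its brand label embedded in a different host.
            return False, "lookalike"
    return False, "unexpected-host"


# Constructed sample URLs; the .example hosts are placeholders.
SAMPLES = [
    "https://login.microsoft.com/common/oauth2/authorize",
    "https://login.microsoft.com.account-verify.example/",
    "https://login.microsoft.com@signin.example/",
    "https://storage.cloud.google.com/bucket/voicemail.html",
    "https://microsoft-voicemail.example/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_login_url(sample), sample)
```

Only the first sample passes; the others fail for the reason a user scanning the address bar is most likely to miss.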

Google says it’s taking steps to prevent further misuse of this specific tool, and that’s good. But the cat’s out of the bag. Other attackers will try this method, and they’ll target other cloud automation features across different platforms. The core vulnerability here isn’t a software bug; it’s the inherent trust we place in notifications from major platforms. And that’s a much harder problem to patch.
