Google Cloud phishing attack affects 3,200 organizations with 9,000 emails.

Cybercriminals have found a sophisticated new method for sending phishing emails that land directly in your inbox.

Instead of pretending to be a well-known brand, they are taking advantage of legitimate cloud tools that people generally trust. Recent findings from security experts indicate that attackers have abused a legitimate email function within Google Cloud.

This abuse resulted in thousands of phishing emails that mimicked standard Google notifications, many of which bypassed spam filters without a hitch.

Understanding the Google Cloud Phishing Attack

The crux of the attackers’ strategy lies in Google Cloud Application Integration, a feature that enables businesses to automate email alerts as part of their workflows. The cybercriminals manipulated an email sending task within this system. Since the messages originated from legitimate Google addresses, they appeared genuine to both users and automated security systems.

Check Point, a prominent global cybersecurity organization, reported that these emails appeared authentic, closely resembling Google’s usual notification style in terms of font, wording, and layout. Over a span of two weeks in December 2025, attackers dispatched over 9,000 phishing emails, targeting approximately 3,200 organizations across the United States, Europe, Canada, Asia Pacific, and Latin America.

Why the Google Phishing Emails Are So Believable

The phishing messages often looked just like standard workplace notifications. Some individuals reported receiving voicemail alerts, while others saw notifications about shared documents like Q4 files. This sense of normalcy made it easier for recipients to ignore their suspicions. Additionally, since the emails were sent from Google’s infrastructure, they passed common authentication checks such as SPF and DMARC, making them even less suspicious.

Consequences of Clicking on the Links

The phishing attack extended beyond email. When a victim clicked on a provided link, they were led to a page at storage.cloud.google.com, which added a layer of trust. The link would then redirect them to googleusercontent.com. A fake CAPTCHA or image check was shown at this point, designed to deter automated security systems while still allowing human users to continue. After clearing this step, victims would land on a counterfeit Microsoft login page hosted on a non-Microsoft domain, where any credentials entered would be harvested by the attackers.
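
For defenders, the chain described above reduces to one rule: judge a login page by the host that finally serves it, never by the reputable hops that led there. The following is an added example (not code from Check Point or Google) that applies that rule to a recorded redirect chain; the allowlist, the function names and the `phish-login.example` domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative, non-exhaustive allowlist of hosts where a
# Microsoft sign-in form is expected. Maintain your own per identity provider.
BRAND_LOGIN_HOSTS = {
    "microsoft": {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"},
}
# Hosts named in the article that serve customer-controlled content.
USER_CONTENT_SUFFIXES = ("storage.cloud.google.com", "googleusercontent.com")


def host_of(url):
    """Hostname only: lower-cased, without port, userinfo or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def under(host, suffix):
    """True if host is suffix or a subdomain of it (label boundary enforced)."""
    return host == suffix or host.endswith("." + suffix)


def assess_chain(hops, claimed_brand):
    """Judge a redirect chain whose last hop shows a login form.

    Returns (verdict, reasons). Only the final host can earn trust;
    reputable intermediate hops never raise it.
    """
    reasons = []
    hosts = [host_of(u) for u in hops]
    final = hosts[-1]
    if urlsplit(hops[-1]).scheme != "https":
        reasons.append("final page is not served over HTTPS")
    if final not in BRAND_LOGIN_HOSTS.get(claimed_brand, set()):
        reasons.append(f"{claimed_brand} login form on unexpected host {final!r}")
    if any(under(final, s) for s in USER_CONTENT_SUFFIXES):
        reasons.append("login form served from user-content hosting")
    relays = [h for h in hosts[:-1] if any(under(h, s) for s in USER_CONTENT_SUFFIXES)]
    if relays and reasons:
        reasons.append("reached via trusted hosting: " + ", ".join(relays))
    return ("block" if reasons else "allow"), reasons


# Constructed sample chains; paths and phish-login.example are placeholders.
ARTICLE_CHAIN = [
    "https://storage.cloud.google.com/bucket-placeholder/notice.html",
    "https://sample.googleusercontent.com/check",
    "https://phish-login.example/common/oauth2/authorize",
]
LOOKALIKE = ["https://login.microsoftonline.com.phish-login.example/signin"]
GENUINE = ["https://login.microsoftonline.com/common/oauth2/v2.0/authorize"]
```

The exact-host comparison is what rejects the lookalike case, where the genuine login hostname appears only as a subdomain prefix of another domain.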

Targeted Industries

According to Check Point, the campaign particularly targeted sectors that depend on automated alerts and shared documentation, such as manufacturing, technology, finance, professional services, and retail. Other affected areas included healthcare, education, government, energy, travel, and media. In these settings, recurring permission requests and file-sharing notifications made the scam feel routine.

A Google representative stated that they have thwarted several phishing efforts exploiting the email notification feature. They also emphasized that this activity is due to the misuse of automation tools rather than a breach of Google’s infrastructure. Users are encouraged to stay cautious as malicious actors often impersonate trusted brands. Google is taking further measures to thwart such abuses.

How to Shield Yourself from Trustworthy-Looking Phishing Emails

Phishing emails are increasingly challenging to recognize, particularly as attackers exploit legitimate cloud services like Google Cloud. Here are some strategies to mitigate risk, especially when receiving emails that seem authentic.

1) Take Your Time Before Reacting

Cybercriminals thrive on a sense of urgency. Alerts about voicemails, shared files, or permission changes are designed to prompt quick action. Before clicking, pause and consider whether you were actually expecting that notification. If not, verify it through another channel.

2) Examine Links Before Clicking

Hover over any links to preview the destination domain. In this case, the link passed through multiple seemingly legitimate Google domains before landing on a fraudulent login page. If the final destination doesn’t match the service you need to log into, exit the page immediately.

3) Be Wary of File Access and Permission Emails

Alerts for shared documents tend to feel commonplace in the workplace. If you receive an email stating that you’ve been granted access to a file you don’t recognize, refrain from clicking directly on the link. Instead, open your browser and manually log into your Google Drive or OneDrive to verify any new files.

4) Use a Password Manager

Password managers act as a crucial line of defense. They won’t automatically fill in your credentials on counterfeit login pages hosted on unauthorized domains. If your password manager refuses to enter your information, that’s a significant warning sign.

It’s also wise to check if your email has been involved in a past data breach. A reputable password manager can scan for this, alerting you if your email or password appears in a known breach. Take immediate action to change any reused passwords if there’s a match.

5) Invest in Strong Antivirus Software

Modern antivirus programs do more than just scan for malware. Many can also detect malicious links and fraudulent login pages in real time. Quality antivirus software can protect against phishing attacks even after a link in an alert has already been clicked, which is crucial for multi-stage attacks.

To safeguard against harmful links that might introduce malware or steal personal information, ensure you have robust antivirus protection on all your devices.

6) Consider Using Data Deletion Services

Phishing schemes often succeed because attackers gather information such as your email address or job title from data broker websites. Data deletion services aim to eliminate your personal information from these sites, making it harder for attackers to craft convincing emails.

While no service can promise to remove all your data from the web, using a reliable data deletion service can offer significant peace of mind by systematically monitoring and removing your information from numerous sites.

7) Enable Two-Factor Authentication (2FA)

Even if an attacker manages to steal your password, two-factor authentication offers extra protection. Utilize app-based authentication or hardware security keys, especially for work-related emails and cloud storage accounts.

8) Report Suspicious Emails Promptly

If you notice something off, please report it. Inform your IT or security team about suspicious alerts to help them notify other departments. Acting quickly can prevent further phishing attacks from spreading within your organization.

This phishing campaign underscores the ever-evolving tactics of cybercriminals. Instead of cloaking themselves in fake brands, attackers are now directly exploiting widely trusted cloud services. As automation becomes even more routine, maintaining security awareness is critical. Emails that create urgency or prompt credential requests should always be scrutinized.
