Cybersecurity researchers have uncovered a sophisticated phishing campaign exploiting Google Cloud’s Application Integration email feature to harvest Microsoft 365 credentials from unsuspecting users. Unlike conventional phishing attempts, these emails were sent from legitimate Google addresses, making them harder for security filters and users to identify as malicious.
The campaign, reported by Check Point, leveraged the trust associated with Google Cloud infrastructure. Attackers used the built-in “Send Email” function of Application Integration to send messages from addresses like “noreply-application-integration@google[.]com.” Because the emails genuinely originate from Google-owned domains, they passed standard SPF and DMARC checks rather than being flagged by them, allowing them to reach inboxes with minimal interference. The messages were designed to resemble routine enterprise notifications, including voicemail alerts, document access requests, and file-sharing permissions, creating a convincing pretext for recipients to engage with the content.
Check Point’s investigation found that over a 14-day period in December 2025, roughly 9,394 phishing emails were distributed, targeting 3,200 organizations across the U.S., Asia-Pacific, Europe, Canada, and Latin America. The campaign primarily focused on sectors that rely heavily on automated notifications, shared files, and permission-based workflows, including manufacturing, technology, finance, professional services, and retail. Other industries, including media, education, healthcare, energy, government, travel, and transportation, were also affected. The researchers noted that the use of Google-branded formatting, familiar language, and routine notification styles further enhanced the perceived legitimacy of the emails.
Once a recipient clicked a link, the attack chain involved multiple redirection stages. Initial clicks directed users to storage.cloud.google[.]com, a trusted Google Cloud service, before redirecting them to googleusercontent[.]com, where fake CAPTCHA or image verification pages blocked automated scanners while allowing real users to proceed. After passing this validation, users were taken to counterfeit Microsoft login pages hosted on non-Microsoft domains, where entered credentials were harvested.
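Because these messages pass authentication checks, detection has to rely on the combination of traits described above (the Application Integration sender address, a notification-style lure, and a link into Google Cloud storage) rather than on any single one, since legitimate automation mail from an organization's own workflows uses the same sender. The scoring logic below is an added example, not code from Check Point or the article; the sample messages are constructed, and the indicator words and threshold are assumptions a defender would tune.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real campaign data): sender, subject, links seen in the body.
SAMPLE_MESSAGES = [
    {"from": "noreply-application-integration@google.com",
     "subject": "New voicemail received",
     "urls": ["https://storage.cloud.google.com/bucket-x/notice.html"]},
    {"from": "noreply-application-integration@google.com",
     "subject": "Build pipeline finished",            # benign automation mail, same sender
     "urls": ["https://console.cloud.google.com/integrations/run/123"]},
    {"from": "alerts@example.com",
     "subject": "Shared file: Q4 report",
     "urls": ["https://storage.cloud.google.com/bucket-y/doc.html"]},
]

# Indicators taken from the reported campaign; the word list is an assumed starting point.
LURE_WORDS = re.compile(r"voicemail|document access|shared file|file[- ]sharing|permission", re.I)
SUSPECT_SENDER = re.compile(r"^noreply-application-integration@google\.com$", re.I)
LANDING_HOSTS = {"storage.cloud.google.com", "googleusercontent.com"}


def host_of(url):
    """Lowercased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_landing_host(host):
    """True for the landing hosts themselves or any subdomain of them."""
    return any(host == h or host.endswith("." + h) for h in LANDING_HOSTS)


def score_message(msg):
    """Return (score, reasons). Each indicator adds one point; 3 means the full pattern matched."""
    reasons = []
    if SUSPECT_SENDER.match(msg["from"]):
        reasons.append("sender is the Application Integration no-reply address")
    if LURE_WORDS.search(msg["subject"]):
        reasons.append("subject uses a notification-style lure")
    if any(is_landing_host(host_of(u)) for u in msg["urls"]):
        reasons.append("link points at Google Cloud storage or usercontent")
    return len(reasons), reasons


def flagged(messages, threshold=3):
    """Subjects of messages that meet the threshold; lower scores are worth logging, not blocking."""
    return [m["subject"] for m in messages if score_message(m)[0] >= threshold]
```

Lower-scoring hits are still useful for triage: a score of 2 on the third sample (lure subject plus storage link from an outside sender) is the kind of message worth routing to a review queue rather than quarantining outright.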
Further analysis by xorlab and Ravenmail highlighted that the attacks also included OAuth consent phishing. Victims could inadvertently grant a malicious Azure AD application access to cloud resources, including subscriptions, virtual machines, storage, and databases. The attack’s multi-cloud approach, using Google, Microsoft, and AWS infrastructure, made detection difficult at any single point, while maintaining a consistent focus on stealing Microsoft 365 credentials.
In response, Google has blocked the misuse of the Application Integration email feature and is implementing additional safeguards to prevent similar campaigns. Security experts emphasize that this campaign demonstrates how attackers can weaponize trusted cloud automation and workflow tools to conduct large-scale phishing without traditional spoofing, underlining the importance of vigilance, multi-factor authentication, and user training to reduce credential compromise.