Google Tasks Feature Exploited in New Sophisticated Phishing Campaign

[Brownie2019]

Content source

https://gbhackers.com/google-tasks-feature-exploited/

Over 3,000 organisations, predominantly in manufacturing, fell victim to a sophisticated phishing campaign in December 2025 that leveraged Google’s own application infrastructure to bypass enterprise email security controls.

Attackers sent deceptive messages from noreply-application-integration@google.com, marking a critical shift in how threat actors exploit trusted platforms.

Unlike traditional phishing attempts that rely on domain spoofing or compromised mail servers, this campaign operated entirely within legitimate Google systems.

More here:

Google Tasks Feature Exploited in New Sophisticated Phishing Campaign

A phishing campaign in December 2025 that leveraged Google's own application infrastructure to bypass enterprise email security controls.

gbhackers.com

 

[Bot]

More here:

Google Tasks Feature Exploited in New Sophisticated Phishing Campaign

A phishing campaign in December 2025 that leveraged Google's own application infrastructure to bypass enterprise email security controls.

gbhackers.com

What stands out here is that this is not really a “Google Tasks hack”, but an abuse of a legitimate, trusted email-sending workflow inside Google’s cloud tooling.

What the reporting suggests (and why it slips past gateways)​

Multiple write-ups tie the December 2025 wave to attackers using Google Cloud Application Integration to send emails that genuinely originate from Google infrastructure. That means the messages can pass SPF/DKIM/DMARC and benefit from Google’s sender reputation.
Source: Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection - Check Point Blog

Check Point reports 9,394 emails over roughly 14 days targeting about 3,200 recipients, sent from the legitimate-looking sender: noreply-application-integration@google.com.
Source: Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection - Check Point Blog

This is enabled via the “Send Email” task in Application Integration, which can send to arbitrary recipients. Google’s documentation notes a per-task cap of 30 recipients, but attackers can simply iterate.
Source: Send Email task | Application Integration | Google Cloud Documentation

Typical lure and common delivery chain​

The theme varies (Google Tasks, “file access”, voicemail notifications), but the real advantage is trusted delivery plus trusted first-hop URLs.

Common patterns researchers describe:

• The email resembles a normal Google notification (buttons like “View task”, “Mark complete”, etc.).
  Source: [Dec 2025] How Attackers Are Abusing Google Infrastructure for Phishing
• A link chain such as:
  
  1. storage.cloud.google.com (trusted host)
  2. googleusercontent.com with a fake CAPTCHA or verification step (often to slow down scanners)
  3. Final landing on a fake Microsoft 365 login (or similar) to capture credentials
     Source: Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection - Check Point Blog

Google reportedly blocked multiple campaigns abusing this capability and framed it as misuse of an automation feature, not a compromise of Google’s infrastructure.
Source: Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign

Practical defenses​

For organizations​

• Don’t “implicitly trust” @google.com (or any major SaaS sender) for high-risk actions. Authentication is not the same as legitimacy in cases like this.
  Source: [Dec 2025] How Attackers Are Abusing Google Infrastructure for Phishing
• Add controls for this specific pattern:
  
  • Banner, warn, or quarantine messages from noreply-application-integration@google.com unless your org actually uses it.
  • Alert on Google-hosted first-hop links (example: storage.cloud.google.com) that ultimately lead to credential entry pages, especially Microsoft 365 lookalikes.
    Source: Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection - Check Point Blog
• Reduce the payoff:
  
  • Enforce phishing-resistant MFA (FIDO2 security keys or passkeys) for M365 and your IdP.
  • Tighten conditional access and session/token controls to limit impact if credentials are captured.

For end users​

• Treat unexpected “Tasks/voicemail/file access” emails as suspicious even if they come from an authentic Google address.
  Source: Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection - Check Point Blog
• Verify by opening the service directly via bookmarks (Tasks, Drive, Microsoft 365), not email buttons.
• If someone clicked and entered credentials:
  
  • Change the password immediately.
  • Revoke sessions/tokens and enable MFA if not already.
  • Report to IT/SOC and preserve the message including headers and the full URL chain.
  • Run an AV/EDR scan (credential theft is the main goal, but follow-on activity is always possible).

Bottom line​

This is a clean example of trusted-platform abuse: sender and authentication checks can look perfect, so defenses need to focus on whether the workflow makes sense and what the link chain is actually doing.
Source: Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection - Check Point Blog

 

[Divergent]

The attack leverages "Living off the Land" (LotL) tactics, using trusted cloud services to deliver malicious payloads.

Vector (MITRE T1566.002)

Sender

noreply-application-integration@google[.]com

This is a legitimate Google service address used for enterprise automation, not a spoofed domain.

Authentication

Passes all checks (SPF/DKIM/DMARC) because it is sent by Google.

Lure & Social Engineering (MITRE T1598)

Theme

"Employee Verification" or "Task Assignment" impersonating Google Tasks.

Urgency

Prompts users to "View task" or "Mark complete".

Payload Delivery (MITRE T1027)

Hosting

Redirects to Google Cloud Storage

storage.googleapis[.]com

Evasion

Security gateways (SEGs) often whitelist Google domains, allowing the link to pass through.

Remediation & Defense (SANS/CISA Aligned)

Standard "block the sender" rules fail here because the sender is a shared Google service. You must pivot to Intent-Based Detection.

Behavioral Filtering (Logic Gap)

Configure your Secure Email Gateway (SEG) to flag the specific combination of sender and link destination:

IF Sender = noreply-application-integration@google[.]com

AND Body_Link contains

storage.googleapis[.]com (or similar blob storage)

THEN Quarantine for analysis.

Rationale

Legitimate Google Tasks notifications typically link to

tasks.google[.]com

or internal enterprise apps, not raw Cloud Storage buckets.

Visual Analysis (User Training)

Instruct users to scrutinize the "From" address on internal notifications.

Red Flag

An internal HR or IT task notification should come from your corporate domain (e.g., )

hr@yourcompany[.]com

or a specific SaaS app notification address, not the generic

noreply-application-integration@google[.]com

Threat Hunting (SIEM)

Search your email logs for the last 30 days for:

Sender

noreply-application-integration@google[.]com

Subject

Keywords like "Task", "Verification", "Review"

Action

Verify if any users clicked links pointing to googleapis.com hosted pages.

References

MITRE ATT&CK T1566 (Phishing), T1027 (Obfuscated Files/Information)

Source RavenMail / GBHackers

Affected Sectors Manufacturing, 3,000+ organizations

 

[Parkinsond]

Just knowledge stop such attack; there is no such a thing called "google task verification".
That simple.