New Google-Themed Phishing Wave Hits Over 3,000 Global Organisations

Brownie2019

Mar 9, 2019
A recent investigation by researchers at Check Point Harmony Email Security uncovered a clever new phishing scam targeting businesses worldwide. Over the last 14 days, cybercriminals have been abusing Google's own automated systems to send out thousands of malicious emails that look entirely official.

How the Attack Works
According to Check Point’s report, this newly discovered campaign uses a tool called Google Cloud Application Integration. This service is normally used by companies to set up workflow automation, like sending automatic alerts. However, scammers have found a way to use this feature to send emails directly from a legitimate Google address: noreply-application-integration@google.com.
Technical Analysis

This campaign is notable for its use of "living off the land" (LotL) techniques, specifically abusing trusted cloud automation tools to provide an aura of legitimacy.

Attack Vector: Emails are sent via legitimate Google workflow automation, ensuring they pass SPF and DKIM checks as they originate from a verified Google domain.

Social Engineering: Messages are designed to look like "routine enterprise notifications," such as missed voicemails or "Q4" file alerts, to exploit user trust in internal office systems.

The Three-Step Trap:

Initial Click: The link points to a legitimate Google Cloud Storage page (storage.cloud.google.com).

Evasion: The user is redirected to a fake CAPTCHA hosted on googleusercontent.com. This step is specifically designed to block automated security scanners while allowing human targets through.

Harvesting: The final stage is a spoofed Microsoft login page where user credentials (usernames and passwords) are recorded.

Targeting Scope:

Volume: Approximately 9,394 emails sent to ~3,200 organizations in a 14-day window.

Geography: Primarily targeting the United States (48.6%), followed by APAC (20.7%) and Europe (19.8%).

Sectors: Manufacturing (19.6%) and Technology (18.9%) are the most frequently targeted industries.

Recommendation / Remediation

Block Sender/Indicators: Google has reportedly blocked these specific campaigns, but if your organization does not use this service, configure your internal mail filters to flag unexpected automated notifications from noreply-application-integration@google[.]com.

User Awareness: Alert employees that emails coming from legitimate @google[.]com addresses can still be malicious. Emphasize that legitimate CAPTCHAs will not lead to a Microsoft login prompt.

Enforce MFA: Since the ultimate goal is credential harvesting, robust Multi-Factor Authentication (MFA)—ideally using hardware keys or authenticator apps rather than SMS—remains the most effective defense against compromised passwords.

Google Cloud Review: If your organization uses Google Cloud Application Integration, audit your workflows to ensure no unauthorized integrations have been created to send external mail.
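To make the Block Sender/Indicators recommendation and the SPF/DKIM point in the analysis concrete, here is an added triage example (not part of the original post or of Check Point's report). It parses two constructed sample messages and scores the campaign's shape: the automation sender address when the organisation does not use Application Integration, links to the storage/usercontent hosts named above, and the "voicemail"/"Q4" lure subjects; a passing SPF/DKIM result is recorded but deliberately not treated as a trust signal. The `ORG_USES_APPLICATION_INTEGRATION` flag and the sample bodies are assumptions for illustration.

```python
import email
import email.utils
import re
from email import policy

SENDER = "noreply-application-integration@google.com"
LURE_HOSTS = ("storage.cloud.google.com", "googleusercontent.com")
ORG_USES_APPLICATION_INTEGRATION = False  # assumption: set per organisation

# Constructed sample messages (not captured mail): one shaped like the campaign,
# one a plausible legitimate notification from an org that uses the service.
SAMPLE_PHISH = """From: Voicemail Service <noreply-application-integration@google.com>
To: alice@example-corp.test
Subject: You have a missed voicemail
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com
Content-Type: text/plain

A new voicemail is waiting. Listen here:
https://storage.cloud.google.com/example-bucket/vm.html
"""

SAMPLE_BENIGN = """From: Build Alerts <noreply-application-integration@google.com>
To: ops@example-corp.test
Subject: Nightly pipeline finished
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com
Content-Type: text/plain

Pipeline run 42 completed. Details: https://console.cloud.google.com/
"""

def triage(raw, org_uses_service=ORG_USES_APPLICATION_INTEGRATION):
    """Return (verdict, reasons) for one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == SENDER and not org_uses_service:
        reasons.append("automation sender, but org does not use Application Integration")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hosts = re.findall(r"https?://([^/\s]+)", body)
    lure = [h for h in hosts if any(h == x or h.endswith("." + x) for x in LURE_HOSTS)]
    if lure:
        reasons.append(f"link to campaign-style host: {lure[0]}")
    if re.search(r"voicemail|\bq4\b", str(msg.get("Subject", "")), re.I):
        reasons.append("routine-notification lure subject")
    # Two or more independent signals -> quarantine; one -> human review.
    verdict = "quarantine" if len(reasons) >= 2 else "review" if reasons else "deliver"
    auth = str(msg.get("Authentication-Results", ""))
    if reasons and "spf=pass" in auth and "dkim=pass" in auth:
        # Expected for this abuse: mail really does come from Google, so a pass is not exculpatory.
        reasons.append("SPF/DKIM pass noted; not exculpatory for this sender")
    return verdict, reasons
```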