Phishing campaign abuses Google Cloud Application to impersonate legitimate Google emails


Researchers uncovered a phishing campaign abusing Google Cloud Application Integration to send emails posing as legitimate Google messages.

Check Point researchers have revealed a phishing campaign that abuses Google Cloud Application Integration to send emails impersonating legitimate Google messages. The attack uses layered redirection through trusted cloud services, user validation checks, and brand impersonation to evade detection and increase phishing success.

The experts observed nearly 9,400 emails targeting approximately 3,200 customers over a two-week period. The messages were sent from the legitimate Google address noreply-application-integration@google.com, significantly increasing the likelihood of reaching end users’ inboxes.

The phishing campaign abused Google Cloud’s Application Integration Send Email feature, a legitimate automation tool, to send emails from Google-owned domains without compromising Google itself. By misusing trusted cloud infrastructure, attackers bypassed sender reputation and domain-based defenses while impersonating authentic Google notifications. The emails closely mimicked Google’s style and referenced routine lures such as voicemail alerts or shared file access requests to prompt clicks.
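To show how a mail gateway could key on the traits this campaign combines (the Application Integration sender address named in the report, and the hop sequence the report describes: storage.cloud.google.com, then a googleusercontent.com validation page, then a Microsoft-branded login on a non-Microsoft host), here is an added Python detection example; it is not code from Check Point or Google. The sample redirect chain is constructed (with an RFC 2606 .invalid host standing in for the attacker's domain), and the Microsoft login allow-list is an assumption a defender would maintain.

```python
from urllib.parse import urlparse

# Sender address the report says the campaign abused.
ABUSED_SENDER = "noreply-application-integration@google.com"
# Hosts where a genuine Microsoft sign-in page lives (assumption: a
# defender-maintained allow-list, not taken from the report).
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "microsoft.com")

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _under(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(sender, chain, landing_brand):
    """Score one email against the campaign's traits.

    sender        - From address of the message
    chain         - ordered URLs the link resolved through (captured by a sandbox)
    landing_brand - brand the final page imitates, e.g. from a title/logo check
    Returns (verdict, reasons)."""
    hosts = [_host(u) for u in chain]
    reasons = []
    if sender.lower() == ABUSED_SENDER:
        reasons.append("sent via the Application Integration notification address")
    if hosts and _under(hosts[0], ("storage.cloud.google.com",)):
        reasons.append("first hop on storage.cloud.google.com")
    if any(_under(h, ("googleusercontent.com",)) for h in hosts[1:-1]):
        reasons.append("intermediate hop on googleusercontent.com (fake-CAPTCHA stage)")
    brand_mismatch = (bool(hosts) and landing_brand.lower() == "microsoft"
                      and not _under(hosts[-1], MICROSOFT_LOGIN_HOSTS))
    if brand_mismatch:
        reasons.append(f"Microsoft-branded login served from {hosts[-1]}")
    if brand_mismatch and len(reasons) >= 2:
        return "phishing", reasons  # trusted Google hop(s) ending at a look-alike login
    return ("suspicious" if reasons else "clean"), reasons

# Constructed sample: same hop structure as the reported chain, with an
# RFC 2606 .invalid host standing in for the attacker's look-alike domain.
SAMPLE_CHAIN = [
    "https://storage.cloud.google.com/EXAMPLE-bucket/voicemail.html",
    "https://EXAMPLE.googleusercontent.com/verify",
    "https://login-lookalike.invalid/common/oauth2/authorize",
]
# Constructed benign comparison: a direct link to a Google document.
BENIGN_CHAIN = ["https://docs.google.com/document/d/EXAMPLE"]

if __name__ == "__main__":
    print(classify(ABUSED_SENDER, SAMPLE_CHAIN, "Microsoft"))
    print(classify("noreply@example.invalid", BENIGN_CHAIN, "Google"))
```

The chain-resolution step (following each redirect in a sandbox and identifying the landing page's brand) is left to existing tooling; this block only scores the result.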
The attack used a multi-stage redirection chain: links first pointed to storage.cloud.google.com, then to googleusercontent.com with fake CAPTCHA checks to evade scanners, and finally to a counterfeit Microsoft login page on a non-Microsoft domain to harvest credentials.

The multi-stage redirection flow is composed of the following phases:

Initial click – The attack starts with a link on trusted storage.cloud.google.com, using a legitimate Google Cloud URL to build trust and avoid detection.

Validation and filtering stage – The link redirects to googleusercontent.com, showing a fake CAPTCHA to evade automated scanners while letting real users continue.

Final destination: credential harvesting – After the fake validation, users are sent to a counterfeit Microsoft login page on a non-Microsoft domain, where entered credentials are stolen.

The campaign mainly targeted manufacturing and industrial firms, followed by technology/SaaS and finance organizations. Professional services and retail were also affected, with smaller impacts across media, education, healthcare, energy, government, and other sectors. Most victims were based in the United States, with significant activity in Asia-Pacific and Europe, and smaller shares in Canada, Latin America, the Middle East, and Africa. In LATAM, Brazil and Mexico were most affected. The activity shows how attackers can abuse legitimate cloud workflows to launch scalable phishing campaigns that appear fully legitimate.

“This campaign highlights how attackers can misuse legitimate cloud automation and workflow features to distribute phishing at scale without traditional spoofing.
It reinforces the need for continued awareness, especially when emails include clickable links, even when the sender, domain, and infrastructure appear fully legitimate,” concludes the report published by Check Point.

Below is Google’s statement on these attacks:

“We have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration. Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Google’s infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further misuse.”

Pierluigi Paganini

(SecurityAffairs – hacking, Google Cloud Application)