Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign
Cybersecurity researchers have disclosed details of a phishing campaign that involves the attackers impersonating legitimate Google-generated messages by abusing Google Cloud's Application Integration service to distribute emails. The activity, Check Point said, takes advantage of the trust associated with Google Cloud infrastructure to send the messages from a legitimate email address ("
AI Analysis
Technical Summary
This phishing campaign abuses the 'Send Email' task within Google Cloud's Application Integration service, which allows sending custom email notifications from Google-owned domains (e.g., noreply-application-integration@google.com). Attackers leverage this legitimate automation feature to send phishing emails that bypass SPF and DMARC email authentication checks, increasing the likelihood of delivery to user inboxes. The emails mimic authentic Google notifications, such as voicemail alerts or file access permissions, using familiar formatting and language to reduce suspicion.

Over a 14-day period in December 2025, attackers sent approximately 9,394 phishing emails targeting around 3,200 organizations worldwide, including European entities. The attack chain involves a multi-stage redirection starting from a link hosted on storage.cloud.google.com, redirecting to googleusercontent.com, where victims encounter a fake CAPTCHA designed to block automated security scanners. After passing this verification, users are directed to a counterfeit Microsoft login page hosted on a non-Microsoft domain, where credential harvesting occurs.

The campaign targets sectors that commonly use automated notifications and shared document workflows, such as manufacturing, technology, financial services, professional services, and retail, but also extends to media, education, healthcare, energy, government, travel, and transportation. Google has responded by blocking the misuse of the Application Integration email feature and is implementing additional safeguards to prevent further abuse. This campaign exemplifies how attackers can exploit trusted cloud automation features to conduct large-scale phishing without traditional spoofing techniques.
Potential Impact
For European organizations, this phishing campaign poses a significant risk of credential theft, potentially leading to unauthorized access to corporate systems, data breaches, and subsequent lateral movement within networks. Sectors heavily reliant on Google Cloud services and automated workflows—such as manufacturing, technology, finance, and professional services—are particularly vulnerable. Compromise of credentials could result in financial fraud, intellectual property theft, disruption of operations, and reputational damage. The use of legitimate Google domains to send phishing emails undermines traditional email security controls, increasing the likelihood of successful phishing attempts. Additionally, the multi-stage redirection and CAPTCHA verification reduce detection by automated security tools, increasing the risk of undetected compromise. Given the broad targeting and trusted nature of Google Cloud infrastructure, the campaign could affect a wide range of European organizations, including critical infrastructure and government entities, amplifying potential national security and economic impacts.
Mitigation Recommendations
European organizations should implement advanced email security solutions capable of detecting phishing beyond SPF, DKIM, and DMARC, including heuristic and behavioral analysis to identify suspicious email content and links. Security teams should monitor for unusual email activity originating from legitimate cloud service domains and implement strict policies for handling automated notifications. User awareness training must emphasize the risks of phishing emails appearing to come from trusted cloud providers and the importance of verifying unexpected access requests or notifications. Multi-factor authentication (MFA) should be enforced on all critical systems, especially for cloud services and email accounts, to mitigate credential theft impact. Network defenders should deploy URL rewriting and sandboxing technologies to analyze links in emails before user clicks. Incident response plans should include procedures for rapid identification and containment of phishing incidents involving cloud service impersonation. Organizations should also collaborate with Google and other cloud providers to report abuse and stay informed about emerging threats exploiting cloud automation features.
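As an added example (not part of the article, Check Point's research, or the analysis above), the following Python triage script illustrates the recommendation to monitor notification-style email arriving from legitimate cloud service domains. It parses raw messages and flags those that combine the Application Integration sender address, passing SPF/DMARC results (which, as noted above, say nothing about legitimacy here) and a link into the storage.cloud.google.com / googleusercontent.com redirect chain described in the analysis. The two sample messages, the example.org recipient and the bucket path are constructed for illustration; in practice the input would come from a mail gateway or journaling mailbox.

```python
"""Heuristic triage for cloud-automation notification emails.

Added example, not from the article or Check Point. Sender address, link hosts
and lure themes come from the analysis above; the sample messages are made up.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Notification address of the abused Application Integration 'Send Email' task.
AUTOMATION_SENDERS = {"noreply-application-integration@google.com"}
# Hosts that appear in the multi-stage redirect chain described above.
SUSPECT_LINK_HOSTS = ("storage.cloud.google.com", "googleusercontent.com")
# Lure themes the analysis names (voicemail alerts, file access permissions).
LURE_PHRASES = ("voicemail", "access permission", "file access", "shared with you")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: shape of the campaign's lure, not a real captured message.
SAMPLE_PHISH = """\
From: Google Cloud <noreply-application-integration@google.com>
To: employee@example.org
Subject: New voicemail message received
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset=utf-8

You have a new voicemail. Listen here:
https://storage.cloud.google.com/CONSTRUCTED-BUCKET/voicemail.html
"""

# Constructed benign sample: internal notification with an internal link.
SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@example.org>
To: employee@example.org
Subject: Maintenance window on Saturday
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dmarc=pass header.from=example.org
Content-Type: text/plain; charset=utf-8

Details are on the intranet: https://intranet.example.org/maintenance
"""


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def text_parts(msg):
    """Yield the decoded text of every text/plain or text/html part."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            yield part.get_content()


def triage(raw):
    """Return a verdict ('review' or 'pass') plus the reasons behind it."""
    msg = message_from_string(raw, policy=default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    body = " ".join(text_parts(msg))
    text = (str(msg.get("Subject", "")) + " " + body).lower()

    reasons = []
    if sender in AUTOMATION_SENDERS:
        reasons.append("sender is the Application Integration notification address")
        if "spf=pass" in auth and "dmarc=pass" in auth:
            reasons.append("SPF/DMARC pass on a shared Google sender; not evidence of legitimacy")

    suspect_links = [
        url for url in URL_RE.findall(body)
        if host_matches(urlparse(url).hostname or "", SUSPECT_LINK_HOSTS)
    ]
    if suspect_links:
        reasons.append("link into the storage.cloud.google.com/googleusercontent.com chain")

    lures = [p for p in LURE_PHRASES if p in text]
    if lures:
        reasons.append("lure theme: " + ", ".join(lures))

    # Flag only when the automation sender is combined with a chain link or lure;
    # a bare automation notification is normal for tenants that use the service.
    verdict = "review" if sender in AUTOMATION_SENDERS and (suspect_links or lures) else "pass"
    return {"verdict": verdict, "reasons": reasons, "suspect_links": suspect_links}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

The verdict is deliberately "review" rather than "block": organisations that use Application Integration themselves receive genuine mail from the same address, so the combination of sender, chain link and lure theme is what should route a message to analyst review or URL sandboxing, not the sender alone.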
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Article Source: https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html (fetched 2026-01-03T00:18:04.205Z, 1,092 words)
Threat ID: 6958603ddb813ff03e0a0a57
Added to database: 1/3/2026, 12:18:05 AM
Last enriched: 1/3/2026, 12:18:33 AM
Last updated: 1/8/2026, 6:09:19 AM
Views: 98
Related Threats
- Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing (Medium)
- Complex Routing, Misconfigurations Exploited for Domain Spoofing in Phishing Attacks (Medium)
- A phishing campaign with QR codes rendered using an HTML table, (Wed, Jan 7th) (Medium)
- Cryptocurrency Scam Emails and Web Pages As We Enter 2026, (Sun, Jan 4th) (Medium)
- Phishing campaign abuses Google Cloud Application to impersonate legitimate Google emails (Medium)