Over 3,000 organisations, predominantly in manufacturing, fell victim to a sophisticated phishing campaign in December 2025 that leveraged Google’s own application infrastructure to bypass enterprise email security controls.
Attackers sent deceptive messages from [email protected], marking a critical shift in how threat actors exploit trusted platforms.
Unlike conventional phishing attempts that rely on domain spoofing or compromised mail servers, this campaign operated entirely within legitimate Google systems.
The emails passed all standard authentication checks, SPF, DKIM, DMARC, and CompAuth, creating a fundamental blind spot for conventional email security tools.
How the Attack Worked
The phishing emails impersonated legitimate Google Tasks notifications, claiming to be internal task assignments requesting employee verification.
Recipients were prompted with calls to action such as “View task” or “Mark complete,” which redirected to a malicious page hosted on Google Cloud Storage.
The attack exploited three critical weaknesses in conventional security models:
Trusted Sender Infrastructure: Emails originated from legitimate Google systems, inheriting Google’s high sender reputation and near-universal allowlisting across organisations.
High-Fidelity Brand Impersonation: The messages replicated the Google Tasks UI, branding, and familiar notification buttons with striking accuracy, making them visually indistinguishable from legitimate communications.
Payload on Trusted Domains: Rather than hosting malicious content on suspicious domains, attackers leveraged Google Cloud Storage URLs, rendering URL reputation-based detection ineffective.
Most email security platforms rely on sender reputation, domain trust, and authentication verification.
When all three factors are legitimate, as they were here, the email bypasses detection.
The contextual mismatch, Google Tasks being weaponised for HR verification, or a legitimate workflow triggering Cloud Storage redirects, remains invisible to conventional tools.
Security researchers at RavenMail detected the campaign by analysing intent and workflow context rather than relying solely on sender credentials.

The emails displayed obvious behavioural inconsistencies: internal tasks originating from external Google addresses, and Cloud Storage endpoints incompatible with legitimate Google Tasks operations.
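As an added illustration of the intent-and-workflow approach described above, the Python below is example code written for this page, not RavenMail's or Google's detection logic. It records the SPF/DKIM/DMARC result but never uses it as a trust signal, and instead flags two workflow inconsistencies: a Tasks-branded notification whose buttons link to Google Cloud Storage rather than the Tasks host, and an employee verification request arriving from outside the recipient organisation. Assumptions: the campaign's sender address is redacted in the article, so a labelled placeholder on google.com stands in for it; storage.googleapis.com and storage.cloud.google.com are the public Cloud Storage hosts and tasks.google.com is the Google Tasks web host; both sample messages are constructed.

```python
"""
Intent-based triage for Google Tasks-themed phishing mail.

Added example; not RavenMail's, Google's, or the article's code.
Assumptions (labelled): the sender address is redacted in the article, so a
placeholder address on google.com stands in for it; storage.googleapis.com and
storage.cloud.google.com are the public Google Cloud Storage hosts and
tasks.google.com is the Google Tasks web host; both sample messages below are
constructed for this example.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

CLOUD_STORAGE_HOSTS = {"storage.googleapis.com", "storage.cloud.google.com"}
TASKS_HOSTS = {"tasks.google.com"}
URL_RE = re.compile(r'https?://[^\s"<>]+')
TASK_CTA_RE = re.compile(r"view task|mark complete", re.I)
VERIFY_RE = re.compile(r"\bverif(y|ication)\b", re.I)


def auth_passed(msg: Message) -> bool:
    """True when SPF, DKIM and DMARC all read 'pass'. Recorded, never trusted on its own."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def message_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw: str, org_domain: str) -> dict:
    """Judge a raw RFC 5322 message by workflow consistency, not sender reputation."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = message_text(msg)
    subject = msg.get("Subject", "")
    link_hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    looks_like_tasks = bool(TASK_CTA_RE.search(text)) or "task" in subject.lower()

    findings = []
    # 1. Brand/workflow mismatch: a Tasks notification should link back to Tasks.
    if looks_like_tasks and not link_hosts <= TASKS_HOSTS:
        off_brand = sorted(link_hosts - TASKS_HOSTS)
        if link_hosts & CLOUD_STORAGE_HOSTS:
            findings.append(f"tasks notification links to Cloud Storage: {off_brand}")
        else:
            findings.append(f"tasks notification links to off-brand hosts: {off_brand}")
    # 2. Intent mismatch: an internal verification request arriving from outside the org.
    if VERIFY_RE.search(text) and sender_domain != org_domain.lower():
        findings.append(f"verification request from external sender domain {sender_domain}")

    return {
        "auth_passed": auth_passed(msg),
        "sender_domain": sender_domain,
        "link_hosts": sorted(link_hosts),
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


# Constructed sample 1: mimics the campaign (placeholder sender, real Cloud Storage host,
# placeholder bucket path). All authentication headers pass, as in the real campaign.
PHISH = """\
From: Google Tasks <placeholder-sender@google.com>
To: employee@example-manufacturer.com
Subject: New task assigned: Employee verification
Authentication-Results: mx.example-manufacturer.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<p>HR assigned you a task: complete your employee verification.</p>
<a href="https://storage.googleapis.com/placeholder-bucket/verify.html">View task</a>
<a href="https://storage.googleapis.com/placeholder-bucket/verify.html">Mark complete</a>
"""

# Constructed sample 2: a notification whose link stays on the Tasks host and asks for nothing.
BENIGN = """\
From: Google Tasks <placeholder-sender@google.com>
To: employee@example-manufacturer.com
Subject: Task reminder: Submit timesheet
Authentication-Results: mx.example-manufacturer.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<p>Reminder: your task "Submit timesheet" is due today.</p>
<a href="https://tasks.google.com/placeholder-task-link">View task</a>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw, "example-manufacturer.com"))
```

Both samples pass authentication identically; only the second check separates them, which is the point the researchers made: the verdict comes from whether the message's claimed workflow matches where its links and sender actually go, not from whether SPF, DKIM and DMARC pass.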
This campaign reflects an emerging pattern in which attackers abuse Google’s own cloud services, including AppSheet, Google Forms, and Application Integration, as delivery mechanisms for phishing.
The threat extends beyond Google; any trusted SaaS platform with email-sending capabilities becomes a potential attack vector.
Organisations must evolve beyond trust-based email security models toward intent-centric detection systems that analyse workflow legitimacy and contextual fit, regardless of sender reputation.