Phishing campaign abuses Google Cloud services to steal Microsoft 365 logins
Attackers are sending very convincing fake βGoogleβ emails that slip past spam filters, route victims through several trusted Google-owned services, and ultimately lead to a look-alike Microsoft 365 sign-in page designed to harvest usernames and passwords.
Researchers found that cybercriminals used Google Cloud Application IntegrationβsΒ Send EmailΒ feature to send phishing emails from a legitimate Google address:Β noreply-application-integration@google[.]com.
Google Cloud Application Integration allows users to automate business processes by connecting any application with point-and-click configurations. New customers currently receive free credits, which lowers the barrier to entry and may attract some cybercriminals.
The initial email arrives from what looks like a real Google address and references something routine and familiar, such as a voicemail notification, a task to complete, or permissions to access a document. The email includes a link that points to a genuine Google Cloud Storage URL, so the web address appears to belong to Google and doesnβt look like an obvious fake.
After the first click, you are redirected to another Googleβrelated domain (googleusercontent[.]com) showing a CAPTCHA or image check. Once you pass the βIβm not a robot check,β you land on what looks like a normal Microsoft 365 signβin page, but on close inspection, the web address is not an official Microsoft domain.
Any credentials provided on this site will be captured by the attackers.
The use of Google infrastructure provides the phishers with a higher level of trust from both email filters and the receiving users. This is not a vulnerability, just an abuse of cloud-based services that Google provides.
Googleβs response
Google said it has taken action against the activity:
βWe have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration. Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Googleβs infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further misuse.β
Weβve seen several phishing campaigns that abuse trusted workflows from companies like Google, PayPal, DocuSign, and other cloud-based service providers to lend credibility to phishing emails and redirect targets to their credential-harvesting websites.
How to stay safe
Campaigns like these show that some responsibility for spotting phishing emails still rests with the recipient. Besides staying informed, here are some other tips you can follow to stay safe.
- Always check theΒ actual web addressΒ of any login page; if itβs not a genuine Microsoft domain, do not enter credentials.β Using a password manager will help because they will not auto-fill your details on fake websites.
- Be cautious of βurgentβ emails about voicemails, document shares, or permissions, even if they appear to come from Google or Microsoft.β Creating urgency is a common tactic by scammers and phishers.
- Go directly to the service whenever possible. Instead of clicking links in emails, open OneDrive, Teams, or Outlook using your normal bookmark or app.
- Use multiβfactor authentication (MFA) so that stolen passwords alone are not enough, and regularly review which apps have access to your account and remove anything you donβt recognize.
Pro tip:Β Malwarebytes Scam Guard can recognize emails like this as scams.Β You can upload suspicious text, emails, attachments and other files and ask for its opinion. Itβs really very good at recognizing scams.
We donβt just report on scamsβwe help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itβs a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weβllΒ tell you if itβs a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!






