Google Cloud Application Integration Exploited in Sophisticated Multi-Stage Phishing Campaign Targeting Microsoft 365 Credentials

  • Rescana
  • 4 days ago
  • 5 min read
Executive Summary

A newly identified, sophisticated phishing campaign is actively abusing the Google Cloud Application Integration email feature to deliver multi-stage phishing attacks. Because the messages are sent through Google's own infrastructure from a legitimate Google domain, they pass SPF, DKIM, and DMARC checks, which are designed to catch spoofed senders rather than abuse of a genuine one, and so slip past traditional email security controls. The campaign employs a multi-stage redirection chain, using both Google Cloud Storage and googleusercontent.com domains, before ultimately harvesting Microsoft 365 credentials or abusing OAuth consent flows to gain persistent access to victim environments. It has targeted a broad spectrum of industries and geographies, demonstrating advanced tactics, techniques, and procedures (TTPs) that blend social engineering with cloud service abuse. The scale, technical sophistication, and abuse of trusted cloud services make this campaign a critical threat to organizations worldwide.

Threat Actor Profile

Attribution for this campaign remains unconfirmed, with no direct links to known advanced persistent threat (APT) groups. However, the operational sophistication, use of multi-cloud infrastructure, and advanced evasion techniques are consistent with both financially motivated cybercriminal groups and state-sponsored actors. The threat actors demonstrate a deep understanding of cloud service automation, email authentication bypass, and user behavior manipulation. Their infrastructure is highly dynamic, leveraging ephemeral cloud resources and frequently rotating phishing domains, which complicates takedown and detection efforts. The campaign’s global reach and sectoral diversity suggest a broad targeting strategy, likely aimed at maximizing credential theft and subsequent access to high-value cloud resources.

Technical Analysis of Malware/TTPs

The attack chain begins with a phishing email sent from noreply-application-integration@google.com, a legitimate sender address provisioned by the Google Cloud Application Integration “Send Email” task. These emails are crafted to mimic authentic Google notifications, such as shared document alerts or voicemail messages, and are often indistinguishable from genuine communications. Because the emails originate from Google infrastructure, they pass SPF, DKIM, and DMARC checks, allowing them to evade most email security gateways.

Embedded within the email is a hyperlink pointing to a Google Cloud Storage URL (e.g., https://storage.cloud.google.com/...). This first-stage redirection leverages the inherent trust in Google domains to bypass URL filtering and sandboxing solutions. Upon clicking the link, the victim is redirected to a googleusercontent.com domain, where a fake CAPTCHA or image-based verification is presented. This step is designed to thwart automated security scanners and ensure only real users proceed.

After passing the CAPTCHA, the victim is redirected to a phishing site, often hosted on AWS S3 or another cloud provider, which impersonates the Microsoft 365 login page. The phishing page is highly convincing, capturing entered credentials in real time. In some variants, the attack chain includes an OAuth consent phishing step, where the victim is prompted to grant permissions to a malicious Azure AD application. If successful, this grants the attacker persistent access to the victim’s Microsoft 365 environment, including email, files, and cloud resources, via delegated permissions and refresh tokens.

The campaign’s infrastructure is highly modular, with each stage hosted on a different cloud service to maximize resilience and complicate detection. The use of legitimate cloud automation features, such as Google Cloud Application Integration, represents a significant evolution in phishing TTPs, as it allows attackers to weaponize trusted SaaS platforms without exploiting traditional software vulnerabilities.

Exploitation in the Wild

This campaign has been observed at significant scale, with over 9,000 phishing emails sent to more than 3,000 organizations in a two-week period, according to open-source threat intelligence. The attacks have been reported across North America, Europe, Asia-Pacific, Latin America, and the Middle East. Sectors targeted include manufacturing, technology, finance, professional services, retail, media, education, healthcare, energy, government, travel, and transportation.

Victims report receiving emails that appear to originate from Google, with subject lines referencing shared files, voicemail alerts, or urgent account actions. The emails are often personalized, increasing their likelihood of success. Security researchers have documented successful credential harvesting and unauthorized OAuth consent grants, leading to subsequent business email compromise (BEC), data exfiltration, and cloud resource abuse.

The campaign’s use of Google and AWS infrastructure for redirection and hosting has allowed it to evade many traditional security controls. Incident response teams have noted that the phishing URLs remain active for only short periods, with rapid rotation to new cloud resources, further complicating detection and remediation.

Victimology and Targeting

Analysis of available data indicates that the campaign is opportunistic, with a focus on organizations using Microsoft 365 and Google Workspace. The most heavily targeted sectors are manufacturing, technology, and finance, but significant activity has also been observed in healthcare, education, government, and professional services. The geographic distribution is global, with the United States, Europe, and Asia-Pacific regions most affected.

Victims are typically mid- to large-sized enterprises, but small businesses and public sector organizations have also been targeted. The attackers appear to prioritize organizations with valuable intellectual property, financial assets, or access to critical infrastructure. The use of personalized lures and contextually relevant email content suggests that the threat actors conduct at least basic reconnaissance prior to launching attacks.

Mitigation and Countermeasures

Organizations should implement a multi-layered defense strategy to mitigate the risk posed by this campaign. Email security teams should monitor for and, where appropriate, block emails originating from noreply-application-integration@google.com, especially if the Google Cloud Application Integration feature is not in use within the organization. Security operations should enhance monitoring for unusual OAuth consent grants in Azure AD and investigate any unexpected application permissions.

User awareness training is critical. Employees should be educated to recognize suspicious Google notifications, especially those requesting urgent action or credential input. Simulated phishing exercises can help reinforce this training.

Technical controls should include enhanced URL filtering capable of analyzing links to Google Cloud Storage, googleusercontent.com, and other cloud-hosted resources. Security teams should monitor for user logins from suspicious domains or IP addresses, particularly following receipt of Google-branded notifications. If credential compromise is suspected, immediate password resets and revocation of OAuth tokens are essential. Administrators should regularly review and revoke unnecessary or suspicious Azure AD application consents.
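As an added illustration of the sender and URL checks described above (example code written for this page, not Rescana's tooling), the rule below parses a raw message, flags the documented Application Integration sender, and extracts links into the two redirect hosts named in the analysis. The sample message is constructed; the `feature_in_use` switch is an assumed per-tenant setting.

```python
"""Triage rule for the Google Cloud Application Integration phishing chain."""
import email
import email.utils
import re
from email import policy

# Sender provisioned by the Application Integration "Send Email" task (from the
# advisory). Legitimate when the organization actually uses the feature.
AI_SENDER = "noreply-application-integration@google.com"

# Hosts used for the first- and second-stage redirects described in the advisory.
CHAIN_HOSTS = ("storage.cloud.google.com", "googleusercontent.com")

URL_RE = re.compile(r"https?://([^\s/\"'<>]+)[^\s\"'<>]*", re.IGNORECASE)


def chain_links(body: str) -> list[str]:
    """Return URL hosts in the body that fall under the documented redirect hosts."""
    hosts = []
    for m in URL_RE.finditer(body):
        host = m.group(1).lower()
        if any(host == h or host.endswith("." + h) for h in CHAIN_HOSTS):
            hosts.append(host)
    return hosts


def triage(raw: bytes, feature_in_use: bool = False) -> dict:
    """Score a raw RFC 5322 message; returns the verdict and the evidence behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = chain_links(text)
    from_ai = sender == AI_SENDER
    # The sender alone is not malicious. The advisory's signal is that sender
    # combined with links into the redirect chain, in a tenant that does not use
    # the feature; a genuine Google notification still gets a human review.
    if from_ai and not feature_in_use:
        verdict = "quarantine" if hosts else "review"
    elif hosts:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "from_ai": from_ai, "chain_hosts": hosts}


# Constructed sample message for illustration; not a real capture.
SAMPLE = b"""From: Google <noreply-application-integration@google.com>
To: finance@example.com
Subject: A document was shared with you
Content-Type: text/plain

Open it here: https://storage.cloud.google.com/constructed-bucket/notice.html
"""
```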

Incident response plans should be updated to account for cloud-based phishing and OAuth abuse scenarios. Integration with threat intelligence feeds that track cloud-based phishing infrastructure can improve detection and response times.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our platform leverages advanced analytics, automation, and threat intelligence to deliver actionable insights and proactive risk reduction. For more information about how Rescana can help your organization strengthen its cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.