- Attackers abused Google Cloud Application Integration to send phishing emails from legitimate Google domains
- Emails mimicked Google notifications and redirected victims through trusted services
- Almost 3,200 companies targeted; most victims in US manufacturing, technology and financial sectors
Legitimate Google services are once again being abused in phishing attacks, successfully tricking targets into clicking on malicious links and giving away their login credentials.
In a recently released report, cybersecurity researchers from Check Point said they have seen nearly 10,000 emails sent to about 3,200 companies over the course of two weeks.
All the messages were sent from the [email protected] email account, which means the attackers abused Google Cloud Application Integration.
US manufacturing targeted
Google Cloud Application Integration is a managed Google Cloud service that connects applications, APIs and data sources without having to write custom code. It lets organizations automate workflows between cloud services, SaaS apps and internal systems using pre-built connections, triggers and actions. Emails generated through Google Cloud Application Integration often originate from Google-owned infrastructure and domains, meaning they are sent as part of an automated workflow and can inherit Google’s strong sender reputation.
In phishing campaigns, threat actors can create or compromise a Google Cloud project and configure an integration workflow that sends emails via Gmail APIs or other connected email services. In other words, this is simple abuse – not a breach of Google’s infrastructure.
To make the emails seem even more plausible, the attackers made sure that the messages closely followed Google’s notification style, language and formatting. The most common lures are notifications about a waiting voicemail message or a shared document.
The link shared in these emails leads to storage.google.cloud.com, which is a trusted Google Cloud service. But it then redirects to googleusercontent.com, where victims have to pass a fake CAPTCHA built to block security scanners. Eventually, victims are redirected to a fake Microsoft login page, where the attackers can trick them into giving away their login details.
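For defenders, the redirect chain described above can be checked in proxy or URL-sandbox records. The following is an added example, not code from Check Point, Google or the article; the record shape (ordered hop URLs plus the landing page title), the Microsoft sign-in hosts, the title keywords and all sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts named in the article for the first two stages of the chain.
ENTRY_HOSTS = {"storage.google.cloud.com"}  # as written in the article
RELAY_DOMAIN = "googleusercontent.com"
# Assumption: hosts where a genuine Microsoft sign-in page is expected.
MS_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com")
MS_BRAND_WORDS = ("microsoft", "outlook", "office 365")  # assumed title keywords


def host(url):
    return (urlsplit(url).hostname or "").lower()


def on_domain(h, domain):
    # Exact host or a true subdomain; rejects look-alikes such as
    # "googleusercontent.com.evil-example.test".
    return h == domain or h.endswith("." + domain)


def classify_chain(hops, landing_title):
    """hops: ordered URLs of one click; landing_title: <title> of the last page."""
    hosts = [host(u) for u in hops]
    if not hosts:
        return "ok"
    starts_trusted = hosts[0] in ENTRY_HOSTS
    relayed = any(on_domain(h, RELAY_DOMAIN) for h in hosts[1:-1])
    branded = any(w in landing_title.lower() for w in MS_BRAND_WORDS)
    # Microsoft branding served from a host that is not a Microsoft sign-in host.
    off_brand = branded and not any(on_domain(hosts[-1], d) for d in MS_LOGIN_HOSTS)
    if starts_trusted and relayed and off_brand:
        return "phish-chain"      # all three stages from the article
    return "brand-mismatch" if off_brand else "ok"


# Constructed sample records (not real campaign data).
SAMPLES = [
    (["https://storage.google.cloud.com/bucket-a/voicemail.html",
      "https://abc123.googleusercontent.com/captcha",
      "https://login.portal-example.test/signin"], "Sign in to your Microsoft account"),
    (["https://storage.google.cloud.com/bucket-b/report.pdf"], "report.pdf"),
    (["https://news.example.test/a", "https://login.microsoftonline.com/common"],
     "Sign in to your Microsoft account"),
    (["https://storage.google.cloud.com/bucket-c/x",
      "https://googleusercontent.com.evil-example.test/c",
      "https://z.example.test/login"], "Outlook sign in"),
]

if __name__ == "__main__":
    for hops, title in SAMPLES:
        print(classify_chain(hops, title), host(hops[-1]))
```

The "brand-mismatch" verdict is the more durable signal, since the entry and relay hosts can change between campaigns while the fake login page still has to imitate the brand.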
The majority of victims were in the US (48.6%), working in manufacturing/industrial (19.6%), technology/SaaS (18.9%), and finance/banking/insurance (14.8%).
Google told Check Point that “several phishing campaigns” exploiting Google Cloud Application Integration were already blocked.
“Importantly, this activity stems from abuse of a workflow automation tool, not a compromise of Google’s infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors often attempt to counterfeit trusted brands. We are taking additional steps to prevent further abuse,” Google concluded.