- Attackers abused Google Cloud Application Integration to send phishing emails from legitimate Google domains.
- Emails imitate Google notifications, redirecting victims to trusted services.
- Nearly 3,200 companies targeted; most victims in the manufacturing, technology and financial sectors in the United States.
Google’s legitimate services are once again being abused in phishing attacks that trick targets into clicking on malicious links and disclosing their login credentials.
In a recently released report, cybersecurity researchers at Check Point said they saw nearly 10,000 emails sent to about 3,200 companies in two weeks.
All messages were sent from the [email protected] email account, which means the attackers were abusing Google Cloud Application Integration.
Targeting the manufacturing industry in the United States
Google Cloud Application Integration is a managed Google Cloud service that connects applications, APIs, and data sources without the need to write custom code. It allows organizations to automate workflows between cloud services, SaaS applications and internal systems using predefined connectors, triggers and actions. Emails generated through Google Cloud Application Integration are sent as part of an automated workflow and often originate from Google-owned infrastructure and domains, which means they may inherit Google’s strong sending reputation.
In phishing campaigns, bad actors can create or compromise a Google Cloud project and set up an integration workflow that sends emails through Gmail APIs or other connected email services. In other words, this is abuse of a legitimate service and not a compromise of Google’s infrastructure.
To make the emails even more plausible, the attackers ensured that the messages faithfully followed Google’s style, language and notification format. Common lures include pending voicemails or notifications about a shared document.
The link shared in these emails leads to storage.cloud.google.com, which is a trusted Google Cloud service. However, it then redirects to googleusercontent.com, where victims have to pass a fake CAPTCHA designed to block security scanners. Finally, victims are redirected to a fake Microsoft login page, where they may be tricked into revealing their login credentials.
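One way a mail-security pipeline could triage the redirect chain described above, as an added example that is not code from Check Point or Google. It classifies a sandbox crawl of an emailed link; the page-record fields (`url`, `title`, `password_field`), the host lists and the sample crawls are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Host lists are assumptions for this example; tune them for your environment.
ENTRY_HOSTS = {"storage.cloud.google.com"}        # trusted host seen in the email link
RELAY_SUFFIXES = ("googleusercontent.com",)       # second hop, serves the fake CAPTCHA
MS_LOGIN_SUFFIXES = ("microsoftonline.com", "microsoft.com", "live.com")
MS_BRAND_MARKERS = ("microsoft", "outlook", "office 365")

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def on_suffix(host, suffixes):
    # Exact domain or a true subdomain; "notmicrosoft.com" must not match.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify_chain(hops):
    """hops: ordered page records {"url", "title", "password_field"} from a sandbox crawl."""
    if not hops:
        return "no-data", []
    reasons = []
    hosts = [host_of(h["url"]) for h in hops]
    if hosts[0] in ENTRY_HOSTS:
        reasons.append("entry link on trusted Google Cloud host")
    if any(on_suffix(h, RELAY_SUFFIXES) for h in hosts[1:]):
        reasons.append("relay through googleusercontent.com")
    last = hops[-1]
    branded = any(m in last.get("title", "").lower() for m in MS_BRAND_MARKERS)
    if last.get("password_field") and branded and not on_suffix(hosts[-1], MS_LOGIN_SUFFIXES):
        reasons.append("Microsoft-branded login form on non-Microsoft host")
        return "phishing", reasons
    # A crawl that stops on the relay hop was probably halted by the CAPTCHA gate:
    # the final page was never seen, so escalate instead of passing the link.
    if len(reasons) == 2 and on_suffix(hosts[-1], RELAY_SUFFIXES):
        return "needs-review", reasons
    return "ok", reasons

# Constructed sample crawls (the example.net host and all paths are made up).
FULL_CHAIN = [
    {"url": "https://storage.cloud.google.com/bucket-x/voicemail.html", "title": "Redirecting"},
    {"url": "https://abc123.googleusercontent.com/verify", "title": "Verify you are human"},
    {"url": "https://login.example.net/common/oauth2",
     "title": "Sign in to your Microsoft account", "password_field": True},
]
SCANNER_STOPPED = FULL_CHAIN[:2]
GENUINE_LOGIN = [{"url": "https://login.microsoftonline.com/common/oauth2",
                  "title": "Sign in to your Microsoft account", "password_field": True}]

if __name__ == "__main__":
    print([classify_chain(c)[0] for c in (FULL_CHAIN, SCANNER_STOPPED, GENUINE_LOGIN)])
```

The `needs-review` verdict covers the case the article highlights: a scanner that cannot pass the CAPTCHA sees only trusted Google hosts, so a clean-looking chain that ends on the relay hop should be escalated rather than allowed.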
The majority of victims were located in the United States (48.6%), and the most targeted sectors were manufacturing/industrial (19.6%), technology/SaaS (18.9%), and finance/banking/insurance (14.8%).
Google told Check Point that “several phishing campaigns” abusing Google Cloud Application Integration had already been blocked.
“It is important to note that this activity resulted from abuse of a workflow automation tool and not from a compromise of Google’s infrastructure. While we have protections in place to defend users against this specific attack, we encourage caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further abuse,” Google concluded.




