
How Hackers Exploit Google Cloud Workflows to Run Stealthy Phishing Campaigns

In this campaign, attackers begin by directing victims through a seemingly legitimate workflow that gives the attack an air of authenticity. The initial link sends users to content hosted on googleusercontent[.]com, a trusted Google-controlled domain, which helps lower suspicion.

At that stage, users are presented with a fake CAPTCHA or image-based verification screen. This step serves two purposes. First, it blocks automated scanners and many security tools from inspecting the phishing infrastructure. Second, it allows real users to continue without realizing anything is wrong.

Once the verification step is completed, victims are redirected to a fraudulent Microsoft sign-in page. Although the page closely resembles an official Microsoft login portal, it is hosted on a domain that has no affiliation with Microsoft. Any credentials entered on this page are immediately captured by the attackers.
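
One way to hunt for the chain described above in web-proxy logs, as an added example that is not part of the original article: it flags a POST to a Microsoft-titled page on a non-Microsoft host shortly after the same user visited googleusercontent.com. The event schema, the 10-minute window, the Microsoft suffix list and all sample hosts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LURE_SUFFIX = "googleusercontent.com"  # hosting domain named in the article
# Assumption: suffixes your organisation accepts as genuine Microsoft sign-in hosts.
MS_SUFFIXES = ("microsoftonline.com", "microsoft.com", "live.com")
WINDOW = timedelta(minutes=10)         # assumption: max delay between lure and login

def under(host, suffix):
    """True if host is the suffix itself or a subdomain of it (not a look-alike)."""
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def find_credential_handoffs(events):
    """Flag a POST to a Microsoft-titled page on a non-Microsoft host that
    follows a googleusercontent.com visit by the same user within WINDOW."""
    last_lure, alerts = {}, []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        host = urlsplit(ev["url"]).hostname
        if under(host, LURE_SUFFIX):
            last_lure[ev["user"]] = (ts, host)  # remember the most recent lure visit
            continue
        lure = last_lure.get(ev["user"])
        if lure is None or ts - lure[0] > WINDOW:
            continue
        branded = "microsoft" in ev.get("title", "").lower()
        genuine = any(under(host, s) for s in MS_SUFFIXES)
        if ev["method"] == "POST" and branded and not genuine:
            alerts.append({"user": ev["user"], "lure_host": lure[1],
                           "login_host": host, "ts": ev["ts"]})
    return alerts

# Constructed sample events (hypothetical schema: ts, user, method, url, title).
SAMPLE = [
    {"ts": "2025-01-01T09:00:00", "user": "alice", "method": "GET",
     "url": "https://files.googleusercontent.com/doc", "title": "Verify you are human"},
    {"ts": "2025-01-01T09:01:30", "user": "alice", "method": "POST",
     "url": "https://login.microsoftonline.com.example.net/auth", "title": "Sign in - Microsoft"},
    {"ts": "2025-01-01T09:05:00", "user": "bob", "method": "GET",
     "url": "https://lh3.googleusercontent.com/img", "title": ""},
    {"ts": "2025-01-01T09:06:00", "user": "bob", "method": "POST",
     "url": "https://login.microsoftonline.com/common/login", "title": "Sign in - Microsoft"},
    {"ts": "2025-01-01T11:00:00", "user": "carol", "method": "POST",
     "url": "https://portal.example.org/login", "title": "Microsoft account"},
]

if __name__ == "__main__":
    for alert in find_credential_handoffs(SAMPLE):
        print(alert)
```

The suffix match on the parsed hostname is what keeps a look-alike such as a Microsoft name prepended to an unrelated domain from passing as genuine.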


Google Takes Action Against the Abuse

Following the discovery of the campaign, Google confirmed that it has blocked the phishing activity that exploited its Google Cloud Application Integration email notification feature. The company also stated that additional safeguards are being implemented to prevent similar abuse going forward.


Industries Most Affected

According to analysis by Check Point, the campaign has mainly targeted organizations in manufacturing, technology, financial services, professional services, and retail. However, attackers have also attempted to reach victims in other sectors, including media, education, healthcare, energy, government, travel, and transportation.

These industries are particularly vulnerable because they frequently rely on automated notifications, shared documents, and permission-based workflows. As a result, Google-branded alerts blend naturally into everyday operations, making them especially convincing.


Why This Campaign Is Concerning

This activity demonstrates how threat actors can weaponize legitimate cloud automation tools to distribute phishing messages at scale. Rather than relying on traditional email spoofing, attackers are abusing trusted platforms and workflows, making detection and user awareness far more difficult.

The campaign highlights a growing challenge for defenders: phishing attacks no longer need fake branding or suspicious infrastructure to succeed. When trusted cloud services are misused, even experienced users may struggle to tell the difference between a real notification and a malicious one.
