Scammers have figured out a way to send phishing emails from the official @google.com domain — and they’re doing it by abusing Google Cloud’s automation tools. Because the emails come from a legitimate Google address, they’re dodging security filters and landing straight in inboxes across thousands of organisations.
If you get an email from noreply-application-integration@google.com, don’t automatically trust it. It might be legit… or it might be a scammer using Google’s own tech against you.
A Large-Scale Google Phishing Campaign
Researchers at Check Point Harmony Email Security spotted the campaign and found that attackers sent nearly 9,400 phishing emails to around 3,200 customers in just two weeks. All of them came from that legitimate Google email address.
The phishing emails consist of the typical traits, a workplace-related document, an email from a “colleague” asking for access permissions etc.
The real danger in this campaign is that the initial links actually point to real Google infrastructure. It’s only after a series of redirects that victims end up on a malicious credential-harvesting site.
Google has acknowledged the abuse and says it has already blocked several campaigns misusing the email-notification feature in Google Cloud Application Integration. The key detail: Google wasn’t hacked — attackers simply misused a workflow automation tool.
Google has put extra protections in place, but as always, they warn users to stay cautious because attackers will keep trying to spoof trusted brands.
How Attackers Make Fake Emails Look Like They’re From Google
Google Cloud’s “Send Email” feature is designed for teams to send automated notifications — system alerts, reports, workflow updates, etc. But scammers have taken advantage of it to send emails from Google’s own domain without needing to breach Google at all.
The phishing emails copy Google’s style down to the formatting and tone. They use familiar lures too — voicemail messages, shared files, failed payments, bonuses, you name it.
Once you click, you’re sent through a chain of redirects starting from real Google Cloud services, then through pages on googleusercontent.com, complete with CAPTCHAs to fool security scanners. Eventually, you end up on a fake Microsoft login page designed to steal your credentials.
What This Means
This campaign shows a big shift: even emails that look 100% legitimate, from a real domain, hosted on trusted infrastructure, can still be part of a phishing attack. Traditional “check the sender” advice just isn’t enough anymore. We can only expect scammers and threat actors to use more and more sophisticated methods like this as our cyber security measures also progress. Your best bet is to stay aware of these developments, like a laptop doing updates.
We hope you’ve liked this blog. Stay tuned for more blogs like this. Stay safe!
