Check Point researchers have identified a phishing campaign exploiting Google Cloud Application Integration, in which the “Send Email” task is leveraged to send messages to random recipients. Due to the use of this service, the malicious emails appear to be sent from trusted Google infrastructure. Furthermore, the contents of the emails mimic routine notifications (such as permission requests), making them appear legitimate and trustworthy to targets. 

“This behavior suggests a misuse of legitimate cloud automation capabilities to impersonate authentic Google notifications while bypassing traditional sender reputation and domain based detection controls,” the research states. 

Within the 14 days before Dec. 22, the research discovered 9,394 phishing emails sent. These emails targeted around 3,200 customers. 

“The exploitation of Google Cloud’s Application Integration service underscores a critical vulnerability inherent in trusted cloud automation platforms, where attackers weaponize the very tools designed to streamline enterprise connectivity,” says Jason Soroko, Senior Fellow at Sectigo. “While development and IT teams legitimately utilize this integration-platform-as-a-service to synchronize data across disparate SaaS applications and orchestrate complex business workflows, threat actors have successfully subverted its ‘Send Email’ function to launch high-fidelity phishing attacks from an authoritative Google domain.” 

By industry, this campaign primarily targets finance/banking/insurance (14.8%), technology/SaaS (18.9%), and manufacturing/industrial (19.6%). Professional services/consulting and retail/consumer were also targeted frequently, accounting for 10.7% and 9.1%, respectively. As these industries often utilize automated permission-based workflows, shared files, and notifications in daily operations, this phishing campaign is especially convincing. 

“IT and DevOps teams use application integration and other cloud automation services a lot to automate real business processes, like system notifications, permission requests, onboarding messages, and operational warnings, without any help from people,” says Randolph Barr, Chief Information Security Officer at Cequence Security. “This campaign doesn’t show that the cloud provider failed; it indicates that there is a gap in shared responsibilities. IT teams typically regulate access to these services, DevOps teams create and manage the workflows, and security teams establish guidelines for their use and monitor potential misuse. If such responsibilities aren't in sync, people can exploit trusted automation in ways that extend beyond standard security measures.” 

The research illustrates these attacks depend on the following multi-stage redirection flow: 

1. Initial Click: The target clicks on a link hosted on a trusted Google Cloud service. 
2. Validation/Filtering Stage: The target is redirected to a false image-based verification to block security tools. 
3. Credential Harvesting: The target is redirected to a false Microsoft login page, in which their inputted credentials are harvested. 

Advice for Organizations 

Soroko suggests, “Because these communications originate from verified infrastructure and inherently bypass standard SPF and DMARC filters, organizations must pivot from reliance on gateway reputation checks to a more granular defense strategy that includes advanced content analysis to inspect message payloads and rigorous security awareness training to help employees scrutinize unexpected voicemail or permission requests regardless of the sender's technical authenticity.” 

Barr adds, “To reduce risk, companies should limit who can set up external emails, use least-privilege access to automation services, and keep track of and report workflow activities like any other API or non-human identity. Security teams also need to understand how automation features are utilized. At the same time, IT and DevOps teams will need guardrails built into configuration and code. Default implementations of cloud services need to be changed.”