Researchers warn that attackers are abusing Google's own notification infrastructure to deliver highly convincing phishing emails that bypass conventional email security controls, affecting over 3,000 organizations worldwide.

Observed in December 2025, the campaign marks an escalation in trusted-platform abuse, using legitimate services, not spoofed domains, to deliver malicious messages.

Attackers "… are increasingly abusing Google's own applications and cloud infrastructure to deliver phishing emails that look legitimate, authenticate cleanly, and evade traditional security controls," RavenMail researchers said in a blog post.

Inside the Google Tasks phishing campaign

Instead of spoofing Google, attackers used Google's Application Integration service to generate legitimate Google notification emails.

These messages contained familiar action buttons such as View task and Mark complete, closely matching genuine Google Tasks workflows and making them difficult for users to distinguish from real system alerts. When recipients clicked the buttons, they were redirected to phishing pages hosted at storage[.]cloud[.]google[.]com.

Because the links resolved to a trusted Google-owned domain, URL reputation and domain-based filtering did not flag the activity as suspicious.

The phishing pages themselves were carefully crafted to mirror Google Tasks with high fidelity, using authentic-looking UI elements, branded layouts, footer text, and professional formatting. This visual legitimacy reduced user suspicion and increased the likelihood of credential submission.

The emails also used authority cues, such as a sender label addressed to all staff, paired with urgency and minimal context, to prompt immediate action without scrutiny.

With no malicious attachments, no external domains, and no authentication anomalies, conventional email security controls had little signal to detect. Researchers note that this campaign reflects a broader trend toward trusted-platform abuse.

Similar attacks have leveraged Google Classroom, Google Forms, and AppSheet to harvest credentials by manipulating legitimate business workflows.

When trusted platforms become attack vectors

This campaign underscores a growing shift toward living-off-the-land attacks within trusted enterprise platforms.

Rather than relying on overtly malicious infrastructure, attackers repurpose legitimate SaaS capabilities to deliver phishing and social engineering at scale.

Similar abuse has been observed on platforms such as Salesforce and Amazon SES, where built-in messaging and automation features are leveraged to send malicious messages while appearing operationally normal.

As SaaS ecosystems become more interconnected and deeply embedded in daily workflows, the attack surface is moving away from traditional infrastructure vulnerabilities and toward business logic, identity trust, and workflow assumptions.

This evolution challenges security teams to rethink detection and defense strategies, focusing less on where a message comes from and more on whether its behavior aligns with expected use.

Defending against trusted SaaS abuse

Campaigns like these blend seamlessly into everyday business workflows, making them difficult to detect using domain reputation or signature-based controls alone.

Defending against this shift requires deeper visibility into how trusted tools are being used, and misused, across the organization.

  • Implement contextual email analysis to detect anomalous workflows, such as the use of task or collaboration tools for identity, HR, or compliance actions.
  • Implement workflow-level controls within SaaS platforms to restrict which services can send employee-facing requests or external notifications.
  • Apply phishing-resistant authentication and conditional access policies to limit the impact of credential compromise, even when users interact with trusted platforms.
  • Harden cloud storage and link-sharing policies to prevent unauthenticated access, credential harvesting, or unexpected redirects from trusted domains.
  • Enable post-delivery email detection and retroactive response capabilities to identify and remediate malicious messages after initial delivery.
  • Expand logging, identity threat detection, and incident response playbooks to specifically address abuse of legitimate SaaS services and trusted infrastructure.

These steps help detect anomalous workflows and limit blast radius.
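The first and fifth recommendations (contextual analysis, post-delivery detection) hinge on one observation the campaign makes concrete: the sender authenticates cleanly, so the signal is the mismatch between a genuine notification and where its buttons lead. The following is an added example, not code from the article or from RavenMail, of a post-delivery heuristic that can be run over already-delivered mail. The trusted-sender domain list, the keyword lists, the second storage host (storage.googleapis.com, an assumption added here) and both sample messages are constructed for illustration.

```python
"""Post-delivery heuristic check for trusted-platform notification abuse.

Added example, not code from the article or from RavenMail. It flags
messages that arrive from a legitimate Google notification sender but whose
action buttons link to customer-uploadable storage on a Google domain, or
whose body mixes task-tool wording with identity/HR/compliance urgency.
All host lists, keyword lists and sample messages below are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts on trusted domains that serve arbitrary customer-uploaded content.
# storage.cloud.google.com is from the campaign write-up; the second host is
# an assumption added here (another Cloud Storage front end).
USER_CONTENT_HOSTS = {"storage.cloud.google.com", "storage.googleapis.com"}

# Sender domains whose notifications pass authentication cleanly, so the link
# destination, not the sender, is the signal. Constructed for this example.
TRUSTED_NOTIFIER_DOMAINS = {"google.com"}

SENSITIVE_TERMS = re.compile(
    r"\b(password|credential|payroll|compliance|verify your account|sign in)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(immediately|urgent|action required|within 24 hours)\b", re.I)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def sender_domain(msg):
    """Return the domain of the From header, lower-cased ('' if absent)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_links_and_text(msg):
    """Collect hrefs and visible text from every text part of the message."""
    links, chunks = [], []
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", "replace")
        links.extend(HREF_RE.findall(body))
        chunks.append(TAG_RE.sub(" ", body))
    return list(dict.fromkeys(links)), " ".join(chunks)


def assess(raw_email):
    """Return findings and a verdict for one RFC 822 message string."""
    msg = message_from_string(raw_email)
    dom = sender_domain(msg)
    trusted = any(dom == d or dom.endswith("." + d) for d in TRUSTED_NOTIFIER_DOMAINS)
    links, text = body_links_and_text(msg)
    findings = []

    # Finding 1: a genuine notifier whose buttons land on user-uploaded content.
    bad_links = [u for u in links if urlparse(u).hostname in USER_CONTENT_HOSTS]
    if trusted and bad_links:
        findings.append("trusted notifier links to user-controlled storage: " + ", ".join(bad_links))

    # Finding 2: identity/HR/compliance language plus urgency inside a task alert.
    if SENSITIVE_TERMS.search(text) and URGENCY_TERMS.search(text):
        findings.append("identity/compliance wording combined with urgency cues")

    verdict = "quarantine" if len(findings) >= 2 else "review" if findings else "allow"
    return {"sender_domain": dom, "links": links, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real captures).
SUSPICIOUS_NOTIFICATION = """\
From: Google Tasks <tasks-noreply@google.com>
To: staff@example.com
Subject: All Staff: New task assigned to you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Action required: verify your account password immediately.</p>
<a href="https://storage.cloud.google.com/example-bucket/index.html">View task</a>
<a href="https://storage.cloud.google.com/example-bucket/done.html">Mark complete</a>
</body></html>
"""

BENIGN_NOTIFICATION = """\
From: Google Tasks <tasks-noreply@google.com>
To: alice@example.com
Subject: Task reminder: draft Q3 slides
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Reminder: "Draft Q3 slides" is due tomorrow.</p>
<a href="https://tasks.google.com/task/example-id">View task</a>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_NOTIFICATION), ("benign", BENIGN_NOTIFICATION)):
        result = assess(sample)
        print(f"{name}: {result['verdict']} {result['findings']}")
```

Because the sender domain is genuinely Google's, reputation lookups on either the sender or the link host return clean; the check only fires on the combination of a trusted notifier and a destination that any customer can write to, or on task-tool wording carrying identity and urgency language. A single finding routes the message to analyst review rather than quarantine, since legitimate tasks can reference shared storage.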

Editor's note: This article first appeared on our sister publication, eSecurityPlanet.com.
