
A new phishing campaign has been uncovered in which cybercriminals are abusing Google Cloud services to steal Microsoft 365 login credentials, according to a recent study conducted by Check Point Software Technologies. The campaign highlights how attackers are increasingly exploiting trusted cloud platforms to bypass security controls and deceive users into handing over sensitive information.
According to the report, the threat actors are misusing Google Cloud Application Integration to host and distribute phishing infrastructure. By leveraging the name and reputation of a legitimate and widely trusted technology company, the attackers were able to evade traditional spam filters and security detection mechanisms. The campaign primarily targeted organizations operating in the manufacturing and technology sectors, although some victims were also identified in the financial services industry, including banking and insurance firms.
One of the key reasons this campaign proved effective is the use of realistic and seemingly routine email subject lines. These included messages such as requests for document access permissions, task reminders, or voicemail notifications—emails that employees commonly receive in day-to-day business operations. Because the emails appeared familiar and were delivered via reputable cloud services, they raised little suspicion among recipients.
When victims clicked on the embedded links, they were redirected to a page displaying a CAPTCHA challenge or an “I’m not a robot” verification prompt. This step was intentionally added to lend legitimacy to the process and to reassure users that the page was secure. Once the CAPTCHA was completed, users were taken to a fraudulent Microsoft 365 login page designed to closely mimic the legitimate sign-in portal. Any credentials entered on this page were immediately harvested by the attackers.
Check Point researchers noted that the use of cloud-based workflow automation tools played a significant role in helping the attackers scale their operations while avoiding detection. Since the infrastructure was hosted on Google Cloud, many security systems failed to flag the activity as malicious, allowing the campaign to remain active longer than traditional phishing attempts.
In response to the findings, Google confirmed that it has blocked the phishing campaign and taken steps to prevent further misuse of its Cloud Application Integration services. The company stated that it is continuing to identify and disrupt malicious actors who exploit its platforms or impersonate trusted brands to deceive users. Google also reiterated its commitment to improving security controls and protecting customers from abuse of its cloud ecosystem.
From a user awareness perspective, cybersecurity experts emphasize the importance of vigilance. Individuals and organizations are advised to carefully verify URLs before entering login credentials, especially when prompted via email links. Subtle signs such as misspellings, extra characters, duplicated letters, or unusual domain extensions can indicate a malicious website. Additionally, enabling multi-factor authentication (MFA) and conducting regular phishing awareness training can significantly reduce the risk of compromise.
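The URL checks described above can also be automated, for instance in a mail gateway or web proxy rule. The following is an added example, not code from Check Point, Google or the original article; the allowlist containing only `login.microsoftonline.com`, the function names and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host this organisation accepts for Microsoft 365 sign-in.
TRUSTED_HOSTS = {"login.microsoftonline.com"}
TRUSTED_DOMAINS = {".".join(h.split(".")[-2:]) for h in TRUSTED_HOSTS}

def edit_distance(a, b):
    """Levenshtein distance; small values mean a misspelling or extra character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def squeeze(label):
    """Collapse repeated letters: 'microsooftonline' -> 'microsoftonline'."""
    return re.sub(r"(.)\1+", r"\1", label)

def check_login_url(url):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https URL with a host"
    if host in TRUSTED_HOSTS:
        return "trusted", "exact allowlist match"
    labels = host.split(".")
    # Naive registered-domain guess (last two labels); no public suffix list.
    name = labels[-2] if len(labels) >= 2 else host
    if ".".join(labels[-2:]) in TRUSTED_DOMAINS:
        return "unknown", "trusted domain, but host is not on the allowlist"
    for good in TRUSTED_DOMAINS:
        good_name = good.split(".")[0]
        if name == good_name:
            return "suspicious", "unusual domain extension"
        if squeeze(name) == squeeze(good_name):
            return "suspicious", "duplicated letters"
        if edit_distance(name, good_name) <= 2:
            return "suspicious", "misspelling or extra characters"
        if good_name in host:
            return "suspicious", "trusted name embedded in another domain"
    return "unknown", "no resemblance to a trusted sign-in host"

if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the campaign.
    for u in ("https://login.microsoftonline.com/common/",
              "https://login.microsooftonline.com/", "https://login.microsoftonline.co/"):
        print(u, check_login_url(u))
```

An "unknown" verdict means only that the host does not resemble the trusted sign-in host, not that the page is safe.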
The campaign serves as a reminder that even trusted cloud platforms can be weaponized by threat actors, making cybersecurity awareness and resilience more critical than ever.