"Cybersecurity researchers have disclosed details of a phishing campaign that involves the attackers impersonating legitimate Google-generated messages by abusing Google Cloud's Application Integration service to distribute emails. The activity, Check Point said, takes advantage of the trust associated with Google Cloud infrastructure to send the messages from a legitimate email address ("noreply-application-integration@google[.]com") so that they can bypass traditional email security filters and have a better chance of landing in users' inboxes."
"The fact that these emails can be configured to be sent to any arbitrary email addresses demonstrates the threat actor's ability to misuse a legitimate automation capability to their advantage and send emails from Google-owned domains, effectively bypassing DMARC and SPF checks. "To further increase trust, the emails closely followed Google notification style and structure, including familiar formatting and language," Check Point said."
Attackers abused Google Cloud Application Integration's Send Email task to distribute phishing messages from the legitimate address noreply-application-integration@google[.]com, enabling messages to bypass traditional email security filters. The campaign delivered 9,394 phishing emails targeting approximately 3,200 customers over a 14-day period in December 2025 across the U.S., Asia-Pacific, Europe, Canada, and Latin America. Messages mimicked routine enterprise notifications such as voicemail alerts and file access or permission requests and closely followed Google notification style and formatting to increase trust. The Send Email task supports up to 30 recipients but can be configured to send to arbitrary addresses, allowing threat actors to bypass DMARC and SPF checks and prompt recipients to click embedded links.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]