From Inbox To Account Takeover In Three Clicks

Cybercriminals are running a phishing campaign that impersonates legitimate Google-generated notifications by abusing Google Cloud's Application Integration "Send Email" task to distribute emails from the address "[email protected]," which can bypass common email security checks such as DMARC and SPF and reach user inboxes.

The messages are formatted to resemble routine corporate alerts including voicemail notifications and shared file or permission requests, and during a 14-day period in December 2025 at least 9,394 phishing emails were sent to about 3,200 customers across organizations in regions including the United States, Asia-Pacific, Europe, Canada, and Latin America.

Targets include manufacturing, technology, financial, professional services, and retail organizations, along with sectors such as media, education, healthcare, energy, government, travel, and transportation, where automated notifications and document-sharing workflows are common and help the fraudulent communications appear believable.

The attack chain uses a multi-stage redirection process beginning with links hosted on storage.cloud.google.com, which then redirect to googleusercontent.com to show fake CAPTCHA or image-based verification content intended to defeat automated scanners, and finally deliver victims to a counterfeit Microsoft login page on a non-Microsoft domain where entered credentials are captured.

The campaign also uses OAuth consent phishing by tricking victims into granting a malicious Azure Active Directory application delegated access to cloud resources such as Azure subscriptions, virtual machines, storage, and databases, and in some cases hosts fake login pages on Amazon Web Services S3 buckets. Each stage leverages trusted infrastructure from providers including Google, Microsoft, and AWS, making detection at any single point more difficult and reflecting a focus on harvesting Microsoft 365 account credentials.

Google has blocked the observed abuse of the Google Cloud Application Integration email notification feature and has indicated that additional measures are being implemented to prevent similar misuse in the future.

Source: https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html

Commentary

Google states that it has addressed the risk presented, but the key for employers and others is to avoid the risk before it is discovered and fixed.

Modern phishing campaigns show why employees must not click links in unsolicited messages, even when those messages appear to come from well-known cloud providers or mimic routine business notifications such as voicemail alerts and document-sharing requests.

Attackers are abusing legitimate automation features in services like Google Cloud to send emails from real provider domains that can pass authentication checks and slip past technical filters into inboxes, making the sender and formatting look routine and trustworthy.

Once a user clicks a link, traffic is often funneled through several trusted domains, sometimes showing a fake CAPTCHA page, before landing on a convincing but fraudulent Microsoft 365 login screen or an OAuth consent prompt that quietly hands attackers ongoing access to email, files, and cloud resources.

Employers and other organizations cannot rely on brand recognition, sender reputation, or automated controls alone and should train users to stop and verify before interacting with any unexpected notification about payments, file access, password problems, or account alerts. This is especially true where the email arrives out of context or pressures immediate action.

Warning signs include generic or mismatched subject lines, links that resolve to domains unrelated to the supposed service, login or consent pages that differ slightly in layout or web address from normal portals, and notifications that do not match activity visible in the user's standard account dashboard.
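As an added example (not code from the article, Google, or the campaign's victims), the redirect chain described in the news summary and the warning signs listed above can be turned into a mail-gateway check. The sample email, sender address, and redirect map are constructed placeholders standing in for what a URL sandbox would record when following each hop.

```python
import re
from urllib.parse import urlparse
# Constructed sample mirroring the path described above: cloud-storage link,
# googleusercontent.com interstitial, then a look-alike Microsoft login page.
# Sender address and final domain are placeholders, not real indicators.
SAMPLE_EMAIL = {
    "from": "notifications@google-placeholder.invalid",
    "body": "New voicemail received: https://storage.cloud.google.com/bucket-placeholder/vm.html",
}
# Stand-in for the hop-by-hop redirects a URL sandbox would record.
REDIRECTS = {
    "https://storage.cloud.google.com/bucket-placeholder/vm.html":
        "https://lh3.googleusercontent.com/captcha-placeholder",
    "https://lh3.googleusercontent.com/captcha-placeholder":
        "https://login-microsoftonline.lookalike-placeholder.invalid/signin",
}
# Hosts where anyone can publish content under a trusted provider's name,
# and the domains where a genuine Microsoft 365 sign-in page is served.
SHARED_CLOUD_HOSTS = ("storage.cloud.google.com", "googleusercontent.com", "s3.amazonaws.com")
MICROSOFT_LOGIN_DOMAINS = ("login.microsoftonline.com", "login.microsoft.com", "login.live.com")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def follow_chain(url, redirects, max_hops=10):
    # Walk the recorded redirect map from the emailed link to its landing page.
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return chain

def assess_email(email, redirects):
    # Return the warning signs raised by each link in the message body.
    findings = []
    sender_domain = email["from"].rsplit("@", 1)[-1].lower()
    for url in re.findall(r"https?://\S+", email["body"]):
        chain = follow_chain(url, redirects)
        first, final = host_of(chain[0]), host_of(chain[-1])
        if in_domains(first, SHARED_CLOUD_HOSTS):
            findings.append(f"link hosted on shared cloud storage: {first}")
        if len(chain) > 2:
            findings.append(f"{len(chain) - 1} redirects before the landing page")
        if "microsoft" in final and not in_domains(final, MICROSOFT_LOGIN_DOMAINS):
            findings.append(f"Microsoft-style login on non-Microsoft domain: {final}")
        if not in_domains(final, (sender_domain,)):
            findings.append(f"sender domain {sender_domain} unrelated to landing domain {final}")
    return findings
```

Run against the constructed sample, the check raises all four warning signs; a notification whose link lands on the sender's own domain raises none.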

Staff should be instructed to access cloud services via bookmarked URLs or official apps instead of embedded links. They should report suspicious messages to security teams, and confirm high-risk requests such as payment approvals or permission grants using secondary channels. This will help the organization detect these campaigns before the public alerts are published.
