Microsoft 365 credentials

A new phishing campaign is abusing trusted cloud infrastructure, and it changes the threat model.

Attackers are abusing Google Cloud services to bypass traditional email security controls and steal Microsoft 365 credentials. Any organisation running Microsoft 365 is a potential target.

This is not classic phishing. This is trusted cloud abuse.

Phishing of this kind no longer relies on suspicious domains or spoofed senders. The messages originate from legitimate cloud platforms.

Trust itself has become the attack vector.

The Core Problem

Threat actors are abusing Google Cloud workflow automation tools to send phishing emails that:

  • Appear authentic
  • Pass SPF, DKIM, and DMARC checks, because they genuinely leave Google's mail infrastructure
  • Bypass secure email gateways

The emails originate from verified Google addresses, using allowed features and legitimate infrastructure.

No spoofing. No compromised servers. No obvious indicators of malicious activity.

This fundamentally shifts how phishing campaigns evade detection.

Why This Attack Works

Most email security systems inherently trust Google-owned domains. End users trust them even more.

In this campaign:

  • Emails are sent from legitimate Google addresses
  • The sender reputation is clean
  • Security controls behave exactly as designed

Because nothing is technically “wrong,” the messages are delivered without friction.

The abuse happens entirely within permitted Google Cloud workflows.

How the Phishing Campaign Operates

Stage 1: Abuse of Google Cloud Application Integration

The attack begins inside Google Cloud Application Integration.

Threat actors use the Send Email feature to distribute phishing messages that blend into normal business traffic.

Common lures include:

  • Voicemail notifications
  • Document access or permission alerts
  • Routine account or workflow messages

Nothing appears suspicious. That is intentional.

Stage 2: Trust Reinforcement via Google Infrastructure

Clicking the link does not take the victim straight to the credential-harvesting page.

Instead:

  1. The user is first sent to a page hosted on Google Cloud Storage
  2. That page redirects to a googleusercontent.com domain

At each step, trust is reinforced:

  • The domains are legitimate
  • The infrastructure is owned by Google
  • URL reputation filters see no risk

Stage 3: CAPTCHA-Based Filtering

Before reaching the final destination, users encounter a CAPTCHA or robot check.

This serves two purposes:

  • Blocks automated security scanners
  • Conditions the user to comply and continue

Only human users proceed beyond this point.

Stage 4: Credential Harvesting

After the CAPTCHA, the final redirection occurs.

The victim lands on a convincing Microsoft 365 login page.

Credentials entered here are captured by the attacker immediately.

At this stage, trust has already been established, both technically and psychologically.

Why Detection Is Failing

Every step in the attack chain uses legitimate Google-owned domains.

As a result:

  • Email gateways allow delivery
  • URL scanners see trusted infrastructure
  • Security crawlers find no obvious indicators
  • Users have little reason to question the legitimacy

By the time the fake Microsoft 365 login page appears, suspicion is already disarmed.

Impact on Organisations

Compromised Microsoft 365 credentials enable:

  • Email account takeover
  • Sensitive data theft
  • Lateral movement
  • Internal phishing expansion

This attack scales rapidly.

Researchers, including Malwarebytes, have noted that free Google Cloud credits significantly lower the barrier to entry. Attackers can spin up new campaigns quickly, cheaply, and repeatedly.

The chain spans several Google services (Application Integration, Cloud Storage, googleusercontent.com), and that interoperability amplifies the risk.

Google’s Response

Google has acknowledged the abuse and has already disrupted multiple campaigns.

Importantly:

  • This is not a breach of Google’s infrastructure
  • It is the misuse of legitimate automation features

That distinction matters.

It also means similar abuse patterns can reappear, across Google Cloud or other trusted platforms.

Relying on domain trust is no longer sufficient.

Security teams should:

  • Move beyond sender reputation to contextual and behavioural analysis: where a link chain ends matters more than where the email came from
  • Train users to inspect the final login URL, not just the email sender
  • Enforce multi-factor authentication everywhere, preferring phishing-resistant methods
  • Ensure that a stolen password alone does not equal account takeover
  • Monitor unusual or unexpected workflow-generated emails
  • Treat automation abuse as a real and growing threat vector

The focus must shift from “Is this domain trusted?” to “Is this interaction expected and legitimate?”
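What that contextual check looks like in practice, as an added example that is not code from COE Security or from any write-up of this campaign: the script below models the four stages described above. It parses a message whose SPF, DKIM and DMARC results all pass, follows the link through a redirect chain that enters Google-owned hosting and exits through a robot check to a look-alike Microsoft 365 sign-in page, and classifies the chain by where it ends rather than where it starts. Every hostname, header value, page body and redirect hop is constructed so the example runs offline; the list of legitimate Microsoft sign-in hosts and the `loginfmt` page heuristic are assumptions a defender would maintain and tune themselves.

```python
"""Contextual triage for mail that passes SPF/DKIM/DMARC but carries a
phishing redirect chain through Google-owned hosts.

Added example, not code from COE Security or from the campaign write-up.
All hostnames, header values and page bodies are CONSTRUCTED: the redirect
map stands in for live HTTP 30x responses so the script runs offline, and
the Microsoft sign-in host list is an assumed allowlist.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately render a Microsoft 365 sign-in.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

RANK = {"benign": 0, "suspicious": 1, "malicious": 2}

# Constructed redirect map mirroring the stages above: Cloud Storage ->
# googleusercontent.com -> robot check -> look-alike login page.
REDIRECTS = {
    "https://storage.googleapis.com/example-bucket/voicemail.html":
        "https://abc123-example.googleusercontent.com/go",
    "https://abc123-example.googleusercontent.com/go":
        "https://verify.example.net/robot-check?next=1",
    "https://verify.example.net/robot-check?next=1":
        "https://office365-login.example.net/common/oauth2/authorize",
}

# Constructed final page bodies keyed by URL (real code would fetch them).
LANDING_PAGES = {
    "https://office365-login.example.net/common/oauth2/authorize":
        '<title>Sign in to your account</title>'
        '<form><input name="loginfmt"><input name="passwd" type="password"></form>',
    "https://login.microsoftonline.com/":
        '<title>Sign in to your account</title><input name="loginfmt">',
}

# Constructed message. The passing authentication results are exactly what
# the campaign produces, because the mail genuinely leaves Google infrastructure.
PHISH_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=workflow.example-google-sender.com; dkim=pass header.d=example-google-sender.com; dmarc=pass
From: Voicemail Service <no-reply@workflow.example-google-sender.com>
To: alice@example.com
Subject: New voicemail (0:42)

You have a new voicemail. Listen here:
https://storage.googleapis.com/example-bucket/voicemail.html
"""


def parse_auth_results(msg: Message) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def extract_urls(msg: Message) -> list:
    """Return every http(s) URL in a single-part text body."""
    body = "" if msg.is_multipart() else msg.get_payload()
    return re.findall(r"https?://[^\s<>\"']+", body)


def is_google_hosted(host: str) -> bool:
    """True for the Google-owned hosts the campaign bounces through (suffix-anchored)."""
    return (host == "storage.googleapis.com"
            or host.endswith(".storage.googleapis.com")
            or host.endswith(".googleusercontent.com"))


def follow_chain(url: str, redirects: dict, max_hops: int = 10) -> list:
    """Resolve a redirect chain from the map, capped so a redirect loop cannot hang us."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def renders_m365_login(html: str) -> bool:
    """Heuristic: Microsoft's sign-in page uses the loginfmt field and this title."""
    return 'name="loginfmt"' in html or "Sign in to your account" in html


def assess_chain(chain: list, pages: dict) -> tuple:
    """Classify a chain by where it ENDS, not by the trusted hosts it passes through."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    final_host = hosts[-1]
    if renders_m365_login(pages.get(chain[-1], "")) and final_host not in MICROSOFT_LOGIN_HOSTS:
        return "malicious", f"Microsoft 365 sign-in page served by {final_host}"
    if any(is_google_hosted(h) for h in hosts[:-1]) and not is_google_hosted(final_host):
        return "suspicious", f"chain enters Google-owned hosting and exits to {final_host}"
    return "benign", f"final host {final_host}"


def triage(raw_email: str, redirects: dict = REDIRECTS, pages: dict = LANDING_PAGES) -> dict:
    """Combine sender authentication with link-chain context; neither alone decides."""
    msg = message_from_string(raw_email)
    auth = parse_auth_results(msg)
    auth_passed = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    worst, findings = "benign", []
    for url in extract_urls(msg):
        chain = follow_chain(url, redirects)
        verdict, why = assess_chain(chain, pages)
        findings.append({"chain": chain, "verdict": verdict, "reason": why})
        if RANK[verdict] > RANK[worst]:
            worst = verdict
    return {"auth_passed": auth_passed, "verdict": worst, "findings": findings}


if __name__ == "__main__":
    result = triage(PHISH_EMAIL)
    print("auth passed:", result["auth_passed"], "| verdict:", result["verdict"])
    for f in result["findings"]:
        print(" -> ".join(f["chain"]), "|", f["reason"])
```

The point the script makes is that `auth_passed` comes back true for the constructed message, exactly as the gateway sees it, yet the verdict is still "malicious" because the sign-in page is rendered by a host that is not one of Microsoft's. A chain that merely exits Google-owned hosting to an unknown host is reported as "suspicious" for analyst review, so the Google hops add no trust in either direction.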

Conclusion

This campaign highlights a clear evolution in phishing tactics.

Attackers are no longer operating outside trusted ecosystems. They are hiding inside them.

As cloud platforms become more integrated, abuse opportunities increase. Defensive strategies must evolve at the same pace.

Trust can no longer be assumed, even when the email comes from Google.

About COE Security

COE Security supports organisations across:

  • Finance
  • Healthcare
  • Government
  • Consulting
  • Technology
  • Real Estate
  • SaaS

We help teams reduce risk through:

  • Email security and phishing defence
  • Advanced threat detection
  • Cloud security architecture
  • Secure development practices
  • Compliance advisory and governance
  • Security assessments and risk reduction

Follow COE Security on LinkedIn to stay informed and stay cyber safe.
