New Google Cloud Email Phishing Attack Targets SMBs

When “Legit” Emails Aren’t Legit: How Attackers Are Abusing Google Cloud to Trick Small Businesses

January 5, 2026

If you’re a small or midsize business owner, you’ve probably trained your team to watch for obvious phishing red flags: bad grammar, weird sender addresses, mismatched domains, or suspicious attachments.

Unfortunately, phishing has evolved.

A new campaign reported by The Hacker News shows cybercriminals using Google Cloud’s Application Integration to send phishing emails that appear to come from a legitimate Google source, making them far more likely to land in inboxes and bypass traditional defenses.

In plain terms, criminals are borrowing the “trust” of Google’s infrastructure to make their scams look real.

And for SMBs, this matters a lot because most smaller organizations don’t have large security teams to deeply inspect every email, link, and login prompt.

Let’s break down what happened, why it works, and what you can do to protect your business without needing enterprise-level resources.

What Happened: Phishing Emails Sent Through Google Cloud (Not Spoofed)

Here’s the key detail: these emails weren’t simply pretending to be Google.

Researchers discovered attackers abusing a feature within Google Cloud Application Integration to send emails from a legitimate-looking address associated with Google’s workflow notifications. The Hacker News reports that the attackers sent 9,394 phishing emails using this method.

This is a big deal because many email security tools rely heavily on sender reputation and trusted domains. If the email originates from Google-owned infrastructure, it has a better chance of passing checks and reaching inboxes.

This is an abuse of a legitimate cloud feature, not a “hack” of Google itself, which is important because it means attackers can do real damage without breaking into Google.

Why SMBs Are Especially at Risk

Big companies typically have layered security: security operations centers (SOCs), 24/7 monitoring, email sandboxing, and advanced identity protection.

SMBs often don’t.

And criminals know it.

This campaign reportedly targeted thousands of businesses, with a heavy concentration in the U.S. and strong interest in industries like manufacturing, technology/SaaS, and financial services.
But even if your company isn’t in those industries, the attack pattern applies to almost any business using Microsoft 365, meaning most modern organizations.

If your team depends on Google Workspace, Microsoft 365, cloud storage, shared files, or automated notifications, this kind of scam is designed to blend into your everyday workflows.

How the Scam Works (A Simple Walkthrough)

This wasn’t a one-click trick. It was a multi-stage phishing funnel designed to reduce suspicion at each step.

Here’s the typical flow:

1) A convincing “Google-style” email arrives

The message looks like a routine notification, things like:

  • “You have a new voicemail.”
  • “A file has been shared with you.”
  • “Action required on a document.”

The design and formatting closely resemble real Google notifications, increasing credibility.

2) The link leads to a trusted Google Cloud URL

The email includes a link that appears legitimate and leads to a Google Cloud domain such as storage.google.cloud.com (as described in reporting on this campaign).

This helps the attackers bypass user skepticism and some link scanners that flag unknown domains.

3) A redirect chain begins

After the trusted link, victims are redirected through additional layers, often to Google-hosted content, before landing on malicious infrastructure.

4) A fake CAPTCHA or “verification” step appears

Some victims encounter a fake CAPTCHA page designed to block automated scanners and give the experience a “legitimate checkpoint” feel.

5) The final destination: a Microsoft 365 login page

The campaign’s end goal is credential theft. Victims eventually land on a fake Microsoft 365 login portal, where they enter their username and password, handing over access to attackers.
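The funnel above, seen from the defender's side, as an added example that is not part of the original post: given the ordered list of URLs a link scanner followed after the click, it flags a Microsoft 365 sign-in form served from a non-Microsoft host, even when the first hop sits on a reputable platform. The cloud-platform.example and account-check.example hosts, the cue words and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hosts where a genuine Microsoft 365 sign-in form is expected (assumption for this example).
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "login.live.com")
# Placeholder for the cloud-hosted domains your mail filter treats as reputable (step 2).
TRUSTED_CLOUD_SUFFIXES = ("cloud-platform.example",)
LOGIN_CUES = ("sign in", "microsoft 365", "password")

# Constructed scanner output: the URLs followed after the click, in order.
PHISH_CHAIN = [
    "https://storage.cloud-platform.example/bucket/voicemail.html",
    "https://content.cloud-platform.example/verify-human",
    "https://login.microsoftonline.com.account-check.example/signin",
]
PHISH_TEXT = "Sign in to Microsoft 365. Enter your password to hear the voicemail."
BENIGN_CHAIN = ["https://storage.cloud-platform.example/bucket/q3-report.pdf"]


def host_in(host, domains):
    """True for an exact host or a real subdomain, never for a look-alike prefix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_chain(chain, landing_text):
    """Return findings for one click: chain is the ordered URL list, landing_text the final page text."""
    if not chain:
        return []
    hosts = [urlsplit(url).hostname or "" for url in chain]
    first, last = hosts[0], hosts[-1]
    text = landing_text.lower()
    findings = []
    # A page asking for Microsoft credentials must live on a Microsoft sign-in host.
    if sum(cue in text for cue in LOGIN_CUES) >= 2 and not host_in(last, MICROSOFT_LOGIN_HOSTS):
        findings.append(f"Microsoft 365 sign-in form on non-Microsoft host {last}")
    # The reputable first hop is only a launch pad if the visitor ends up somewhere else.
    if host_in(first, TRUSTED_CLOUD_SUFFIXES) and not host_in(last, TRUSTED_CLOUD_SUFFIXES):
        findings.append(f"trusted first hop {first} hands off to {last}")
    if len(set(hosts)) >= 3:
        findings.append(f"{len(set(hosts))} distinct hosts in the redirect chain")
    return findings


if __name__ == "__main__":
    for finding in assess_chain(PHISH_CHAIN, PHISH_TEXT):
        print("ALERT:", finding)
```

The exact-or-subdomain comparison in host_in is what keeps a host that merely starts with login.microsoftonline.com from passing as the real sign-in page.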

Why Microsoft 365 Credentials Are the Prize

Microsoft 365 credentials are extremely valuable because one login can unlock:

  • Email inboxes (customer info, invoices, internal discussions)
  • OneDrive and SharePoint documents
  • Teams chats and internal files
  • Password reset access for other business systems
  • Access to integrated SaaS tools (accounting, HR, CRM)

And once attackers get into one mailbox, they can:

  • Launch business email compromise (BEC) fraud
  • Request “urgent payments” from finance
  • Send more phishing from inside your organization
  • Search for bank info, vendor contracts, tax documents, or payroll files

For SMBs, that can mean direct financial loss, downtime, reputational damage, and regulatory headaches.

“Is Google Compromised?” No, But That’s the Problem

Google reportedly confirmed this activity stemmed from misuse of a workflow tool, not from a breach of its infrastructure.

This is a trend we’ll see more of: attackers don’t need to hack major platforms if they can weaponize legitimate features.

Cloud services are built to automate tasks like email notifications, app integrations, and system alerts. That convenience also creates opportunities for misuse, especially when tools can send emails to arbitrary recipients.

For defenders, it creates a new reality:

✅ Sender domain looks legit
✅ Email format looks legit
✅ The initial link is on a trusted platform
❌ But the intention is still malicious

Practical Protection Steps SMBs Can Take Today

You don’t need an enterprise SOC to improve your defenses. You need a few high-impact moves.

1) Turn on phishing-resistant MFA (not just SMS)

If your Microsoft 365 accounts still rely on SMS codes, you’re vulnerable to token theft and interception.

Upgrade to:

  • Authenticator app with number matching
  • Hardware security keys (FIDO2)
  • Conditional access policies (if available)

Even if attackers steal passwords, MFA can stop account takeover. (Not always—but it raises the bar significantly.)

2) Train your team for “trusted brand abuse”

Most training focuses on obvious scams. Modern phishing is subtler.

Update your security awareness training to include this concept:

“An email can look completely legitimate and still be phishing.”

Teach these habits:

  • Don’t trust links just because they’re Google or Microsoft
  • Never log in after clicking a link in an unexpected email
  • Instead, open a new browser tab and go directly to the service

3) Inspect the “behavior,” not just the sender

Even if the sender looks real, ask:

  • Why am I receiving this message?
  • Was I expecting a voicemail?
  • Was a file actually shared with me?
  • Does the email create urgency or confusion?

Phishing often relies on rushing the victim.

4) Reduce the damage of a compromised account

If an attacker gets in, you want a limited blast radius:

  • Require MFA for all users (not optional)
  • Restrict admin privileges
  • Monitor suspicious logins (new devices, impossible travel)
  • Set up alerts for mailbox forwarding rules
  • Disable legacy authentication
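One way to turn the "alerts for mailbox forwarding rules" item into a check, as an added example that is not part of the original post: it reads an export of inbox rules and raises an alert for every enabled rule that forwards or redirects mail outside the organisation, rating it higher when the rule also deletes the original. The record layout, the contoso.example domain and all sample rules are constructed assumptions, not a vendor schema.

```python
# Assumption: the mail domains your organisation owns.
INTERNAL_DOMAINS = ("contoso.example",)

# Constructed export of inbox rules; the field names are this example's own.
SAMPLE_RULES = [
    {"mailbox": "ap@contoso.example", "name": "To my assistant", "enabled": True,
     "forward_to": ["assistant@contoso.example"], "redirect_to": [], "delete_message": False},
    {"mailbox": "ap@contoso.example", "name": ".", "enabled": True,
     "forward_to": ["archive@mail-relay.example"], "redirect_to": [], "delete_message": True},
    {"mailbox": "ceo@contoso.example", "name": "Old vendor copy", "enabled": False,
     "forward_to": [], "redirect_to": ["copy@vendor.example"], "delete_message": False},
    {"mailbox": "hr@contoso.example", "name": "Payroll partner", "enabled": True,
     "forward_to": [], "redirect_to": ["Intake@Contoso.Example.payroll-intake.example"],
     "delete_message": False},
]


def is_external(address, internal=INTERNAL_DOMAINS):
    """An address is internal only if its domain is ours or a subdomain of ours."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal)


def audit_rule(rule):
    """Return (severity, reasons); severity is None when the rule needs no alert."""
    if not rule.get("enabled", True):
        return None, []  # disabled rules move no mail, so they raise no alert here
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(t for t in targets if is_external(t))
    if not external:
        return None, []
    reasons = ["sends mail outside the organisation: " + ", ".join(external)]
    if rule.get("delete_message"):
        reasons.append("deletes the original, so the mailbox owner never sees it")
        return "high", reasons
    return "medium", reasons


def audit(rules):
    """Collect (mailbox, rule name, severity, reasons) for every rule worth an alert."""
    alerts = []
    for rule in rules:
        severity, reasons = audit_rule(rule)
        if severity:
            alerts.append((rule["mailbox"], rule["name"], severity, reasons))
    return alerts
```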

5) Improve email security configuration

If you manage your own domain email, ensure:

  • SPF, DKIM, and DMARC are properly configured
  • You monitor DMARC reports (or use a vendor to do it)
  • You add link scanning or safe browsing protection where possible
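A check for the DMARC items above, as an added example that is not part of the original post: it parses the TXT value published at _dmarc.<your domain> and reports the settings that leave the policy in monitor-only mode or leave you without reports to review. The sample records and the contoso.example addresses are constructed; fetching the record from DNS is left out so the example runs offline.

```python
# Constructed TXT values as they would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.example",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@contoso.example; sp=none",
    "wrong-record": "v=spf1 include:_spf.contoso.example -all",
}


def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; return None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and is matched exactly.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(txt):
    """Return a list of findings; an empty list means the record enforces and reports."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record (v=DMARC1 must be the first tag)"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= policy")
    elif policy == "none":
        issues.append("p=none only monitors; mail that fails the check is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so there are no aggregate reports to monitor")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the failing mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        issues.append("sp=none leaves subdomains in monitor-only mode")
    return issues


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(label, review_dmarc(record) or "OK")
```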

Why This Matters for Managed IT and Outsourced Support

If you rely on outsourced tech support, now is a good time to ask a simple question:

“What are we doing to prevent cloud identity phishing – not just malware?”

Many traditional IT setups focus on endpoints and antivirus. But modern attacks target identity and cloud access.

If you’re evaluating or already using remote IT support in St. Paul, make sure your provider actively covers:

  • Microsoft 365 login monitoring
  • MFA enforcement
  • Suspicious email forwarding alerts
  • Conditional access policies
  • Phishing awareness reinforcement
  • Incident response planning

Because the front line isn’t just your firewall anymore; it’s your login page.

The Bigger Lesson: “Trusted Infrastructure” Isn’t Enough

This campaign is a perfect example of how cybersecurity has changed.

The old rule was:

“If it comes from a trusted domain, it’s probably safe.”

The new rule is:

“Trust nothing by default, verify through behavior and context.”

Attackers are getting better at blending in. They’re using the same tools your business uses (cloud automation, trusted infrastructure, and familiar brand templates) to make scams feel normal.

The good news? A few practical steps (strong MFA, improved training, and better identity monitoring) can dramatically reduce your risk.

Source

This blog post is based on reporting by The Hacker News on cybercriminals abusing Google Cloud Application Integration to send phishing emails and ultimately harvest Microsoft 365 credentials.

Todd Eldron

Todd Eldron is an accomplished information technology professional with over 15 years of experience guiding organizations through digital transformation initiatives. His work focuses on implementing effective strategies to enhance cybersecurity, optimize operational performance, and adopt emerging technologies responsibly.