- Attackers abused Google Cloud Application Integration to send phishing emails from legitimate Google domains
- Emails mimicked Google notifications, redirecting victims through trusted services
- Nearly 3,200 businesses targeted; most victims in U.S. manufacturing, tech, and finance sectors
Over 3,000 organizations fell victim to a sophisticated phishing campaign in December 2025 that weaponized Google’s legitimate application infrastructure to evade enterprise email security systems.
The attack primarily targeted manufacturing companies, with threat actors sending deceptive messages from Google’s official email address: noreply-application-integration@google.com.
This campaign represents a significant evolution in phishing attacks, as attackers exploited trusted platform infrastructure rather than relying on traditional domain spoofing or compromised mail servers.
In a newly released report, cybersecurity researchers from Check Point said they've seen almost 10,000 emails sent to roughly 3,200 businesses in a span of two weeks.
All of the messages were sent from the email account noreply-application-integration@google.com, meaning the attackers were abusing Google Cloud Application Integration.
Targeting manufacturing in the US
Google Cloud Application Integration is a managed Google Cloud service that connects applications, APIs, and data sources without needing to write custom code. It lets organizations automate workflows between cloud services, SaaS apps, and internal systems using prebuilt connectors, triggers, and actions. Emails generated through Google Cloud Application Integration often originate from Google-owned infrastructure and domains, meaning they're sent as part of an automated workflow and can inherit Google's strong sender reputation.
In phishing campaigns, threat actors can create or compromise a Google Cloud project and configure an integration workflow that sends emails via Gmail APIs or other connected email services. In other words, this is simple abuse – not a breach in Google’s infrastructure.
To make the emails seem even more plausible, the attackers made sure the messages closely followed Google's notification style, language, and formatting. The most common lures include pending voicemail messages and notifications that a document has been shared with the recipient.
The link shared in these emails leads to storage.google.cloud.com, which is a trusted Google Cloud service.
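For defenders, the indicators described above can be combined into a simple mail triage check. The following is an added example, not code from Check Point or Google; the sender address and link host are taken from the article as written, while the lure keywords, the `expects_app_integration` flag, the verdict names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SENDER = "noreply-application-integration@google.com"  # from the article
LINK_HOST = "storage.google.cloud.com"                 # from the article, as written there
LURES = ("voicemail", "shared a document")             # assumption: keywords for the two named lures
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw, expects_app_integration=False):
    """Return (verdict, signals) for one RFC 5322 message given as text."""
    # Sender authentication results are deliberately not consulted: the mail
    # really is sent by Google, so it cannot separate abuse from real workflows.
    msg = message_from_string(raw)
    if parseaddr(msg.get("From", ""))[1].lower() != SENDER:
        return "not_applicable", []
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text += "\n" + data.decode(part.get_content_charset() or "utf-8", "replace")
    signals = []
    if not expects_app_integration:
        signals.append("no known workflow here sends mail through Application Integration")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    if LINK_HOST in hosts:
        signals.append("link to " + LINK_HOST)
    if any(word in text.lower() for word in LURES):
        signals.append("voicemail or shared-document lure wording")
    # 0 signals: deliver, 1 signal: review, 2 or more: quarantine.
    verdict = ("deliver", "review", "quarantine")[min(len(signals), 2)]
    return verdict, signals

# Constructed sample messages (not taken from the campaign).
SAMPLE_LURE = (
    "From: Google <noreply-application-integration@google.com>\n"
    "To: user@example.com\n"
    "Subject: You have a new voicemail\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Listen here: https://storage.google.cloud.com/example-bucket/placeholder.html\n"
)
SAMPLE_WORKFLOW = (
    "From: noreply-application-integration@google.com\n"
    "Subject: Nightly sync finished\n\n"
    "Integration run completed with 0 errors.\n"
)
```

Set `expects_app_integration=True` only for recipients whose organization actually runs Application Integration workflows that send mail; for everyone else, any message from this sender is already worth a review.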
