Attackers Abuse Google Cloud Services to Steal Microsoft 365 Credentials

Cybersecurity researchers have uncovered an ongoing phishing campaign where threat actors are actively misusing Google Cloud infrastructure to harvest Microsoft 365 login credentials.

Key points:

  1. Use of Google Cloud Email Tools:
    Attackers are leveraging features like Google Cloud Application Integration email delivery to send phishing messages that appear to originate from trusted Google domains. These messages bypass typical spam and security filters because they come from Google-owned infrastructure itself.
  2. Convincing Phishing Flow:
    • Victims receive highly convincing fake “Google” emails (e.g., notifications or routine alerts).
    • Clicking a link takes users through legitimate-looking Google Cloud URLs before redirecting them to a fake Microsoft 365 sign-in page.
    • Credentials entered there are harvested by the attackers.
  3. Bypassing Security Controls:
    Because the campaign uses Google Cloud orchestration and the emails are sent from real Google domains, the messages can pass SPF, DKIM, and DMARC checks, so these common protections may not block them effectively.
  4. Global Targeting:
    The phishing messages have been observed targeting thousands of organizations across regions including the U.S., Asia-Pacific, Europe, Canada, and Latin America.

Why This Matters

  • Cloud Trust is Being Abused: Attackers are weaponizing the reputation and trust of cloud platforms (in this case, Google Cloud) to make their phishing more believable and evade security filters.
  • Microsoft 365 Credentials Are Valuable: Once attackers capture login details, they can access email, data, collaboration tools, and internal services — often leading to deeper compromise or business email compromise (BEC).

Typical Tactics Seen in These Attacks

  • Impersonation & Social Engineering: Messages often mimic legitimate enterprise notifications to prompt user action.
  • Multi-Stage Redirection: Users may see intermediate pages from trusted cloud services before the fake login page, increasing credibility.
  • Credential Harvesting: The final fake Microsoft login collects usernames and passwords directly.

Related Threat Trends

This campaign fits a broader pattern of credential attacks and phishing against Microsoft 365, including:

  • Sophisticated phishing that impersonates widely trusted providers to trick users;
  • Phishing-as-a-Service operations targeting Microsoft 365 credentials;
  • Advanced tools and kits that steal tokens or session data for Microsoft accounts.

How Organizations Can Respond

To defend against this type of attack:

  • Enable multifactor authentication (MFA) on all Microsoft 365 accounts.
  • Train users to spot cloud-based phishing tricks, particularly when emails come from trusted domains but have unusual content.
  • Implement phishing detection technologies that look beyond SPF/DKIM and consider behavioral indicators.
  • Monitor OAuth and third-party app consent logs to catch suspicious access flows early.
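As an added illustration of the "Bypassing Security Controls" point and the "look beyond SPF/DKIM" recommendation above, the following Python (my own example, not code from the researchers or any vendor) scores a message on behavioural mismatch: the authenticated sender domain, the brand the text impersonates, and the host a sign-in link really lands on after one redirect hop. All domains in the sample are constructed, and the redirector parameter names are an assumption.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs

# Constructed sample (all domains made up): SPF/DKIM/DMARC pass for the cloud
# sender, yet the mail pushes a "Microsoft 365" sign-in through a redirect.
SAMPLE_EMAIL = """\
From: Cloud Notifications <noreply@cloud-sender.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=cloud-sender.example; dkim=pass header.d=cloud-sender.example; dmarc=pass
Subject: Action required: verify your Microsoft 365 sign-in
Content-Type: text/plain

Your mailbox will be suspended. Sign in here to keep access:
https://redirect.cloud-sender.example/go?url=https%3A%2F%2Fm365-verify.example%2Flogin
"""

MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
BRAND_WORDS = re.compile(r"microsoft\s*365|office\s*365|outlook", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "").lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))

def final_host(url):
    """Host the link really lands on: unwrap one 'param=<encoded URL>' redirect hop."""
    parsed = urlparse(url)
    for key in ("url", "u", "redirect", "target"):  # assumed redirector parameter names
        for nested in parse_qs(parsed.query).get(key, []):
            if nested.startswith("http"):
                return urlparse(nested).hostname or ""
    return parsed.hostname or ""

def assess(raw):
    """Score a single-part text message on sender/brand/link mismatch, not on authentication alone."""
    msg = message_from_string(raw)
    sender_domain = re.sub(r".*@", "", msg.get("From", "")).rstrip(">").lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    reasons = []
    if all(auth_results(msg).get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        reasons.append(f"fully authenticated sender {sender_domain}")
    if BRAND_WORDS.search(text) and "microsoft" not in sender_domain:
        reasons.append("content impersonates Microsoft 365 but sender is unrelated")
    for url in URL_RE.findall(text):
        host, first = final_host(url), urlparse(url).hostname
        if host != first:
            reasons.append(f"redirect via {first} lands on {host}")
        if host not in MICROSOFT_LOGIN_HOSTS and not host.endswith(sender_domain):
            reasons.append(f"sign-in link host {host} is neither Microsoft nor the sender")
    return {"suspicious": len(reasons) >= 3, "reasons": reasons}
```

A clean authentication result on its own is never the verdict here; it only counts together with the brand and link mismatches, which is the point of looking beyond SPF/DKIM.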