Google Exploited in Phishing Campaign

Google Exploit: Over 3,000 organisations, predominantly in manufacturing, fell victim to a sophisticated phishing campaign in December 2025 that leveraged Google’s own application infrastructure to bypass enterprise email security controls.

 

Attackers sent deceptive messages from noreply-application-integration@google.com, marking a critical shift in how threat actors exploit trusted platforms.

Unlike traditional phishing attempts that rely on domain spoofing or compromised mail servers, this campaign operated entirely within legitimate Google systems.

The emails passed all standard authentication checks, SPF, DKIM, DMARC, and CompAuth, creating a fundamental blind spot for conventional email security tools.

How the Attack Worked

The phishing emails impersonated legitimate Google Tasks notifications, claiming to be internal task assignments requesting employee verification.

Recipients were prompted with calls to action such as “View task” or “Mark complete,” which redirected to a malicious page hosted on Google Cloud Storage.

The attack exploited three critical vulnerabilities in traditional security models:

Trusted Sender Infrastructure: Emails originated from valid Google systems, inheriting Google’s high sender reputation and near-universal allowlisting across organisations.

High-Fidelity Brand Impersonation: The messages replicated Google Tasks UI, branding, and familiar notification buttons with striking accuracy, making them visually indistinguishable from legitimate communications.

Payload on Trusted Domains: Rather than hosting malicious content on suspicious domains, attackers leveraged Google Cloud Storage URLs, rendering URL reputation-based detection ineffective

Read the full article here