{“lastseen”:”2026-01-06T16:25:12″,”description”:”Attackers are sending very convincing fake \u201cGoogle\u201d emails that slip past spam filters, route victims through several trusted Google-owned services, and ultimately lead to a look-alike Microsoft 365 sign-in page designed to harvest usernames and passwords.\\n\\nResearchers found that cybercriminals used Google Cloud Application Integration\u2019s Send Email feature to send phishing emails from a legitimate Google address: `noreply-application-integration@google[.]com`.\\n\\nGoogle Cloud Application Integration allows users to automate business processes by connecting any application with point-and-click configurations. New customers currently receive free credits, which lowers the barrier to entry and may attract some cybercriminals.\\n\\nThe initial email arrives from what looks like a real Google address and references something routine and familiar, such as a voicemail notification, a task to complete, or permissions to access a document. The email includes a link that points to a genuine Google Cloud Storage URL, so the web address appears to belong to Google and doesn\u2019t look like an obvious fake.\\n\\nAfter the first click, you are redirected to another Google\u2011related domain (`googleusercontent[.]com`) showing a CAPTCHA or image check. Once you pass the \u201cI\u2019m not a robot check,\u201d you land on what looks like a normal Microsoft 365 sign\u2011in page, but on close inspection, the web address is not an official Microsoft domain.\\n\\nAny credentials provided on this site will be captured by the attackers.\\n\\nThe use of Google infrastructure provides the phishers with a higher level of trust from both email filters and the receiving users. This is not a vulnerability, just an abuse of cloud-based services that Google provides.\\n\\n## Google\u2019s response\\n\\nGoogle said it has taken action against the activity:\\n\\n\\u003e \u201cWe have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration. Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Google\u2019s infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further misuse.\u201d\\n\\nWe’ve seen several phishing campaigns that abuse trusted workflows from companies like Google, PayPal, DocuSign, and other cloud-based service providers to lend credibility to phishing emails and redirect targets to their credential-harvesting websites.\\n\\n## How to stay safe\\n\\nCampaigns like these show that some responsibility for spotting phishing emails still rests with the recipient. Besides staying informed, here are some other tips you can follow to stay safe.\\n\\n * **Always check the actual web address** of any login page; if it\u2019s not a genuine Microsoft domain, do not enter credentials.\u200b Using a password manager will help because they will not auto-fill your details on fake websites.\\n * **Be cautious of \u201curgent\u201d emails** about voicemails, document shares, or permissions, even if they appear to come from Google or Microsoft.\u200b Creating urgency is a common tactic by scammers and phishers.\\n * **Go directly to the service whenever possible**. Instead of clicking links in emails, open OneDrive, Teams, or Outlook using your normal bookmark or app.\\n * **Usemulti\u2011factor authentication (MFA)** so that stolen passwords alone are not enough, and regularly review which apps have access to your account and remove anything you don\u2019t recognize.\\n\\n\\n\\nPro tip: **Malwarebytes Scam Guard can recognize emails like this as scams.** You can upload suspicious text, emails, attachments and other files and ask for its opinion. It\u2019s really very good at recognizing scams.\\n\\n* * *\\n\\n**We don ‘t just report on scams\u2014we help detect them**\\n\\nCybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we\u2019ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!”,”published”:”2026-01-06T15:01:10″,”modified”:”2026-01-06T15:01:10″,”type”:”malwarebytes”,”title”:”Phishing campaign abuses Google Cloud services to steal Microsoft 365 logins”,”source”:””,”references”:””,”id”:”MALWAREBYTES:8BF518F0461C1A3230F188D02D9D6686″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/01\/phishing-campaign-abuses-google-cloud-services-to-steal-microsoft-365-logins”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-06T16:25:12″,”description”:”Attackers are sending very convincing fake \u201cGoogle\u201d emails that slip past spam filters, route victims through several trusted Google-owned services, and ultimately lead to a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-34336","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n