
Jan 20, 2026 · 5 min read

That Email From Google? It's Actually From Google—And It's Still a Scam

A new phishing campaign uses legitimate Google Cloud infrastructure to send malicious emails. The sender address is real. The domain checks pass. And your Microsoft credentials are the target.


For years, security experts have taught one golden rule: check the sender's email domain. If it's not from the official domain, it's probably a scam.

That advice is now dangerously outdated.

Security researchers at Check Point have documented a sophisticated phishing campaign that sends malicious emails from noreply-application-integration@google.com—a legitimate Google address. Not a spoofed one. Not a lookalike. The real thing.

The Attack: 9,400 Emails in 14 Days

Over a two-week period in late 2025, attackers sent 9,394 phishing emails targeting approximately 3,200 organizations. The targets weren't random: manufacturing (19.6%), technology and SaaS (18.9%), and finance (14.8%) took the brunt of the campaign. Nearly half of all targets were in the United States.

The weapon? Google Cloud's Application Integration service, a legitimate automation tool designed to help developers connect systems and send notifications. Attackers configured the service to dispatch emails on their behalf, and because those emails genuinely originate from Google's outbound infrastructure, they pass every standard email authentication check: the sending servers are in google.com's SPF record, Google signs the messages with its own DKIM key, and the visible From domain aligns with both, so DMARC is satisfied too.

SPF? Pass. DKIM? Pass. DMARC? Pass.

Your email gateway sees an authenticated message from a trusted Google domain and waves it right through. Authentication proves who operates the sending infrastructure; it says nothing about who configured the workflow that produced the message.
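The point above is easy to see in code: every authentication verdict can be "pass" and the message can still be the lure. The following is an added example, not code from the article or from Check Point. It parses a constructed message modelled on the campaign (the bucket path, the recipient and the benign contrast message are assumptions), confirms that SPF, DKIM and DMARC all pass, and then flags the message on signals that have nothing to do with authentication: an automation-service sender, a lure subject, and a link into Google storage that anyone with a Google Cloud account can write to.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign; not a captured message.
PHISH_EML = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=google.com;
 dkim=pass header.d=google.com;
 dmarc=pass header.from=google.com
From: noreply-application-integration@google.com
To: alice@example.com
Subject: New voicemail (0:42) is waiting for you
Content-Type: text/plain; charset=utf-8

You have a new voicemail. Listen here:
https://storage.cloud.google.com/bucket-example/vm.html
"""

# Constructed benign contrast: same automation sender, links only to Google's own console.
BENIGN_EML = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=google.com;
 dkim=pass header.d=google.com;
 dmarc=pass header.from=google.com
From: noreply-application-integration@google.com
To: alice@example.com
Subject: Integration run completed
Content-Type: text/plain; charset=utf-8

Your nightly sync finished. Logs: https://console.cloud.google.com/integrations
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Illustrative heuristics (assumed, not from the article); tune to your environment.
AUTOMATION_SENDERS = {"noreply-application-integration@google.com"}
LURE_WORDS = ("voicemail", "shared", "document", "invoice", "password")
# Hosts that serve content uploaded by arbitrary Google customers.
USER_CONTROLLED_HOSTS = ("storage.cloud.google.com", "storage.googleapis.com",
                         "googleusercontent.com")


def auth_results(msg):
    """Parse the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def all_auth_pass(results):
    return all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))


def host_under(host, suffix):
    """True if host is suffix itself or a subdomain of it (avoids 'notgoogle.com' matches)."""
    return host == suffix or host.endswith("." + suffix)


def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_content()
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}

    signals = []
    if sender in AUTOMATION_SENDERS:
        signals.append("automation-service sender")
    if any(w in subject for w in LURE_WORDS):
        signals.append("lure subject")
    if any(host_under(h, s) for h in hosts for s in USER_CONTROLLED_HOSTS):
        signals.append("link to user-uploadable Google storage")

    return {
        "auth": auth,
        "authenticated": all_auth_pass(auth),
        "signals": signals,
        # Authentication is deliberately NOT an input to the verdict.
        "verdict": "suspicious" if len(signals) >= 2 else "ok",
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, classify(raw))
```

Both messages come back fully authenticated; only the content-based signals separate them. That is the design choice a gateway rule for this campaign has to make: treat a pass from SPF/DKIM/DMARC as a statement about origin, and score intent from the sender type, the lure and where the links actually point.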

How the Redirect Chain Works

The phishing emails look like routine enterprise notifications—voicemail alerts, shared file requests, the kind of messages that populate corporate inboxes daily. When victims click through, the attack unfolds in stages:

Stage 1: Trusted Entry Point. The link points to storage.cloud.google.com, another legitimate Google service. The domain reputation is Google's, but the object behind the link lives in a Cloud Storage bucket the attacker controls, so there is nothing in the URL itself for a reputation check to flag.

Stage 2: Validation Theater. The victim is redirected to googleusercontent.com, where a fake CAPTCHA or image verification prompt appears. This step serves two purposes: it makes the process feel legitimate, and it stops URL scanners and detonation sandboxes that do not interact with the page from ever reaching the final payload.

Stage 3: Credential Harvest. Only after passing the fake verification does the victim reach the actual phishing page, a convincing replica of a Microsoft 365 login screen hosted on a non-Microsoft domain. By this point, most users have clicked through enough Google-branded pages that their guard is down.

Why Traditional Defenses Fail

This attack exposes a fundamental weakness in how we've approached email security. The entire industry has built defenses around domain reputation and authentication protocols, on the unstated assumption that if the email comes from a trusted sender and passes cryptographic checks, it must be legitimate. SPF, DKIM and DMARC were designed to stop spoofing of a domain; they were never a judgement on the content or the intent of mail the domain's own infrastructure sends.

But attackers aren't spoofing domains anymore. They're using legitimate services as weapons, and inheriting those services' reputation for free.

According to recent research, 83% of phishing attacks now bypass multi-factor authentication through adversary-in-the-middle techniques, in which the phishing page proxies the real login and relays the one-time code or push approval in real time. The volume of phishing emails has increased by 1,265% since generative AI tools became widely available in late 2022. And one in four emails today is either malicious or unwanted spam.

Google blocked this specific campaign after researchers reported it, stating they've "taken additional steps to prevent further misuse." But the fundamental weakness remains: any cloud service that sends email on behalf of its users, whether a workflow engine, a transactional mail API or a notification feature, inherits the provider's sender reputation and can be pointed at victims by anyone with an account.

What This Means for You

If you're a developer or IT professional, this campaign should change how you think about trust boundaries. A legitimate sender address no longer guarantees legitimate intent. Automated workflows, cloud integrations, and notification services all represent potential abuse vectors, and mail from their shared no-reply addresses deserves its own detection logic rather than an allow-list entry.

For everyone else, the lesson is simpler but harder to follow: skepticism has to extend even to emails that look completely authentic.

  • Question the context, not just the sender. Did you request a shared file? Were you expecting a voicemail notification? If an email arrives without context, treat it with suspicion regardless of who it appears to be from.
  • Navigate directly to services. Instead of clicking links in emails claiming to be from Google, Microsoft, or any other service, open a new browser tab and go to the site yourself. Real notifications will be waiting in your account.
  • Watch the final destination. Before entering any credentials, verify that you're on the correct domain. This campaign used Google domains for the initial redirects but harvested credentials on a completely different site; the only URL that matters is the one in the address bar when the login form appears.
  • Enable phishing-resistant MFA. Hardware security keys and passkeys (FIDO2/WebAuthn) bind the credential to the real site's origin, so a login page on a lookalike domain cannot obtain a valid response even with the user's cooperation. SMS codes and authenticator-app codes or push approvals can be relayed by an adversary-in-the-middle page. Google blocked 265 billion unauthenticated emails in 2024 alone, but the attacks that get through are the ones that matter.
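The three-stage chain described earlier and the "watch the final destination" advice above are the same check seen from two sides: follow the redirects to the page that actually asks for credentials, then judge that host alone. The following is an added example, not code from the article or from Check Point. The chain is a constructed lookup table standing in for HTTP redirects and the fake CAPTCHA step (the bucket path, the googleusercontent.com path and the final .invalid hostname are assumptions); the list of Microsoft sign-in hosts is real. It also shows the edge case the campaign relies on: a scanner that does not "solve" the interaction gate never sees the final host and must report an inconclusive result rather than a clean one.

```python
from urllib.parse import urlparse

# Constructed chain modelled on the three stages in the article. Each entry maps a URL to
# (next_url, needs_user_interaction). Paths and the final hostname are hypothetical.
START = "https://storage.cloud.google.com/bucket-example/vm.html"
CHAIN = {
    START: ("https://lh3.googleusercontent.com/d/verify-example", False),
    "https://lh3.googleusercontent.com/d/verify-example":
        # This hop only happens after the fake CAPTCHA is "solved".
        ("https://login-example-portal.invalid/common/oauth2/authorize", True),
}

# Hosts on which a Microsoft work/school/personal sign-in legitimately takes place.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
GOOGLE_BRANDED = ("google.com", "googleusercontent.com")


def host_under(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def follow(start, chain, interact=False, max_hops=10):
    """Walk the chain. Returns (hops, gated): gated is True if we stopped at a step that
    required a user action and interact was False, i.e. the scanner was blocked."""
    hops, seen = [start], {start}
    while len(hops) <= max_hops:
        nxt = chain.get(hops[-1])
        if nxt is None:
            return hops, False
        url, needs_click = nxt
        if needs_click and not interact:
            return hops, True
        if url in seen:  # redirect loop guard
            return hops, False
        seen.add(url)
        hops.append(url)
    return hops, False


def assess(start, chain, interact=False):
    """Judge the page that ends the chain, not the trusted-looking hops before it."""
    hops, gated = follow(start, chain, interact)
    hosts = [(urlparse(u).hostname or "").lower() for u in hops]
    final_host = hosts[-1]
    branded = sum(1 for h in hosts if any(host_under(h, s) for s in GOOGLE_BRANDED))

    if gated:
        verdict = "inconclusive"  # never clear a URL we could not fully resolve
    elif final_host in MICROSOFT_LOGIN_HOSTS:
        verdict = "ok"
    else:
        verdict = "credentials requested off-platform"

    return {
        "hops": hops,
        "final_host": final_host,
        "google_branded_hops": branded,  # irrelevant to the verdict, by design
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess(START, CHAIN, interact=False))
    print(assess(START, CHAIN, interact=True))
```

Run without interaction, the walker stops on googleusercontent.com and reports "inconclusive"; a tool that instead reported "clean" at that point would be reproducing exactly the blind spot the campaign exploits. Run with interaction, two of the three hops are Google-branded and the verdict still turns on the third.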

The Uncomfortable Reality

This attack represents a broader shift in the threat landscape. Phishing has evolved from crude impersonation to sophisticated abuse of legitimate infrastructure. The emails are grammatically perfect, AI-assisted, and sent through trusted channels.

Research estimates that 83% of organizations will experience at least one phishing attack this year. Spear phishing campaigns—targeted attacks that make up just 0.1% of all phishing—are responsible for 66% of breaches.

The attackers aren't trying to fool spam filters anymore. They're trying to fool you. And when the email genuinely comes from Google's servers, they're betting you won't look any deeper.

Your inbox has never been more dangerous—even when the sender is exactly who they claim to be.