
Scammers exploit official Google domain


Lox

Scammers have found a way to send fraudulent emails using Google’s official @google.com domain by abusing Google Cloud automation tools. Thousands of organizations received phishing emails that evaded security detection.

 
Can't stress the following quote from the article enough:
"Traditional email security assumptions no longer hold. Even when the sender, domain, and infrastructure appear fully legitimate, email can still be part of a phishing attack."
 
TL;DR, courtesy of AI:

Scammers abused Google Cloud Application Integration by configuring an integration that uses the built-in “Send Email” task (which can send a custom subject/body to arbitrary recipients), so the phishing messages were legitimately generated by Google and arrived from Google’s real no-reply address. (Google Cloud Documentation)
They made the emails resemble routine Google-style enterprise notifications (voicemail alerts, file-access/permission requests, etc.) to prompt victims to click. (Check Point Blog)
The embedded link started on a trusted Google Cloud URL (e.g., storage.cloud.google.com), then redirected to googleusercontent.com where a fake CAPTCHA/image check filtered out automated security scanners, before forwarding the user onward. (Check Point Blog)
The final destination was an attacker-controlled site impersonating a Microsoft sign-in page to harvest their login details. (Check Point Blog)
 
The first screenshot is a little misleading; although it is a phishing email, it’s not one that was sent using the GCP vulnerability, so the “From” address doesn’t show @google.com. The redirect link shown on hover is probably comparable to what you’d see in one of these new phishing emails, though.
 
Really surprising to see this. When @google.com can be weaponized, “trusted sender” checks aren’t enough. Detection has to focus on behavior and intent, not just infrastructure.
 
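An added example, not part of any post in this thread or of the linked article: a triage heuristic that follows the TL;DR's redirect chain and the point above about judging behaviour rather than sender. It reports the @google.com sender but bases the verdict only on the link host and lure wording. The function names, keyword list and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts the thread names as the first two hops of the redirect chain.
CLOUD_HOSTS = ("storage.cloud.google.com", "googleusercontent.com")
# Lure themes named in the thread; the exact keywords are an assumption.
LURE_RE = re.compile(r"voicemail|file access|permission request", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_matches(host, suffixes=CLOUD_HOSTS):
    """True for an exact host or a true subdomain, not a look-alike suffix."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def assess(raw):
    """Score content and link behaviour; a genuine sender never clears a message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    hosts = [urlparse(u).hostname for u in URL_RE.findall(text)]
    signals = {
        "google_sender": sender.endswith("@google.com"),
        "cloud_hosted_link": any(host_matches(h) for h in hosts),
        "notification_lure": bool(LURE_RE.search(text)),
    }
    # The sender signal is reported for context only and is not part of the verdict.
    signals["flag_for_review"] = signals["cloud_hosted_link"] and signals["notification_lure"]
    return signals

# Constructed sample messages (addresses, bucket and paths are made up).
SUSPECT = """From: Google <noreply@google.com>
To: user@example.org
Subject: New voicemail received
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

You have a new voicemail. Listen here:
https://storage.cloud.google.com/example-bucket/message.html
"""
BENIGN = SUSPECT.replace("New voicemail received", "Your monthly invoice") \
    .replace("You have a new voicemail. Listen here:", "Your invoice is ready:") \
    .replace("storage.cloud.google.com/example-bucket", "console.cloud.google.com/billing")

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, assess(raw))
```

Legitimate mail can also link to these hosts, so the flag is a prompt for closer review (for example, following the redirect chain in a sandbox), not a block verdict.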
TL;DR, courtesy of AI:

Scammers abused Google Cloud Application Integration by configuring an integration that uses the built-in “Send Email” task (which can send a custom subject/body to arbitrary recipients), so the phishing messages were legitimately generated by Google and arrived from Google’s real no-reply address. (Google Cloud Documentation)
They made the emails resemble routine Google-style enterprise notifications (voicemail alerts, file-access/permission requests, etc.) to prompt victims to click. (Check Point Blog)
The embedded link started on a trusted Google Cloud URL (e.g., storage.cloud.google.com), then redirected to googleusercontent.com where a fake CAPTCHA/image check filtered out automated security scanners, before forwarding the user onward. (Check Point Blog)
The final destination was an attacker-controlled site impersonating a Microsoft sign-in page to harvest their login details. (Check Point Blog)
Thanks for your valuable information.
 