In December 2025, a phishing campaign hit over 3,000 organizations, mostly in manufacturing. The attackers used Google’s own systems to send the emails, which helped them get past company email security.
The messages came from the real Google address noreply-application-integration@google.com, making them look trustworthy to recipients.
Instead of fake domains or hacked mail servers, the attackers stayed inside Google’s platform. As a result, the emails passed the normal sender-authentication checks (SPF, DKIM, DMARC, and Microsoft's composite authentication, CompAuth), so many email security tools did not detect them.
How the Attack Worked
The attack started with emails that looked like routine Google Tasks notifications. They appeared to be normal internal task requests, asking employees to review or verify information.
Each message included familiar actions such as “View task” or “Mark complete.” Instead of opening Google Tasks, the links redirected users to a fake page hosted on Google Cloud Storage.
The campaign succeeded because it abused trust at multiple levels:
- The emails were sent through real Google systems, giving them high credibility
- The layout and buttons closely matched genuine Google Tasks notifications
- The links pointed to Google-owned domains, not suspicious websites
Most email security tools focus on sender reputation and link trust. In this case, both looked legitimate, allowing the messages to pass through without alerts.
The real issue was context. Google Tasks is not typically used for HR or identity checks, and real task notifications do not redirect users to Cloud Storage pages.
Researchers at RavenMail uncovered the activity by analyzing workflow behavior rather than email headers alone. They spotted inconsistencies between how Google Tasks normally works and what the emails were asking users to do.
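The workflow-context check described above, written out as an added illustration (this is not RavenMail's detection logic or any Google code): it deliberately ignores SPF/DKIM/DMARC results, which pass for these messages, and instead flags Google Tasks notifications whose task buttons lead to Cloud Storage or whose subject asks for HR or identity actions. The two sample messages are constructed, and the hostnames tasks.google.com, storage.googleapis.com and storage.cloud.google.com are assumed as the respective link targets.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed samples (not captured messages) mirroring what the article describes.
SUSPICIOUS = """\
From: Google Tasks <noreply-application-integration@google.com>
Subject: New task: verify your HR record
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html

<p>A task was assigned to you.</p>
<a href="https://storage.googleapis.com/task-bucket/verify.html">View task</a>
<a href="https://storage.googleapis.com/task-bucket/done.html">Mark complete</a>
"""

BENIGN = """\
From: Google Tasks <noreply-application-integration@google.com>
Subject: New task: prepare Q1 slides
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html

<p>A task was assigned to you.</p>
<a href="https://tasks.google.com/tasks/">View task</a>
"""

GOOGLE_SENDER = "noreply-application-integration@google.com"
TASK_HOSTS = {"tasks.google.com"}  # assumption: where genuine task buttons link
STORAGE_HOSTS = ("storage.googleapis.com", "storage.cloud.google.com")  # assumption
CONTEXT_WORDS = {"verify", "hr", "identity", "payroll", "password"}

def assess(raw: str) -> list[str]:
    """Return reasons a Google Tasks notification does not fit the normal workflow.
    Authentication-Results is intentionally unused: passing SPF/DKIM/DMARC is
    expected for mail sent through Google itself and carries no signal here."""
    msg = message_from_string(raw)
    if GOOGLE_SENDER not in msg.get("From", ""):
        return []  # not a Google Tasks notification; out of scope for this check
    reasons = []
    subject_words = set(re.findall(r"[a-z]+", msg.get("Subject", "").lower()))
    if subject_words & CONTEXT_WORDS:
        reasons.append("subject asks for HR/identity action, unusual for Google Tasks")
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if host in TASK_HOSTS:
            continue  # button goes where a real task notification would
        if host.endswith(STORAGE_HOSTS):
            reasons.append(f"task button links to Cloud Storage: {host}")
        else:
            reasons.append(f"task button links outside Google Tasks: {host}")
    return reasons
```

Run `assess()` over inbound mail that already passed authentication; any non-empty result is a candidate for quarantine or review.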
This campaign highlights a growing trend where attackers misuse trusted SaaS platforms to deliver phishing, reinforcing the need for security controls that understand intent—not just trust.