A recent phishing campaign demonstrates how legitimate cloud services can be abused to compromise enterprise Microsoft 365 accounts, without using malware, exploits, or compromised infrastructure.
The attack relies entirely on trusted platforms, primarily Google Cloud services, to slip past reputation-based security controls and harvest corporate credentials.
How the Campaign Works
Attackers use Google Cloud services to distribute phishing emails that appear legitimate at both the technical and user levels. Because the emails are sent from valid Google-controlled infrastructure, they pass standard email authentication checks such as SPF and DKIM. Those checks only confirm that the sending server and the signing domain genuinely belong to the provider; they vouch for the infrastructure, not for the intent of whoever is using it, and they do not by themselves establish that the visible From address is aligned with the authenticated domain.
The phishing flow typically includes:
- An email delivered via Google Cloud infrastructure
- A link hosted on Google-controlled domains
- A CAPTCHA gate in front of the landing page, which keeps URL scanners and sandboxes from reaching the phishing content while a human simply clicks through
- A fake Microsoft 365 login page designed to closely resemble the real authentication flow
The credential harvesting page does not exploit Microsoft systems directly. Instead, it captures usernames and passwords entered by users who believe they are signing in to Microsoft 365. A password captured this way is directly usable only against accounts that a password alone can unlock; where a second factor is enforced, the attacker needs an additional step that the flow described here does not include.
No malicious attachments or executable payloads are involved.
Why Traditional Controls Struggle to Detect This Attack
From a security tooling perspective, this campaign stays within expected behavior:
- The sending infrastructure is trusted
- The hosting environment has a strong reputation
- The URLs do not appear on known blocklists at the time of delivery
Because Google Cloud is widely used for legitimate business workflows, blocking or heavily restricting these services is not practical for most organizations.
As a result, detection often occurs only after credentials have already been compromised.
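The two points above, that the provider's SPF and DKIM results vouch for the provider rather than for the visible sender, and that a login lure hosted on reputable cloud infrastructure carries no reputation signal of its own, can be turned into a simple mailbox-side triage check. The script below is an added example written for this page, not tooling from the article or from either cloud provider. It parses the Authentication-Results header of a message, tests whether the From domain aligns with the domains SPF and DKIM actually passed for (the same alignment test DMARC performs), and flags links whose host sits under a cloud-hosting suffix when the subject or body reads like a login prompt. The two sample messages are constructed; the hosting-suffix list, the lure keywords and the two-label organizational-domain reduction are illustrative assumptions a real deployment would replace.

```python
"""Mailbox-side triage for provider-authenticated phishing (added example).

Constructed sample messages; the cloud-hosting suffixes and lure keywords
are illustrative assumptions, not infrastructure named by the article.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hostnames under which a Google Cloud tenant can publish web content.
# Real deployments maintain this list themselves; it is not taken from the campaign.
CLOUD_HOSTING_SUFFIXES = ("storage.googleapis.com", "appspot.com", "run.app", "web.app")

# Assumption: phrases typical of a Microsoft 365 login lure (subject and body are checked).
LURE_KEYWORDS = ("microsoft", "office 365", "sign in", "password", "verify your account")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def org_domain(domain: str) -> str:
    """Reduce a hostname to its last two labels as a crude organizational domain.
    A production check should consult the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results header (RFC 8601) into
    {method: {"result": verdict, "<ptype>.<property>": value, ...}}."""
    results = {}
    for part in value.split(";")[1:]:          # element 0 is the authserv-id
        part = re.sub(r"\([^)]*\)", "", part)  # drop comments such as (sender IP is ...)
        tokens = part.split()
        if not tokens:
            continue
        method, _, verdict = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def is_cloud_hosted(url: str) -> bool:
    """True when the URL's host is exactly a listed suffix or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_HOSTING_SUFFIXES)


def triage(raw_message: str) -> dict:
    """Return alignment and lure signals for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    from_domain = org_domain(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    # Domains SPF/DKIM actually vouched for: the envelope sender and the signing domain.
    authenticated = []
    if auth.get("spf", {}).get("result") == "pass":
        authenticated.append(org_domain(auth["spf"].get("smtp.mailfrom", "").rpartition("@")[2]))
    if auth.get("dkim", {}).get("result") == "pass":
        authenticated.append(org_domain(auth["dkim"].get("header.d", "")))
    authenticated = [d for d in authenticated if d]
    aligned = from_domain in authenticated   # the alignment test DMARC performs

    body = msg.get_body(preferencelist=("html", "plain"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    cloud_urls = [u for u in URL_RE.findall(text) if is_cloud_hosted(u)]
    lure = any(k in text.lower() for k in LURE_KEYWORDS)

    signals = []
    if authenticated and not aligned:
        signals.append("auth_pass_but_from_unaligned")
    if cloud_urls and lure:
        signals.append("login_lure_on_cloud_hosting")
    return {"from_domain": from_domain, "authenticated": authenticated,
            "aligned": aligned, "cloud_urls": cloud_urls, "signals": signals}


# Constructed sample: provider-authenticated sender, unaligned From, lure link on cloud hosting.
PHISH = """\
Authentication-Results: mx.example.com; spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bounces.mailer.example.net; dkim=pass header.d=mailer.example.net header.s=s1; dmarc=none header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: employee@example.com
Subject: Action required: your Microsoft 365 password expires today
Content-Type: text/plain; charset="utf-8"

Sign in now to keep access to your mailbox:
https://storage.googleapis.com/constructed-bucket/signin.html
"""

# Constructed sample: aligned, ordinary internal mail with no cloud-hosted link.
BENIGN = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com header.s=s2; dmarc=pass header.from=example.com
From: Finance <finance@example.com>
To: employee@example.com
Subject: Q3 travel policy reminder
Content-Type: text/plain; charset="utf-8"

The updated policy is on the intranet: https://intranet.example.com/policies/travel
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, triage(raw))
```

Run against the constructed phishing message, both signals fire: SPF and DKIM passed for example.net while the From header claims example.com, and the only link points at a cloud-hosting host in a message that talks about a Microsoft 365 password. The benign message, authenticated for its own domain and linking to an internal host, produces no signals. Neither signal depends on a URL or sender being on a blocklist, which is the gap the article describes.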
Impact on Organizations Using Microsoft 365
Once Microsoft 365 credentials are obtained, attackers can gain access to:
- Corporate email accounts
- SharePoint and OneDrive content
- Internal communication threads
- Business processes dependent on email-based approvals
In many cases, initial access is used for internal reconnaissance or follow-up attacks such as invoice fraud or partner impersonation.
The financial and operational impact is often indirect and delayed, making root cause analysis more complex.
Key Takeaways for Executive Management
This campaign highlights a structural challenge rather than a technical failure:
- Trusted cloud platforms such as Google Cloud can be abused without being compromised
- Microsoft 365 accounts remain a high-value target due to their central role in business operations
- User behavior alone cannot reliably prevent these attacks
From a risk management perspective, organizations should assume that credential phishing can occur even when emails and links originate from reputable cloud providers.
Conclusion
The abuse of Google Cloud services to target Microsoft 365 users reflects an ongoing shift in phishing tactics. Attackers are increasingly operating inside trusted ecosystems, reducing the effectiveness of reputation-based detection and perimeter-focused controls.
For organizations, the challenge is no longer identifying obviously malicious infrastructure, but detecting malicious intent within legitimate cloud workflows.
