Cybersecurity researchers have uncovered a dangerous new phishing campaign that tricks users into surrendering their credentials by impersonating legitimate Google support and notifications.<\/p>\n
The attack combines vishing (voice phishing), spoofed domains<\/a>, and Google\u2019s own trusted infrastructure to achieve exceptional success rates against organizations worldwide.<\/p>\n The attack employs a multi-layered social engineering<\/a> approach. Threat actors initiate contact by phone, using voice-spoofing technology to mimic Google support representatives.<\/p>\n These calls reference suspicious account activity or security concerns, building urgency and trust.<\/p>\n The attacker then directs victims to click links in follow-up emails that appear to originate from legitimate Google addresses, bypassing traditional email authentication checks like SPF, DKIM, and DMARC<\/a>.<\/p>\n What makes this campaign particularly insidious is its abuse of Google\u2019s own cloud infrastructure.<\/p>\n Rather than creating fake domains that might trigger security filters, attackers leverage Google Cloud Application Integration services to send phishing emails directly from legitimate Google infrastructure.<\/p>\n In December 2025 alone, researchers documented over 9,000 phishing emails targeting approximately 3,200 businesses across the United States, Europe, Asia-Pacific, Canada, and Latin America.<\/p>\n The attack flow follows a sophisticated redirection chain. When victims click embedded links, they land on pages hosted on trusted Google Cloud Storage<\/a> domains, making URL reputation filters ineffective.<\/p>\n These pages display fake CAPTCHA verification screens that block automated security scanning while allowing human users through, as reported<\/a> by Dmitrn Gmilnanets.<\/a><\/p>\n After verification, victims are redirected to credential-harvesting pages\u00a0that mimic<\/a><\/span> Google login screens or Microsoft 365 interfaces, where their usernames and passwords are stolen.<\/p>\n Security experts emphasize that cloud providers never initiate contact to request login credentials or direct users to external verification pages.<\/p>\n Users should always navigate directly to official service portals they already use rather than clicking links in unsolicited communications.<\/p>\n Organizations should implement multi-factor authentication (MFA<\/a>), enforce the use of a password manager, restrict login locations by IP range, and provide regular security awareness training.<\/p>\n Additionally, security teams must move beyond traditional domain-reputation defenses and implement behavioral analysis and contextual threat detection to identify legitimate infrastructure that is being weaponized for malicious purposes.<\/p>\n This campaign underscores a critical shift in phishing tactics: attackers are increasingly abusing legitimate platforms rather than spoofing domains, requiring a fundamental rethink of email security strategies.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post New Sophisticated Phishing Attack Mimic as Google Support to Steal Logins<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nGoogle Support-Based Phishing Campaign<\/strong><\/h2>\n
![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi8N7ordQeRBBwTZ9lVUkpcpodzSIThHMzZmjzaKjnp67tWAOOuLcDFjfPtFFEAr5NJt0hH_VQhIQ1FzOyrQbleAApS9uKXGRCUQFjOCAgOMfk4WnQ78CYlivN5P8zIrDh_mqD68Z9ni55d3YTSACwKbSFL5Fu4PcR4-28Fo-z9Je0AllF4g4gt9W83Oq0\/s1600\/Screenshot%25202026-01-06%2520111337%2520%25281%2529.webp?ssl=1\")