First QuickBooks, then Microsoft, and now Google: will the hijacking of legitimate third-party platform communications stop escalating in 2025? Our Threat Labs researchers predict the answer is no.
As long as these attack tactics remain effective, cybercriminals will continue to use them, which likely explains the spike in the exploitation of Google Services for phishing attacks observed in the first month of 2025.
Executive Summary
While the abuse of Google Services isn't new, our Threat Labs team observed a significant spike in January 2025, this time leveraging new tactics not previously seen by the team.
In this campaign, attackers exploited Google Drive's collaboration feature by creating online documents with embedded secondary links. They then used the file-sharing functionality to send legitimate notification emails through Google's infrastructure. Ultimately, the recipients were directed to phishing sites designed to harvest credentials or redirect funds into attacker-controlled wallets.
What makes many phishing emails so dangerous is their believability and plausibility, much of which is achieved by invoking feelings of trust and reliability in users. Attackers achieve this by mimicking familiar communication styles, using brand impersonation, spoofed email addresses, and flawless grammar.
These tactics can make phishing emails difficult for traditional security filters to identify, which is why user awareness and reporting are also critical to improving detection. Our Threat Labs teams are actively working to stay ahead of advanced attacks, as shown in the following examples.
How the Attack Works
Step 1: Exploiting Legitimate Google Drive Notification
This phishing tactic takes advantage of Google Drive's file-sharing functionality in a way that differs from earlier campaigns. While older methods involve tagging people in a shared document, this technique relies on attacker-controlled Google Workspace accounts.
First, cybercriminals register custom domains, which allow them to create numerous user accounts. They then sign up for Google Workspace using these domains and generate multiple user accounts, giving them access to Google Drive's sharing features. Using this setup, attackers upload PDF files containing malicious phishing links and share them with victims. When the files are shared, Google's notify feature automatically generates a legitimate notification email to the recipient.
As can be seen in the example below, attackers combine the use of a third-party service with social engineering techniques to entice the recipient into engaging with the attack. In this case, the attacker is impersonating a debt agent, using the subject "Notice: Outstanding Debt Now Past Due" to create a sense of urgency, pressuring the recipient to take immediate action.
Screenshot of a legitimate Google notification email used to direct recipients to a malicious PDF.
Our Threat Labs team noted that many of these phishing emails centered around the following subjects:
- Security Requirements/Activity
- Account Renewal/Unblock/Verification
- Billing Information Update/Verification
By leveraging Google's trusted notification system, attackers significantly improve email deliverability. Since the phishing email comes from Google's legitimate infrastructure, it's more likely to bypass security measures like signature-based and reputation-based detection in Microsoft 365 and secure email gateways (SEGs). These security tools typically rely on sender reputation and domain age to flag malicious emails, but because the notification is generated by Google, it appears trustworthy.
Additionally, recipients are more inclined to trust the email because of its familiar and reputable origin, increasing the likelihood they'll open the message and interact with the malicious content.
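Because the sending infrastructure is Google's own, a filter has to look past the From domain to who actually shared the file. The following is an added example, not code from the original article or from KnowBe4: it scores a Drive share notification on the sharer's domain and on the subject themes listed above. The notifier address, the use of Reply-To to carry the sharer's address, the allowlist and the sample messages are all assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: Drive share notifications use this From address and carry the
# sharing user in Reply-To. Run only after SPF/DKIM/DMARC confirm Google sent it.
DRIVE_NOTIFIER = "drive-shares-dm-noreply@google.com"
# Hypothetical allowlist of domains the organization really shares files with.
KNOWN_SHARER_DOMAINS = {"example.com", "partner.example"}
# Subject themes reported on this page, plus debt-urgency wording.
THEME_TERMS = ("security", "account", "renewal", "unblock", "verification",
               "billing", "past due", "debt")

def score_drive_notification(raw: str) -> dict:
    """Score one message: +1 for an unknown sharer domain, +1 for a lure subject."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != DRIVE_NOTIFIER:
        return {"is_drive_share": False, "score": 0, "reasons": []}
    reasons = []
    sharer = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    domain = sharer.rpartition("@")[2]
    if not domain:
        reasons.append("no sharer address in Reply-To")
    elif domain not in KNOWN_SHARER_DOMAINS:
        reasons.append(f"sharer domain not on allowlist: {domain}")
    subject = str(msg.get("Subject", "")).lower()
    hits = [t for t in THEME_TERMS if t in subject]
    if hits:
        reasons.append("subject matches lure themes: " + ", ".join(hits))
    return {"is_drive_share": True, "sharer_domain": domain,
            "score": len(reasons), "reasons": reasons}

# Constructed sample messages (not taken from the campaign).
SUSPICIOUS = """\
From: "Collections Dept (via Google Drive)" <drive-shares-dm-noreply@google.com>
Reply-To: Collections Dept <agent@debt-notices.example>
Subject: Notice: Outstanding Debt Now Past Due

Collections Dept shared an item with you: statement.pdf
"""
BENIGN = """\
From: "Dana (via Google Drive)" <drive-shares-dm-noreply@google.com>
Reply-To: Dana <dana@example.com>
Subject: Item shared with you: Q3 planning

Dana shared an item with you: Q3 planning
"""
OTHER = "From: News <newsletter@example.org>\nSubject: Account security tips\n\nHello\n"
```

A score of 2 marks a message for quarantine or review; a score of 1 is better treated as a banner warning than a block, since unknown external sharers are common in normal business use.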
Step 2: Lookalike Landing Pages
If the recipient were to click the links embedded in the PDF, they would be directed to a landing page designed to impersonate the debt agency. On this page, they are prompted to enter their credentials to view the supposed document. While the main goal in this example is to harvest login credentials, other attacks in this campaign have taken a different approach, directing recipients to fake finance portals where they are encouraged to transfer funds.
Screenshot of the initial landing page present upon clicking the link in the phishing email.
Analysis: The Rise of Legitimate Domains in Phishing Attacks
This campaign is not an isolated incident in 2025.
KnowBe4's Threat Labs team has identified numerous examples where attackers are using legitimate domains to bypass SEGs. Our latest Phishing Threat Trends Report reveals a 67.4% increase in phishing campaigns exploiting trusted platforms, highlighting DocuSign, PayPal, Microsoft, Google Drive, and Salesforce as the most commonly used.
Our Threat Labs has also uncovered other examples of this tactic. For instance, from January 1st to March 7th, 2025, phishing attacks using QuickBooks saw a 36.5% rise. Here, cybercriminals created free accounts with email-sending privileges to launch their attacks directly from within these trusted platforms. Similarly, hijacking legitimate Microsoft invoices and manipulating mail-flow rules allowed attackers to bypass security checks, making the emails appear authentic and harder to detect.
These attacks are particularly hard to detect because they all leverage trusted, legitimate platforms, making the phishing emails appear authentic and bypassing security measures like signature-based filtering and reputation checks. This makes them highly concerning, as they are nearly impossible for traditional email security systems to detect, increasing the risk of successful breaches if a recipient is not able to identify the email as malicious.
What can organizations do?
This growing trend underscores the need for organizations to adopt intelligent anti-phishing technology that, unlike traditional solutions, can holistically analyze all elements of an email, including the sender's domain, content, and social engineering tactics. To effectively combat this threat, organizations must also pair advanced technology with timely, relevant coaching to help employees recognize the subtle signs of phishing.
Together, these strategies form a comprehensive defense that can better protect individuals and organizations from sophisticated phishing attacks.