First QuickBooks, then Microsoft, and now Google—will the hijacking of legitimate third-party platform communications stop escalating in 2025? Our Threat Labs researchers predict the answer is no.
As long as these attack tactics remain effective, cybercriminals will continue to use them, which likely explains the spike in the exploitation of Google Services for phishing attacks observed in the first month of 2025.
Executive Summary
While the abuse of Google Services isn't new, our Threat Labs team observed a significant spike in January 2025—this time, leveraging new tactics not previously seen by the team.
In this campaign, attackers abused Google Drive's sharing feature: they uploaded documents (PDFs, in the cases observed) containing embedded secondary links, then shared them so that Google's own infrastructure sent each recipient a legitimate share-notification email. The links inside the shared files led to phishing sites built to harvest credentials or to redirect funds into attacker-controlled wallets.
What makes these phishing emails dangerous is their plausibility. Attackers earn the recipient's trust by mimicking familiar communication: impersonating known brands, spoofing or borrowing legitimate sender addresses, and writing in flawless grammar.
These tactics make the emails hard for traditional security filters to flag, which is why user awareness and reporting remain critical to detection. Our Threat Labs team works to stay ahead of such attacks, as the following examples show.
How the Attack Works
Step 1: Exploiting Legitimate Google Drive Notifications
This tactic uses Google Drive's file-sharing functionality differently from earlier campaigns. Where older methods tagged people inside a shared document, this technique relies on Google Workspace accounts that the attacker controls.
First, the criminals register custom domains and sign them up for Google Workspace, which lets them create many user accounts under each domain, every one with full access to Drive's sharing features. From these accounts they upload PDF files containing the phishing links and share them with victims with the notify option enabled, so Google itself generates and sends a genuine share-notification email to each recipient.
As can be seen in the example below, attackers combine the use of a third-party service with social engineering techniques to entice the recipient into engaging with the attack. In this case, the attacker is impersonating a debt agent, using the subject—"Notice: Outstanding Debt Now Past Due"— to create a sense of urgency, pressuring the recipient to take immediate action.
Screenshot of a legitimate Google notification email used to direct recipients to a malicious PDF.
Our Threat Labs team noted that many of these phishing emails centered around the following subjects:
- Security Requirements/Activity
- Account Renewal/Unblock/Verification
- Billing Info Update/Verification
By sending through Google's trusted notification system, attackers gain excellent deliverability. The message is genuinely generated and sent by Google, so SPF, DKIM and DMARC pass for google.com, and the checks that secure email gateways (SEGs) and Microsoft 365 lean on, such as sender reputation, domain age and known-bad signatures, all evaluate Google rather than the attacker. The attacker's newly registered Workspace domain appears only as the sharer named inside the notification body, and the phishing URL is not in the email at all: it sits inside the shared PDF hosted on drive.google.com.
Recipients, too, are inclined to trust a message from a familiar, reputable source, which makes them more likely to open it and interact with the malicious content.
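As an added example (not KnowBe4 code and not part of the original article), here is a small Python triage routine that applies the point above: it treats passing SPF/DKIM on a Google Drive notification as expected rather than as a trust signal, pulls the sharer's identity out of the notification body, checks that domain against a collaboration allowlist, and flags the lure language this campaign used. The notifier address, the body format the regex expects, the allowlist and both sample messages are assumptions or constructed for the example; adjust them to what your own mail logs show.

```python
import email
import email.utils
import re
from email import policy

# Assumption (not stated in the article): the From address Google uses for
# Drive share notifications. Confirm against your own mail logs.
GOOGLE_DRIVE_NOTIFIER = "drive-shares-dm-noreply@google.com"

# Hypothetical allowlist of domains this organisation expects Drive shares from.
TRUSTED_SHARER_DOMAINS = {"example.com", "partner.example"}

# Lure themes the article reports for this campaign.
LURE_TERMS = (
    "past due", "outstanding debt", "unblock", "verify", "verification",
    "renewal", "billing", "security activity", "security requirement",
)

# Approximate (constructed) shape of the line in the notification that names
# the sharing account: "Display Name (user@domain) has shared ...".
SHARER_RE = re.compile(
    r"(?P<name>[^\n(]+?)\s*\((?P<addr>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)\)\s+(?:has\s+)?shared",
    re.IGNORECASE,
)


def sharer_from_body(body):
    """Return (display_name, address) of the sharing account, or None."""
    m = SHARER_RE.search(body)
    if m is None:
        return None
    return m.group("name").strip(), m.group("addr").lower()


def triage(raw):
    """Classify one raw RFC 5322 message and explain the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if from_addr != GOOGLE_DRIVE_NOTIFIER:
        return {"verdict": "not_drive_share", "reasons": [], "sharer": None,
                "google_authenticated": False}

    auth = str(msg.get("Authentication-Results", "")).lower()
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""

    # SPF/DKIM passing only proves Google relayed the message. For a Drive
    # notification that is expected, so it is recorded but never trusted.
    google_authenticated = "spf=pass" in auth and "dkim=pass" in auth

    reasons = []
    sharer = sharer_from_body(body)
    if sharer is None:
        reasons.append("no sharer identity found in notification body")
    else:
        domain = sharer[1].rsplit("@", 1)[1]
        if domain not in TRUSTED_SHARER_DOMAINS:
            reasons.append(f"sharer domain {domain} not in collaboration allowlist")

    text = (subject + "\n" + body).lower()
    hits = sorted(term for term in LURE_TERMS if term in text)
    if hits:
        reasons.append("lure language: " + ", ".join(hits))

    return {"verdict": "review" if reasons else "allow", "reasons": reasons,
            "sharer": sharer, "google_authenticated": google_authenticated}


# Constructed sample modelled on the article's lure; the sharer domain uses the
# reserved .invalid TLD. Google really did send this kind of message, so the
# authentication results legitimately pass.
PHISH_SAMPLE = """\
From: Google Drive <drive-shares-dm-noreply@google.com>
To: victim@example.com
Subject: Notice: Outstanding Debt Now Past Due
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset="utf-8"

Collections Desk (notices@recoveries-wsp.invalid) has shared the following document:

Notice: Outstanding Debt Now Past Due

Open
https://drive.google.com/file/d/EXAMPLEID/view
"""

# Constructed sample of a share from a known partner domain.
BENIGN_SAMPLE = """\
From: Google Drive <drive-shares-dm-noreply@google.com>
To: victim@example.com
Subject: Document shared with you: "Q1 budget review"
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset="utf-8"

Alice Partner (alice@partner.example) has shared the following document:

Q1 budget review

Open
https://drive.google.com/file/d/EXAMPLEID/view
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

Both samples authenticate identically as google.com; only the sharer domain and the lure language separate them, which is the whole point: once a message arrives through a trusted platform, the useful signals are the identity of the account that used the platform and what the content is trying to make the recipient do.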
Step 2: Lookalike Landing Pages
If the recipient clicks the link embedded in the PDF, they land on a page that impersonates the debt agency and asks for login credentials in order to "view" the supposed document. Credential harvesting is the goal in this example; other attacks in the same campaign instead sent recipients to fake finance portals that pressed them to transfer funds.
Screenshot of the initial landing page present upon clicking the link in the phishing email.
Analysis: The Rise of Legitimate Domains in Phishing Attacks
This campaign is not an isolated incident in 2025.
KnowBe4's Threat Labs team has identified a number of examples where attackers use legitimate domains to bypass SEGs. Our latest Phishing Threat Trends Report shows a 67.4% increase in phishing campaigns exploiting trusted platforms, with DocuSign, PayPal, Microsoft, Google Drive, and Salesforce the most commonly abused.
Our Threat Labs has also uncovered other examples of this tactic. From January 1st to March 7th, 2025, phishing attacks using QuickBooks rose 36.5%; there, criminals created free accounts that carry email-sending privileges and launched their attacks directly from inside the platform. Similarly, hijacking legitimate Microsoft invoices and manipulating mail-flow rules let attackers bypass security checks, so the emails appeared authentic and were harder to detect.
All of these attacks ride on trusted, legitimate platforms, so the phishing emails are authentic in every sense that signature- and reputation-based filtering can measure. That makes them largely invisible to traditional email security, and the outcome then depends on whether the recipient recognizes the lure.
What can organizations do?
This trend underscores the need for anti-phishing technology that, unlike traditional reputation-driven filters, analyzes every element of a message: the identity of the account that actually shared the file (not just Google's sending domain), the content and its social-engineering cues, and the destination of links inside shared attachments rather than only the links in the email body. Google Workspace administrators can also review their Drive sharing settings, which control whether users may receive files from outside the organization. To effectively combat this threat, organizations must pair that technology with timely, relevant coaching so employees recognize the subtle signs of phishing, including an unexpected share from an unknown account that arrives wrapped in urgent debt, billing or account-verification language.
Together, these strategies form a comprehensive defense that can better protect individuals and organizations from sophisticated phishing attacks.