GoDMARC Knowledge Base – Email Security Articles & Tips

One Misconfigured Record Can Cost You Millions, Here’s How.

May 6, 2026 | DKIM, DMARC, DMARC Policy, DMARC Record, SPF | By Tarun

There’s a question keeping cybersecurity teams up at night, and it’s not “what if attackers send malicious emails from shady domains?” That problem has largely been solved. The real question is far more unsettling:

What happens when the attacker’s email comes from Google?

That’s not a hypothetical question. It’s exactly what happened in a recently uncovered phishing campaign, and it exposes a critical blind spot in how organizations think about email security today.

The Attack That Passed Every Check

Cybersecurity researchers recently dismantled a large-scale phishing operation that compromised over 30,000 social media business accounts across the United States, India, Italy, Canada, the UK, and several other countries. The campaign, which researchers linked to coordinated threat actors, didn’t rely on sketchy lookalike domains or suspicious senders. Instead, it did something far cleverer.

It used Google AppSheet, a legitimate, widely trusted no-code app platform with its own email delivery engine.

The phishing messages landed in inboxes from [email protected]. A real Google address. Authenticated. Verified. Clean.

And because the emails were technically sent through Google’s infrastructure, they sailed past SPF checks, DKIM validation, and even DMARC filters: the very mechanisms designed to catch exactly this kind of impersonation.

This is what security professionals call platform abuse, and it’s becoming the preferred weapon for sophisticated threat actors worldwide.

Why This Should Alarm Every Business Using Email

Here’s the hard truth most vendors won’t tell you: DMARC, SPF, and DKIM are necessary, but not sufficient on their own.

These protocols verify that an email came from an authorized server for a given domain. But when an attacker legitimately uses Google’s, Microsoft’s, or any trusted platform’s infrastructure to send malicious content, those checks pass with flying colors. The system works exactly as designed. The problem is that the design wasn’t built for this scenario.

The campaign in question didn’t stop at Google AppSheet. Researchers found attackers leveraging a full stack of trusted platforms:

  • Netlify — to host fake Facebook Help Center pages with unique subdomains per victim (bypassing URL blocklists entirely)
  • Vercel — to serve fake Meta verification and “Security Check” pages
  • Google Drive — to distribute PDFs designed to look like official Meta compliance documents
  • Canva — to build convincing branded phishing collateral
  • Telegram — to collect stolen credentials, session tokens, and real-time operator panels

Each platform individually is legitimate. Combined, they form an end-to-end phishing assembly line that looks, at every checkpoint, like normal business activity.

How Modern Phishing Attacks Actually Work

What made this operation particularly dangerous wasn’t just the tools; it was the sophistication of the human engineering layered on top.

Victims received messages claiming their business accounts faced imminent deletion, copyright action, or policy violations. Urgency is the oldest trick in the book, but the execution here was clinical.

Step one – a convincing email from a real Google address, warning of an account policy violation.

Step two – a link to a Netlify page that was an almost pixel-perfect replica of a legitimate support portal, with a unique URL generated per target to avoid detection.

Step three – a multi-stage data collection flow that didn’t just grab passwords. It asked for dates of birth, phone numbers, government-issued ID photos, and two-factor authentication codes. Some pages were deliberately designed to trigger fake login errors, capturing multiple credential attempts and thereby maximizing the accuracy of stolen data.

Step four – a real-time operator dashboard, powered by Socket.IO, that lets attackers interact with live victims mid-session. Not a bot. A human operator, guiding each compromise in real time.

Step five – everything funneled to private Telegram channels, structured for rapid account takeover before victims realized what had happened.

This wasn’t a blunt instrument. It was a precision tool, and it exploited trust at every level.

What This Means for Email Authentication Strategy

The lesson here isn’t that email authentication is broken. It’s that authentication without visibility is incomplete protection.

DMARC does its job. It prevents someone from spoofing your domain to attack your customers. That’s non-negotiable, and every organization should have it fully enforced. But this attack illustrates why a layered email security posture matters:

1. DMARC enforcement protects your domain’s outbound reputation, so deploy it. If your domain isn’t DMARC-enforced today, attackers can send emails that appear to come directly from your brand. That’s the first problem to solve.

2. Inbound filtering needs behavioral intelligence, not just authentication signals. An email that passes DMARC from appsheet.com isn’t dangerous because of the domain. It’s dangerous because of what it’s trying to do. Content analysis, link scanning, and behavioral anomaly detection catch what authentication checks miss.

3. Real-time monitoring and alerting close the gap. Knowing when your domain is being impersonated, or when your users are receiving authenticated but malicious content, requires continuous visibility, not quarterly reports.

4. Employee awareness is still your last line of defense. No technical control prevents a well-targeted, well-crafted message from reaching a human. Business teams receiving urgency-driven communications about account suspension or policy review should have clear, practiced escalation paths.
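
As an added example (not code from the original article or from GoDMARC), the sketch below scores a message on content signals even though authentication has passed, as item 2 describes. The sender domain, message text, phrase list and weights are constructed assumptions; the hosting suffixes are the platforms the article names.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumptions: hosting suffixes are the platforms named in the article;
# urgency phrases and weights are illustrative, not a tuned rule set.
SHARED_HOSTING = (".netlify.app", ".vercel.app")
URGENCY = ("account deletion", "policy violation", "copyright", "verify your account")

def auth_passed(msg):
    """True when the receiving MTA recorded dmarc=pass."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", results, re.I) is not None

def content_signals(msg):
    """Score the body on intent, ignoring who sent it."""
    body = msg.get_payload().lower()
    reasons = []
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    for host in sorted({urlparse(u).hostname or "" for u in urls}):
        if host.endswith(SHARED_HOSTING):
            reasons.append(("link to subdomain on shared hosting: " + host, 2))
    for phrase in URGENCY:
        if phrase in body:
            reasons.append(("urgency phrase: " + phrase, 1))
    return reasons

def triage(raw):
    msg = message_from_string(raw)
    reasons = content_signals(msg)
    score = sum(weight for _, weight in reasons)
    if score >= 3:
        # A DMARC pass does not lower the score; it only changes the label.
        verdict = "hold: authenticated but suspicious" if auth_passed(msg) else "hold: suspicious"
    else:
        verdict = "deliver"
    return verdict, score, [text for text, _ in reasons]

# Constructed sample message, not a captured one.
SAMPLE = """\
From: Support <notify@trusted-platform.example>
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass header.from=trusted-platform.example
Subject: Action required

Your page faces account deletion for a policy violation.
Appeal here: https://constructed-sample-0001.netlify.app/appeal
"""
print(triage(SAMPLE))
```
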

The Bigger Picture: Trusted Infrastructure as Attack Surface

What this campaign really represents is a maturation of the threat landscape. Attackers are no longer building their own infrastructure; it’s too expensive, too detectable, and too easily taken down. Instead, they’re renting trust from the platforms we’ve already decided to believe.

When your email filter sees a message from Google, it doesn’t see a threat. When your browser visits a Netlify page, it doesn’t see a threat. When your user opens a Google Drive PDF, they don’t see a threat.

The threat is the content. The threat is the intent. And detecting that requires a fundamentally different approach than checking whether the DKIM signature is valid.

This is the challenge that defines the next era of email security, and it’s one that organizations can’t afford to face with yesterday’s toolset.

What You Can Do Today

If you’re a business owner, IT administrator, or security decision-maker, here are three immediate actions worth taking:

Audit your DMARC policy. If you’re still at p=none (monitoring mode), you’re not protected. Move to p=quarantine or p=reject to prevent domain spoofing. Tools like GoDMARC make this transition visible and manageable.

Review your inbound email filtering capabilities. Confirm that your filters analyze link destinations and content behavior — not just sender authentication. Ask your vendor how they handle emails from trusted platforms carrying malicious payloads.

Train your teams on platform-abuse phishing. The era of obvious phishing, like bad grammar and suspicious senders, is over. Today’s attacks come from @google.com and link to Netlify. Your employees need to know that trusted logos and clean links are no longer proof of safety.

Final Thought

The 30,000 accounts compromised in this campaign weren’t victims of a technical failure. DMARC worked. SPF worked. DKIM worked. The failure was a gap in the overall strategy, a gap between authentication and trust intelligence.

Closing that gap is what modern email security is about. And it starts with recognizing that the most dangerous emails aren’t the ones that look suspicious.

They’re the ones that look exactly like they should.
