Hackers Use Free Firebase Accounts for Phishing Emails

A significant shift in cybercrime tactics sees attackers increasingly ‘living off the cloud,’ a strategy that allows them to bypass traditional security perimeters.

By exploiting the infrastructure of trusted service providers, attackers can effectively cloak their malicious activities, making detection significantly more difficult for both automated defense systems and human observers in the corporate environment.

This trend has recently escalated with a sophisticated campaign where threat actors leverage free Firebase developer accounts to facilitate their attacks.

Firebase, a widely used mobile and web application development platform, offers a complimentary tier that allows users to host content and deploy applications.

Hackers are capitalizing on this feature to host convincing phishing pages that mimic the login portals of popular brands, weaponizing the platform’s legitimacy.

Unit 42 analysts identified this malicious activity in early February 2026, observing a distinct surge in phishing campaigns utilizing these exploited developer accounts.

Their research highlights that the attackers are employing high-pressure tactics to manipulate victims.

Common lures include sending urgent alerts regarding fraudulent account usage or enticing users with offers of free, high-value items, designed to provoke an immediate and unthinking response from the target.

The effectiveness of these campaigns is largely due to the inherent trust users and security systems place in the hosting domain.

Since the phishing links reside on valid subdomains of firebaseapp.com or web.app, they frequently bypass email security gateways that whitelist Google-affiliated infrastructure.

This high delivery rate, combined with the visual authenticity of the hosted pages, leads to a significant increase in successful credential theft.

Detection Evasion Through Domain Reputation

A defining characteristic of this operation is its reliance on “reputation hijacking” to circumvent standard detection protocols.

Traditional security filters primarily analyze the age and reputation of a domain to verify its legitimacy.

By hosting phishing content on Firebase, attackers inherit the positive reputation of the Google-hosted domain, effectively neutralizing domain-based blocking mechanisms that would typically flag unknown sites.

Furthermore, the cost-free nature of these accounts allows for rapid proliferation and persistence.

If a specific malicious project is flagged and suspended, the attackers can instantaneously provision a new instance with a different name.

This ephemeral nature of the infrastructure creates a challenging environment for defenders, as the underlying hosting service remains trusted and legitimate while the specific malicious subdomains constantly shift, rendering static blocklists ineffective against the threat.

Organizations should enhance their defensive posture by implementing strict inspection of URL destinations, including those hosted on known cloud provider domains.

Security teams are advised to monitor for unusual traffic patterns to generic cloud subdomains and educate employees on verifying the full URL path before entering credentials or sensitive data.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.