Hackers Abuse Google Domains to Hide Phishing From Email Gate

Jennifer sherman
May 27, 2026

Phishing remains a persistent threat, with attackers continually evolving their tactics to bypass conventional security tools.

The latest campaign doing the rounds is a stark reminder that trust, especially the kind organizations place in big-name tech platforms, can be turned into a weapon.

Hackers are now hiding malicious links inside a chain of legitimate Google services, making it nearly impossible for automated email security systems to catch them before they land in someone’s inbox.

The campaign works by stacking multiple trusted Google domains inside a single link. When security tools scan the email, all they see are familiar, reputable Google addresses.

The hidden destination, the actual phishing page, stays completely out of sight until a real person clicks the link. That single gap between what a machine sees and what a human experiences is exactly what attackers are counting on.

Researchers at KnowBe4 ThreatLabs said in a report shared with Cyber Security News (CSN) that they are actively tracking this campaign and identified the triple-chain delivery method that makes it so effective at evading detection.

The technique stacks three Google services in sequence, Google Meet, Google Search Redirect, and Google Ad Service, to route victims to malicious destinations without raising any alarms along the way.

The lures used to draw victims in are designed to create urgency. Attackers craft emails that look like FedEx delivery updates, DocuSign and AutoSign document requests, Microsoft 365 password expiry alerts, fake payment remittances, and emails containing malicious QR codes.

PHISH ALERT: How Attackers Are Abusing Google Infrastructure for Phishing

KnowBe4 ThreatLabs is tracking an active phishing campaign that weaponizes a nested, triple-chain of Google services —Google Meet, Google Search Redirect, and Google Ad Service—to completely blindside… pic.twitter.com/EknxrJikgI

— KB4ThreatLabs (@Kb4Threatlabs) May 26, 2026

Each lure is engineered to make the recipient feel immediate action is required. Once a victim clicks, the campaign takes one of two paths depending on the type of email received.

Some victims land on a convincing, pixel-perfect Microsoft 365 sign-in page that already has their email pre-filled, primed for credential theft.

Others are taken to a fake OneDrive shared document that shows a pre-generated Microsoft device code, which, if entered, hands attackers full access to the victim’s corporate account without ever needing their password.

Hackers Abuse Trusted Google Domains

The core of this attack lies in what researchers call the Nested Delivery Matrix. Attackers construct a URL that passes through three Google-owned domains before arriving at the attacker-controlled destination.

The chain looks like this: SafeLinks routes to meet.google.com/linkredirect, which passes to google.com/url, which then redirects through adservice.google.com.ph before finally landing on the malicious page.

Secure Email Gateways inspect each hop in this chain and find nothing suspicious because every domain they check belongs to Google. Reputation scores are clean across the board.

The scanner then considers the email safe and lets it through, never knowing the final destination is a phishing page waiting for an unsuspecting employee to click.

Credential Theft and Session Hijacking: The Two-Pronged Payload

When victims arrive at the phishing page, the attack splits into two distinct outcomes. The first is classic credential harvesting, where a fake M365 login page captures usernames and passwords directly.

What makes this especially dangerous is that the victim’s email address is already pre-populated on the page, giving it an air of legitimacy that lowers suspicion.

The second outcome is more sophisticated. Victims are shown a fake OneDrive document preview that includes a Microsoft device authentication code.

If the victim enters this code into a legitimate Microsoft login page, the attacker silently gains access to the corporate session. This method, known as device code phishing, requires no stolen password and can bypass multi-factor authentication entirely.

Security teams are urged to treat any email containing nested redirect chains, even those passing through trusted domains, with heightened scrutiny.

Organizations should train employees to verify links before clicking, watch for pre-populated login forms on unexpected sign-in pages, and report any suspicious device code prompts immediately.

Blocking unknown redirect patterns at the gateway level and enabling conditional access policies within Microsoft environments can also limit the damage this kind of attack can cause.
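
The nested chain described under "Hackers Abuse Trusted Google Domains", and the advice above to scrutinize nested redirects, can be checked offline by unwrapping a link's query parameters instead of scoring each hop's reputation. The following is an added example, not code from KnowBe4 or from this article; the trusted-host list, the SafeLinks suffix match, the threshold, and the parameter name in the constructed sample are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, quote

# Redirector hosts named in the article; SafeLinks is matched by suffix (assumption).
TRUSTED = {"meet.google.com", "google.com", "www.google.com", "adservice.google.com.ph"}
TRUSTED_SUFFIXES = (".safelinks.protection.outlook.com",)

def is_trusted(host):
    return host in TRUSTED or host.endswith(TRUSTED_SUFFIXES)

def embedded_url(url):
    """Return the first query-parameter value that is itself an http(s) URL."""
    for _name, value in parse_qsl(urlsplit(url).query):
        try:
            parts = urlsplit(value)
        except ValueError:          # malformed value, not a usable URL
            continue
        if parts.scheme in ("http", "https") and parts.hostname:
            return value
    return None

def unwrap(url, max_depth=10):
    """Decode nested URLs without any network request; hosts, outermost first."""
    hosts = []
    while url and len(hosts) < max_depth:
        hosts.append(urlsplit(url).hostname or "")
        url = embedded_url(url)
    return hosts

def assess(url, max_trusted_hops=1):
    """Flag links that stack several trusted redirectors in front of another host."""
    hosts = unwrap(url)
    trusted_hops = 0
    for host in hosts:
        if not is_trusted(host):
            break
        trusted_hops += 1
    suspicious = trusted_hops > max_trusted_hops and not is_trusted(hosts[-1])
    return {"hosts": hosts, "trusted_hops": trusted_hops, "suspicious": suspicious}

def constructed_sample(hops, destination, param="url"):
    """Build test input only: 'param' is a placeholder name, not a documented one."""
    url = destination
    for hop in reversed(hops):
        url = f"https://{hop}?{param}={quote(url, safe='')}"
    return url

# Constructed sample mirroring the hop order in the article; destination is a placeholder.
SAMPLE = constructed_sample(
    ["emea01.safelinks.protection.outlook.com/", "meet.google.com/linkredirect",
     "google.com/url", "adservice.google.com.ph/"],
    "https://login.example.test/signin?user=a%40example.test")
```

A single trusted redirector in front of an external page is common in legitimate mail, so the default threshold only flags links where two or more trusted hops precede an untrusted final host.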

Indicators of Compromise (IoCs):

