Phishing attacks are nothing new, but attackers keep finding smarter ways to stay one step ahead of security tools.
The latest campaign doing the rounds is a stark reminder that trust, especially the kind organizations place in big-name tech platforms, can be turned into a weapon.
Hackers are now hiding malicious links inside a chain of legitimate Google services, which makes it far harder for automated email security systems to catch them before they land in someone's inbox.
The campaign works by stacking multiple trusted Google domains inside a single link. When security tools scan the email, all they see are familiar, reputable Google addresses.
The hidden destination, the actual phishing page, stays completely out of sight until a real person clicks the link. That single gap between what a machine sees and what a human experiences is exactly what attackers are counting on.
Researchers at KnowBe4 ThreatLabs said in a report shared with Cyber Security News (CSN) that they are actively tracking this campaign and identified the triple-chain delivery method that makes it so effective at evading detection.
The technique stacks three Google services in sequence, Google Meet, Google Search Redirect, and Google Ad Service, to route victims to malicious destinations without raising any alarms along the way.
The lures used to draw victims in are designed to create urgency. Attackers craft emails that look like FedEx delivery updates, DocuSign and AutoSign document requests, Microsoft 365 password expiry alerts, fake payment remittances, and emails containing malicious QR codes.
Embedded tweet from KB4ThreatLabs (@Kb4Threatlabs), May 26, 2026: "PHISH ALERT: How Attackers Are Abusing Google Infrastructure for Phishing. KnowBe4 ThreatLabs is tracking an active phishing campaign that weaponizes a nested, triple-chain of Google services —Google Meet, Google Search Redirect, and Google Ad Service—to completely blindside…" pic.twitter.com/EknxrJikgI
Each lure is engineered to make the recipient feel immediate action is required. Once a victim clicks, the campaign takes one of two paths depending on the type of email received.
Some victims land on a convincing, pixel-perfect Microsoft 365 sign-in page that already has their email pre-filled, primed for credential theft.
Others are taken to a fake OneDrive shared document that shows a pre-generated Microsoft device code which, if entered on Microsoft's genuine device login page, hands attackers access to the victim's corporate account without ever needing their password.
Hackers Abuse Trusted Google Domains
The core of this attack lies in what researchers call the Nested Delivery Matrix. Attackers construct a URL that passes through three Google-owned domains before arriving at the attacker-controlled destination.
The chain looks like this: a Microsoft Defender Safe Links wrapper (safelinks.protection.outlook.com) points to meet.google.com/linkredirect, which passes to google.com/url, which then redirects through adservice.google.com.ph before finally landing on the attacker-controlled page.
Secure Email Gateways that rely on domain reputation inspect each hop in this chain and find nothing suspicious, because every domain they check belongs to Google (or, for the Safe Links wrapper, Microsoft) and reputation scores are clean across the board.
The scanner then considers the email safe and lets it through, never resolving the final destination, which is a phishing page waiting for an unsuspecting employee to click.
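Detection does not have to stop at the first hop. The following added example (not code from the KnowBe4 report or from Cyber Security News) statically unwraps a nested redirect chain of the shape described above, without fetching anything, and then checks the final host against the report's IoC list. The wrapper hosts are the ones named in the article; the query parameters assumed to carry the next hop (Safe Links `url`, Meet `dest`, Google `url`/`q`, Ad Service `adurl`) and the Ad Service path `/redir` are assumptions to be confirmed against real samples. The nested sample URL is constructed here from the article's own domains.

```python
"""Statically unwrap a chain of trusted-domain redirects and score the final host.

Added example. Redirector parameter names are ASSUMED (see lead-in); the
sample URL is constructed from the domains named in the article.
"""
from urllib.parse import urlparse, parse_qs, quote

# Ordered most-specific first: (host, query parameters that hold the next URL).
# A host matches on exact name, a subdomain (eur01.safelinks...), or a ccTLD
# variant (adservice.google.com.ph). Parameter names are assumptions.
REDIRECTORS = [
    ("safelinks.protection.outlook.com", ("url",)),   # Microsoft Defender Safe Links
    ("meet.google.com", ("dest",)),                   # /linkredirect
    ("adservice.google.com", ("adurl",)),             # Google Ad Service
    ("google.com", ("url", "q")),                     # /url search redirect
]
MAX_HOPS = 10  # guard against loops and pathological nesting

# Defanged domains from the report's IoC table.
IOC_DOMAINS = {
    "vazquezfleytas[.]com", "edificiocristal[.]pt", "velvorra[.]com",
    "furqanmustafa[.]com", "unitedtechnofzmlogies[.]vu",
    "odahlzr5lm[.]reliabilityinoperations[.]de", "staiwooje[.]app",
}


def redirector_params(host):
    """Return the next-hop parameter names if `host` is a known redirector."""
    for key, params in REDIRECTORS:
        if host == key or host.endswith("." + key) or host.startswith(key + "."):
            return params
    return None


def unwrap_chain(url, max_hops=MAX_HOPS):
    """Return (hops, final_host): every URL seen, outermost first, and the last host.

    Only the query string is parsed; nothing is fetched, so this is safe to run
    on untrusted input inside a gateway or SOAR action.
    """
    hops = [url]
    current = url
    for _ in range(max_hops):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        params = redirector_params(host)
        if params is None:
            break                      # reached a non-redirector: the real destination
        qs = parse_qs(parsed.query)    # decodes exactly one layer of percent-encoding
        nxt = next((qs[p][0] for p in params if qs.get(p)), None)
        if nxt is None or not nxt.lower().startswith(("http://", "https://")):
            break                      # redirector without a usable next hop
        hops.append(nxt)
        current = nxt
    return hops, (urlparse(current).hostname or "").lower()


def refang(indicator):
    return indicator.replace("[.]", ".")


def verdict(url):
    """Unwrap `url` and flag nested redirects and IoC hits on the final host."""
    hops, final_host = unwrap_chain(url)
    bad = {refang(d) for d in IOC_DOMAINS}
    ioc_match = any(final_host == d or final_host.endswith("." + d) for d in bad)
    return {
        "hops": len(hops),
        "final_host": final_host,
        "nested_redirect": len(hops) > 2,   # more than one trusted wrapper is itself suspicious
        "ioc_match": ioc_match,
    }


def build_sample():
    """Constructed URL mirroring the article's chain; the /login path and /redir path are invented."""
    dest = "https://vazquezfleytas.com/login"                      # refanged IoC
    ads = "https://adservice.google.com.ph/redir?adurl=" + quote(dest, safe="")
    gurl = "https://www.google.com/url?q=" + quote(ads, safe="")
    meet = "https://meet.google.com/linkredirect?authuser=0&dest=" + quote(gurl, safe="")
    return "https://eur01.safelinks.protection.outlook.com/?url=" + quote(meet, safe="")


if __name__ == "__main__":
    hops, _ = unwrap_chain(build_sample())
    for i, h in enumerate(hops):
        print(f"hop {i}: {h[:90]}")
    print(verdict(build_sample()))
```

Each wrapper layer percent-encodes the one inside it, so `parse_qs` peels exactly one layer per hop and no extra unquoting is needed. In practice the verdict should combine the nested-redirect flag (three or more hops through different trusted redirectors is rare in legitimate mail) with the final-host reputation, since the IoC list will lag behind the campaign's domain rotation.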
Credential Theft and Session Hijacking: The Two-Pronged Payload
When victims arrive at the phishing page, the attack splits into two distinct outcomes. The first is classic credential harvesting, where a fake M365 login page captures usernames and passwords directly.
What makes this especially dangerous is that the victim’s email address is already pre-populated on the page, giving it an air of legitimacy that lowers suspicion.
The second outcome is more sophisticated. Victims are shown a fake OneDrive document preview that includes a Microsoft device authentication code.
If the victim enters this code on the legitimate Microsoft device login page and completes sign-in, the attacker's pending device-code request is approved and the attacker receives access and refresh tokens for the victim's account. This method, known as device code phishing, requires no stolen password, and because the victim completes multi-factor authentication themselves on the genuine Microsoft page, MFA is satisfied rather than challenged; the attacker ends up holding an authenticated session.
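Because the sign-in happens on Microsoft's own page, the evidence of a successful device code phish lives in the tenant's sign-in logs rather than in the email. The following added example (not from the report) runs a simple hunt over Entra ID sign-in records: it flags successful sign-ins whose authentication protocol is the device code flow and raises the severity when the source IP has never been seen in that user's ordinary sign-ins. The record fields follow the Microsoft Graph signIn resource (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `resourceDisplayName`, `status.errorCode`); the log lines themselves are constructed, and the "known IP" baseline is a heuristic of this example, not a Microsoft feature.

```python
"""Hunt for device-code-flow sign-ins in Entra ID sign-in log exports.

Added example. SAMPLE_LOGS is constructed; the field names follow the
Microsoft Graph signIn resource. The new-IP baseline is an assumption of
this example, not something the logs provide directly.
"""
import json
from collections import defaultdict

# Constructed JSON-lines export. IPs are documentation ranges; error 50126 is a
# generic failed-sign-in code used here only to mark a non-successful attempt.
SAMPLE_LOGS = """
{"createdDateTime": "2026-05-26T08:01:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-26T09:14:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-26T09:20:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-05-26T10:02:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.5", "appDisplayName": "Outlook", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-26T10:30:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}}
"""


def parse_jsonl(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _succeeded(rec):
    return rec.get("status", {}).get("errorCode") == 0


def find_device_code_signins(jsonl_text):
    """Return findings for successful deviceCode sign-ins, in log order.

    Severity is 'high' when the IP was never seen in the user's successful
    non-device-code sign-ins (the baseline), otherwise 'medium': device code
    is legitimate for headless devices, so a known IP lowers but does not
    clear suspicion.
    """
    records = parse_jsonl(jsonl_text)

    # Baseline: IPs each user has used for ordinary, successful sign-ins.
    known_ips = defaultdict(set)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode" and _succeeded(rec):
            known_ips[rec["userPrincipalName"]].add(rec["ipAddress"])

    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if not _succeeded(rec):
            continue  # no tokens were issued; still worth a lower-priority log line
        user = rec["userPrincipalName"]
        new_ip = rec["ipAddress"] not in known_ips[user]
        findings.append({
            "time": rec.get("createdDateTime"),
            "user": user,
            "ip": rec["ipAddress"],
            "app": rec.get("appDisplayName"),
            "resource": rec.get("resourceDisplayName"),
            "severity": "high" if new_ip else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_LOGS):
        print(f)
```

A real hunt would build the IP baseline from a longer window than the same export, and would add the token's subsequent use (mail rules, Graph calls from the same IP) as a second signal. Revoking the user's refresh tokens is the containment step, since the attacker holds tokens rather than the password.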
Security teams are urged to treat any email containing nested redirect chains, even those passing through trusted domains, with heightened scrutiny.
Organizations should train employees to verify links before clicking, watch for pre-populated login forms on unexpected sign-in pages, and report any suspicious device code prompts immediately.
Blocking unknown redirect patterns at the gateway level and enabling Conditional Access policies within Microsoft environments (Entra ID Conditional Access can block the device code flow outright through its authentication flows condition for users who have no legitimate need for it) can also limit the damage this kind of attack can cause.
Indicators of Compromise (IoCs):-
Type                  | Indicator                                                        | Description
Domain                | vazquezfleytas[.]com                                             | Attacker-controlled phishing domain
Domain                | edificiocristal[.]pt                                             | Attacker-controlled phishing domain
Domain                | velvorra[.]com                                                   | Attacker-controlled phishing domain
Domain                | furqanmustafa[.]com                                              | Attacker-controlled phishing domain
Domain                | unitedtechnofzmlogies[.]vu                                       | Attacker-controlled phishing domain
Domain                | cloudbemismanufacturingcompanygroup[.]rydezyhrsysteminc[.]vu     | Attacker-controlled phishing domain
Domain                | servicetriumphgroupsimplyappraisals[.]spectrhwqumbrands[.]vu     | Attacker-controlled phishing domain
Domain                | cloudgillettebrandberkshirehathaway[.]rtzcoekdrporation[.]vu     | Attacker-controlled phishing domain
Domain                | odahlzr5lm[.]reliabilityinoperations[.]de                        | Attacker-controlled phishing domain
App/Domain            | staiwooje[.]app                                                  | Attacker-controlled phishing endpoint
Cloudflare Worker URL | Link-form-unj9[.]p-sm7rw6ru[.]workers[.]dev                      | Malicious Cloudflare Workers delivery URL
Cloudflare Worker URL | data-cloud-ofe8[.]p-8yejy42o[.]workers[.]dev                     | Malicious Cloudflare Workers delivery URL
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Abuse Trusted Google Domains to Hide Phishing Links From Email Gateways appeared first on Cyber Security News.