Phishers are abusing Google Cloud signed URLs to slip past security scanners.
On June 10, researchers detailed a phishing operation that stitches together thousands of servers to host copied New York Times articles. The attackers generate Google Cloud Storage signed URLs that appear to be harmless links, then embed them in malicious emails. When a security scanner follows the URL, it sees legitimate content and marks the message safe, allowing the payload to reach the recipient’s inbox.
The trick matters because it defeats one of the few automated defenses most organizations rely on. By using trusted cloud infrastructure, the campaign sidesteps reputation‑based blocks and makes takedown efforts harder, forcing defenders to inspect content more closely.
Until scanners learn to verify the final destination of signed URLs, this strategy will likely stay a step ahead of most inbox protections.