Research · Published May 27, 2026 · 1 source

Hackers Abuse Trusted Google Domains to Hide Phishing Links From Email Gateways

Attackers are chaining Google Meet, Search Redirect, and Ad Service domains in a 'Nested Delivery Matrix' to bypass email security and steal Microsoft 365 credentials.

Phishing attacks are nothing new, but attackers keep finding smarter ways to stay one step ahead of security tools. The latest campaign doing the rounds is a stark reminder that trust, especially the kind organizations place in big-name tech platforms, can be turned into a weapon. Hackers are now hiding malicious links inside a chain of legitimate Google services, making it nearly impossible for automated email security systems to catch them before they land in someone's inbox.

The campaign works by stacking multiple trusted Google domains inside a single link. When security tools scan the email, all they see are familiar, reputable Google addresses. The hidden destination, the actual phishing page, stays completely out of sight until a real person clicks the link. That single gap between what a machine sees and what a human experiences is exactly what attackers are counting on.

Researchers at KnowBe4 ThreatLabs said in a report shared with Cyber Security News that they are actively tracking this campaign and identified the triple-chain delivery method that makes it so effective at evading detection. The technique stacks three Google services in sequence (Google Meet, Google Search Redirect, and Google Ad Service) to route victims to malicious destinations without raising any alarms along the way.

The lures used to draw victims in are designed to create urgency. Attackers craft emails that look like FedEx delivery updates, DocuSign and AutoSign document requests, Microsoft 365 password expiry alerts, fake payment remittances, and emails containing malicious QR codes. Each lure is engineered to make the recipient feel immediate action is required.

Once a victim clicks, the campaign takes one of two paths depending on the type of email received. Some victims land on a convincing, pixel-perfect Microsoft 365 sign-in page that already has their email pre-filled, primed for credential theft. Others are taken to a fake OneDrive shared document that shows a pre-generated Microsoft device code, which, if entered, hands attackers full access to the victim's corporate account without ever needing their password.

The core of this attack lies in what researchers call the Nested Delivery Matrix. Attackers construct a URL that passes through three Google-owned domains before arriving at the attacker-controlled destination. The chain looks like this: SafeLinks routes to meet.google.com/linkredirect, which passes to google.com/url, which then redirects through adservice.google.com.ph before finally landing on the malicious page. Secure Email Gateways inspect each hop in this chain and find nothing suspicious because every domain they check belongs to Google. Reputation scores are clean across the board. The scanner then considers the email safe and lets it through, never knowing the final destination is a phishing page waiting for an unsuspecting employee to click.

Security teams are urged to treat any email containing nested redirect chains, even those passing through trusted domains, with heightened scrutiny. Organizations should train employees to verify links before clicking, watch for pre-populated login forms on unexpected sign-in pages, and report any suspicious device code prompts immediately. Blocking unknown redirect patterns at the gateway level and enabling conditional access policies within Microsoft environments can also limit the damage this kind of attack can cause.
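One way a gateway rule or triage script could treat nested redirect chains with the scrutiny described above is to peel the link apart statically and look at where it ends, rather than scoring each hop's reputation. The following is an added example, not code from KnowBe4 or the original report; the sample URL is constructed, and its wrapper paths, parameter names and the `login.example.invalid` destination are illustrative assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, quote

# Google-owned suffixes taken from the hops named in the article.
GOOGLE_SUFFIXES = ("google.com", "google.com.ph")

def is_google(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def embedded_url(url):
    """First query value that is itself an http(s) URL, whatever the parameter name."""
    for _, value in parse_qsl(urlsplit(url).query):
        if value.lower().startswith(("http://", "https://")):
            return value
    return None

def unwrap(url, max_depth=10):
    """Statically peel nested redirect targets (no network); return hosts in order."""
    hops = []
    while url and len(hops) < max_depth:
        hops.append(urlsplit(url).hostname or "")
        url = embedded_url(url)
    return hops

def assess(url, min_google_hops=2):
    """Flag links that stack several Google hops in front of a non-Google host."""
    hops = unwrap(url)
    final = hops[-1] if hops else ""
    google_hops = [h for h in hops[:-1] if is_google(h)]
    flagged = len(google_hops) >= min_google_hops and not is_google(final)
    return {"hops": hops, "final_host": final, "flagged": flagged}

def build_sample():
    """Constructed sample: wrapper paths and parameter names are assumptions."""
    wrappers = [
        "https://safelinks.protection.outlook.com/?url=",
        "https://meet.google.com/linkredirect?dest=",
        "https://www.google.com/url?q=",
        "https://adservice.google.com.ph/redirect?target=",
    ]
    url = "https://login.example.invalid/m365"  # placeholder destination
    for prefix in reversed(wrappers):
        url = prefix + quote(url, safe="")
    return url

if __name__ == "__main__":
    print(assess(build_sample()))
```

The check is deliberately parameter-name agnostic, so it keeps working if a redirector uses a different query key. A SafeLinks wrapper is unwrapped but not counted toward the threshold, since it is present on most links in Microsoft 365 tenants.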

Synthesized by Vypr AI