A sophisticated phishing campaign is exploiting Google Cloud Storage (GCS) to host malicious redirect links, which lets it bypass standard email security filters. Because the links sit on a legitimate Google-owned domain, the fraudulent emails appear trustworthy and reach unsuspecting victims without triggering immediate alarms. The campaign, first detected in early March 2026, has produced a significant volume of phishing emails that all direct recipients to the same destination, indicating a coordinated operation.
Security researchers have observed over 25 distinct phishing emails targeting a single user account, all leading to URLs hosted on storage.googleapis.com. The consistency of these destinations, despite the varied themes of the emails, points to a centrally controlled cloud infrastructure. A threat hunter and malware analyst identified the scope of this campaign by meticulously monitoring inboxes and analyzing SMTP headers. Investigations traced each phishing attempt back to a single GCS bucket named “whilewait,” which contained a file named comessuccess.html,
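
The pattern described above, differently themed emails whose links all resolve to one bucket on storage.googleapis.com, can be hunted for by grouping messages by GCS bucket name rather than by domain. The following Python is an added example, not code from the researchers; the message dictionaries, the `min_subjects` threshold and the bucket names in the sample data are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

GCS_HOST = "storage.googleapis.com"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def gcs_bucket_object(url):
    """Return (bucket, object) for a GCS URL, or None for any other host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = unquote(parts.path).lstrip("/")
    if host == GCS_HOST:                     # path style: host/bucket/object
        bucket, _, obj = path.partition("/")
    elif host.endswith("." + GCS_HOST):      # virtual-hosted style: bucket.host/object
        bucket, obj = host[: -len(GCS_HOST) - 1], path
    else:                                    # includes lookalike hosts
        return None
    return (bucket, obj) if bucket else None

def cluster_by_bucket(messages, min_subjects=3):
    """Map bucket -> sorted distinct subjects, keeping only buckets that are
    linked from at least min_subjects differently themed messages."""
    seen = defaultdict(set)
    for msg in messages:
        for url in URL_RE.findall(msg["body"]):
            hit = gcs_bucket_object(url)
            if hit:
                seen[hit[0]].add(msg["subject"].strip().lower())
    return {b: sorted(s) for b, s in seen.items() if len(s) >= min_subjects}

# Constructed sample messages; bucket names, objects and subjects are placeholders.
SAMPLE = [
    {"subject": "Your parcel is waiting",
     "body": "Track: https://storage.googleapis.com/example-bucket/landing.html#a1"},
    {"subject": "Cloud storage full",
     "body": '<a href="https://storage.googleapis.com/example-bucket/landing.html?x=2">Fix</a>'},
    {"subject": "Antivirus renewal",
     "body": "https://example-bucket.storage.googleapis.com/landing.html"},
    {"subject": "Team photos",
     "body": "https://storage.googleapis.com/other-bucket/pics.zip"},
    {"subject": "Invoice",
     "body": "https://storage.googleapis.com.lookalike.example/example-bucket/x.html"},
]

if __name__ == "__main__":
    for bucket, subjects in cluster_by_bucket(SAMPLE).items():
        print(bucket, len(subjects), subjects)
```

Keying on the bucket rather than the hostname matters here because the hostname is shared by every GCS customer and cannot be blocked or scored on its own.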

