Beyond the Classroom: Phishing Campaign Exploits Google for Global Attack
An attack on Google Classroom has escalated into one of the largest phishing campaigns in recent months. According to Check Point, between August 6 and 12, attackers launched five coordinated waves of distribution, sending more than 115,000 emails to over 13,500 organizations worldwide. The targets included entities in education, healthcare, finance, and industry, with particular impact across Europe, North America, the Middle East, and Asia.
The distinctive element of this scheme lay in the exploitation of trust in Google Classroom’s infrastructure. The emails appeared as invitations to join virtual classes and formally originated from genuine Google domains, so they passed SPF, DKIM, and DMARC checks and slipped through many corporate email security gateways. As a result, the campaign remained undetected for a prolonged period.
Instead of educational content, the messages contained unrelated offers—ranging from product reselling and website promotion to dubious investment schemes. Each included an invitation to continue communication via WhatsApp, diverting victims into an unmonitored channel and depriving organizations of the ability to track fraudulent activity.
From a technical perspective, the operation relied on the automated generation of invitations, likely executed through compromised accounts or API calls. This enabled attackers to scale their campaign rapidly without triggering an immediate response from Google’s systems. Notably, the emails contained no malicious code or attachments—the entire effort hinged on social engineering and psychological manipulation.
Organizations discovered that their established trust models with major providers worked against them. Traffic from Google is often whitelisted by default in monitoring systems, creating a significant blind spot in defenses. The attackers further staggered their email waves to mimic natural activity peaks, thereby avoiding spam detection thresholds.
Check Point warns that the attack could have broader implications for the Google Workspace ecosystem, given Classroom’s integration with other services. Successful deception of users could open pathways into corporate networks and facilitate further intrusions. Researchers also note connections between such campaigns and affiliated fraud networks linked to business email compromise (BEC).
As protective measures, companies are urged to enforce multi-factor authentication for Google services, implement additional layers of validation for invitations, and train staff to recognize suspicious messages. The absence of malicious code, researchers emphasize, does not lessen the campaign’s danger, as its potency stemmed from psychological manipulation and the abuse of a trusted platform as a Trojan horse.
At the time of Check Point’s report, residual waves of phishing activity were still being observed. Organizations are therefore advised to review their email logs for signs of compromise, including suspicious WhatsApp numbers and unusual Google Classroom invitations. This campaign vividly demonstrates how swiftly adversaries adapt and weaponize legitimate services for attacks on a global scale.
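The log review recommended above can be sketched as a small triage script; this is an added example, not code from Check Point or Google, and it flags mail that authenticates as Google Classroom yet carries a WhatsApp contact. The sender domain `classroom.google.com`, the function names, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: Classroom notifications arrive from this domain; confirm against your own logs.
CLASSROOM_DOMAIN = "classroom.google.com"
WA_LINK = re.compile(r"(?:wa\.me/|api\.whatsapp\.com/send\?phone=)\+?(\d{7,15})", re.I)
WA_TEXT = re.compile(r"whats\s?app\D{0,40}?(\+?\d[\d\s().-]{6,18}\d)", re.I)

def body_text(msg):
    """Join every text/* part (plain or HTML) into one searchable string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Return a finding for Classroom mail carrying a WhatsApp contact, else None."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + CLASSROOM_DOMAIN):
        return None
    text = body_text(msg)
    hits = WA_LINK.findall(text) + WA_TEXT.findall(text)
    numbers = sorted({re.sub(r"\D", "", h) for h in hits})
    if not numbers:
        return None
    auth = msg.get("Authentication-Results", "").lower()
    # dmarc=pass is expected for these messages, so it is recorded, not used to clear them.
    return {"sender": sender, "subject": msg.get("Subject", ""),
            "dmarc_pass": "dmarc=pass" in auth, "whatsapp_numbers": numbers}

# Constructed sample messages (fictional 555 numbers, example.org recipient).
HDR = ("From: {f}\nTo: staff@example.org\nSubject: {s}\n"
       "Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass\n\n{b}\n")
CLS = "Class invite <no-reply@classroom.google.com>"
SAMPLES = [
    HDR.format(f=CLS, s="Class invitation: SEO offers", b="Message us on WhatsApp: +1 (555) 010-0199"),
    HDR.format(f=CLS, s="Class invitation: Investing", b="Details here: https://wa.me/15550100123"),
    HDR.format(f=CLS, s="Class invitation: Biology 101", b="Your teacher invited you to join."),
    HDR.format(f="Vendor <sales@example.com>", s="Hello", b="WhatsApp us at +1 555 010 0144"),
]

if __name__ == "__main__":
    for finding in filter(None, map(triage, SAMPLES)):
        print(finding)
```

Extracted numbers that recur across many recipients or subjects are the useful pivot, since the sender and authentication results look identical for legitimate and abusive invitations.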