A recent investigation by Check Point Research shows how attackers are increasingly relying on legitimate cloud services to circumvent existing security barriers. The criminals' target this time was Google Classroom - a service that is actually used for digital collaboration between teachers and students and is used by millions of people worldwide.

Between August 6 and 12, 2025, a total of around 115,000 phishing emails were sent in five coordinated waves of attacks. More than 13,500 organizations from Europe, North America, the Middle East and Asia were affected. The emails imitated invitations to digital classrooms, but contained content that had nothing to do with education. Instead, recipients were lured with offers such as product reselling or SEO services. All messages led to a WhatsApp contact number - a common means of diverting communication away from companies' secure email systems.

Example of a phishing email offering a consulting service for SEO optimization. © Check Point Software Technologies Ltd.

According to the security researchers, the attackers specifically exploited the fact that many email security solutions classify messages from Google services as trustworthy by default. This allowed the fraudulent invitations to bypass numerous defense mechanisms. "Attackers continue to find creative ways to exploit legitimate services like Google Classroom to gain trust, bypass defenses and reach targets on a large scale. With over 115,000 emails in just one week, this campaign shows how easily cybercriminals can abuse digital platforms to commit fraud," said Check Point experts.

Although a significant proportion of the messages successfully bypassed firewalls and gateways, most attempts were blocked by additional security layers, according to Check Point. Among other things, the company's own SmartPhish detection technology was used, which not only analyzes sender addresses, but also the context and intentions of the message.

The researchers emphasize that traditional email gateways are increasingly reaching their limits. As attackers use services such as Google, Microsoft 365 or Dropbox, they can create the appearance of legitimate communication and thus gain access to protected mailboxes. In addition to technical protection mechanisms, employee training is therefore also crucial.

Several measures are recommended:

• Raising awareness: Employees should always check unexpected invitations and links critically, even if they come from known platforms.
• Enhanced protection: AI-supported security solutions that analyze context and content increase the chances of detecting attacks at an early stage.
• Cross-platform monitoring: Companies should include not only email traffic, but also collaboration and messaging tools in their defense strategies.
• Awareness of social engineering: Criminals are increasingly turning to channels such as WhatsApp to circumvent company guidelines.

The scale of the campaign shows just how quickly cyber criminals are able to repurpose legitimate platforms and exploit trust in digital services. According to the researchers, organizations from various sectors were affected, from educational institutions to industrial companies and service providers.