The Integrity360 Security Operations Center (SOC) has recently identified and analyzed an advanced phishing campaign leveraging legitimate Google redirect URLs, specifically domains such as share.google, to conceal the final destination of malicious links and significantly increase the likelihood of user interaction.
This activity aligns with a broader, well-documented global trend observed by multiple cybersecurity research organizations and threat intelligence vendors, highlighting the growing abuse of Google redirect mechanisms as an evasion and social engineering technique. The findings from the Integrity360 SOC are fully consistent with publicly reported research and confirm that these campaigns have remained active and evolving from late 2025 through early 2026.
Initial Observations by the Integrity360 SOC
During routine monitoring and incident response activities, the Integrity360 SOC detected an increase in phishing emails flagged by Microsoft Defender containing URLs with the following characteristics:
- URLs beginning with https://share.google/
- URL paths composed of seemingly random alphanumeric strings
- No obvious malicious indicators in the initial portion of the URL
- Redirection to external, non-Google domains
A representative example observed was:
https://share.google/WZVPCOYZZLbKAmFeF
At first glance, such links appear legitimate to end users due to the inherent trust associated with the Google brand. However, dynamic analysis confirmed that these URLs function as redirectors, forwarding users to external and potentially malicious destinations.
Redirect Behavior and Evasion Techniques
Sandbox analysis conducted by the Integrity360 SOC revealed that the final redirect destination is not static. It varies with attributes of the requesting client, including the User-Agent string, the browsing context, and other environmental characteristics that distinguish an automated scanner from a real browser session. In some cases, sandbox environments were redirected to benign or random websites, while real users were directed to active phishing pages. A single automated fetch of a link can therefore return a harmless final URL and still miss the phishing page a user would reach.
This behavior is consistent with advanced sandbox evasion techniques designed to bypass automated detection, URL reputation systems, and secure email gateway link analysis.
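The following is an added example written for this write-up, not Integrity360 SOC tooling. It follows a share.google link hop by hop under two client profiles and flags the two behaviours described above: a Google-owned host handing off to a non-Google host, and cloaking, where the final destination differs by client. The redirect table and the phishing host name are constructed for the demo; a live resolver would send each profile's User-Agent, issue requests with redirects disabled and read the Location header at every hop.

```python
"""Redirect-chain analysis for share.google links (constructed demo data)."""
import re
from urllib.parse import urlparse

# Constructed stand-in for live HTTP responses:
# (url, client profile) -> Location header, or None when the server answers 200.
FAKE_REDIRECTS = {
    ("https://share.google/WZVPCOYZZLbKAmFeF", "browser"):
        "https://invoice-portal-login.test/",          # hypothetical phishing host
    ("https://share.google/WZVPCOYZZLbKAmFeF", "sandbox"):
        "https://www.wikipedia.org/",                   # benign decoy shown to scanners
    ("https://share.google/benignEXAMPLE", "browser"):
        "https://maps.google.com/?q=office",
    ("https://share.google/benignEXAMPLE", "sandbox"):
        "https://maps.google.com/?q=office",
}

# Profiles to resolve with; a live resolver sends these as the User-Agent header.
USER_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "sandbox": "Mozilla/5.0 (compatible; URLScanner/1.0)",
}

SHARE_GOOGLE_RE = re.compile(r"^https://share\.google/[A-Za-z0-9]+$")


def looks_like_share_google(url: str) -> bool:
    """True for the observed pattern: share.google plus an opaque alphanumeric path."""
    return bool(SHARE_GOOGLE_RE.match(url))


def is_google_host(host: str) -> bool:
    """Hosts an enterprise gateway typically treats as trusted Google infrastructure."""
    host = (host or "").lower()
    return host == "google.com" or host.endswith(".google.com") or host.endswith(".google")


def fake_fetch(url: str, profile: str):
    """Location header the constructed server would send to this client profile."""
    return FAKE_REDIRECTS.get((url, profile))


def follow_chain(url: str, profile: str, fetch=fake_fetch, max_hops: int = 10) -> list:
    """Follow redirects until a final page or the hop limit; returns every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1], profile)
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def analyse(url: str, fetch=fake_fetch) -> dict:
    """Resolve under every profile; return findings and an allow/block verdict."""
    findings, finals = [], {}
    for profile in USER_AGENTS:
        chain = follow_chain(url, profile, fetch)
        finals[profile] = chain[-1]
        hosts = [urlparse(u).hostname for u in chain]
        for src, dst in zip(hosts, hosts[1:]):
            if is_google_host(src) and not is_google_host(dst):
                findings.append(f"{profile}: trusted host {src} redirected to untrusted host {dst}")
    # Different endings for different clients is the sandbox-evasion signature.
    if len(set(finals.values())) > 1:
        findings.append(f"cloaking: final destination differs by client profile {finals}")
    return {"final": finals, "findings": findings, "verdict": "block" if findings else "allow"}


if __name__ == "__main__":
    for link in ("https://share.google/WZVPCOYZZLbKAmFeF", "https://share.google/benignEXAMPLE"):
        print(link, looks_like_share_google(link), analyse(link))
```

The verdict is taken from the worst case across profiles, so a link that shows scanners a decoy but sends the browser profile off Google infrastructure is still blocked; a link that stays on Google-owned hosts under every profile is allowed.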
Self-Spoofed Emails and Abuse of Google Infrastructure
Another notable characteristic identified during the investigation was the apparent sender of the phishing emails. In multiple cases, the emails appeared to originate from the recipient’s own personal Gmail account and were delivered to their corporate email address.
This technique, commonly referred to as self-spoofing or replay phishing, exploits user trust and familiarity: a message that appears to come from one's own personal address is far less likely to be questioned. Because the sender address is on gmail.com rather than the organisation's own domain, the organisation's DMARC policy has no bearing on it; whether the message is delivered depends on how the receiving gateway evaluates the authentication results for the gmail.com sender. Messages sent through, or crafted to look as though they came through, legitimate Google infrastructure may therefore pass basic trust checks such as sender allow-lists.
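As an added example (not Integrity360 SOC code), the triage below applies the self-spoof observation to a raw message: it flags a From address whose local part matches the recipient's but sits on a webmail domain, reads the gateway's Authentication-Results, and extracts share.google links from the body. The message is constructed; the Authentication-Results header follows the RFC 8601 layout but its values are invented for the demo, and corp.example is a placeholder domain.

```python
"""Triage for self-spoofed Gmail messages carrying share.google links."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message; authentication results are made up for the demo.
SAMPLE = """\
From: Jane Doe <jane.doe@gmail.com>
To: jane.doe@corp.example
Subject: Document shared with you
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=gmail.com; dkim=none; dmarc=fail header.from=gmail.com
Content-Type: text/plain; charset=utf-8

Jane Doe shared a file with you: https://share.google/WZVPCOYZZLbKAmFeF
"""

WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
SHARE_RE = re.compile(r"https://share\.google/[A-Za-z0-9]+")


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc results; the topmost header (our own gateway's) wins."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(hdr)):
            results.setdefault(method.lower(), result.lower())
    return results


def is_self_spoof(msg) -> bool:
    """Heuristic: same local part as the recipient, on a webmail domain, not the corporate one."""
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    s_local, _, s_dom = sender.lower().rpartition("@")
    r_local, _, r_dom = recipient.lower().rpartition("@")
    return bool(s_local) and s_local == r_local and s_dom != r_dom and s_dom in WEBMAIL_DOMAINS


def triage(raw: str) -> dict:
    """Return a verdict (deliver/review/quarantine) with the findings behind it."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    auth = auth_results(msg)
    links = SHARE_RE.findall(body)
    self_spoof = is_self_spoof(msg)
    findings = []
    if self_spoof:
        findings.append("sender is the recipient's own webmail address")
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    if failed:
        findings.append("authentication failed: " + ", ".join(failed))
    if links:
        findings.append("share.google redirector link present")
    if self_spoof and (failed or links):
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings, "links": links, "auth": auth}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Quarantine is reserved for the combination the SOC observed (self-addressed webmail sender plus a failed check or a redirector link); a lone authentication failure or a lone share.google link is routed to review so that legitimate Gmail-to-work forwarding is not silently dropped.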
Alignment with Publicly Documented Campaigns
The techniques observed by the Integrity360 SOC closely mirror those documented by multiple cybersecurity researchers and vendors. Public research has consistently shown that attackers abuse various Google redirect mechanisms, including share.google, google.com/url, google.sm, Google AMP, Google Translate, and Google Maps, to obscure malicious destinations and bypass security controls.
Attackers frequently rotate domains, paths, and parameters to evade static detection rules, relying on the high reputation of Google-owned domains that are often implicitly trusted or allow-listed within enterprise environments.
Business Impact
These phishing techniques present a significant risk to organizations for several reasons:
- Trusted Google domains reduce user skepticism
- Static URL filtering becomes ineffective
- Sandbox environments may fail to observe the true malicious behavior
- Self-spoofed emails drastically lower user vigilance
Organizations relying primarily on domain reputation or static link inspection are particularly vulnerable to these campaigns.
Security Recommendations
Based on the findings, the Integrity360 SOC recommends a layered defense approach. Email authentication controls should include strict DMARC enforcement set to quarantine or reject, tight SPF alignment, and mandatory DKIM signing for outbound email to reduce the effectiveness of spoofing and replay attacks. Note that an organisation's own DMARC policy protects only its own domains: it does not stop a message that forges the recipient's personal gmail.com address. Inbound gateways must therefore also enforce the sender domain's published policy, honor SPF and DKIM failures recorded in Authentication-Results, and never exempt mail from external webmail domains from filtering simply because the address matches the recipient's own.
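As an added example (not from the page or from Integrity360), the checker below parses a DMARC TXT record and reports every gap between it and the recommendation above: an enforcing policy, strict DKIM and SPF alignment, full coverage of subdomains and of failing mail, and an aggregate-report address. Both records are constructed and corp.example is a placeholder; treating relaxed alignment as a finding is an assumption made to match the "tight alignment" recommendation, and strict alignment can break legitimate mail sent from subdomains or third-party senders, so roll it out with aggregate reports in hand.

```python
"""Assess a DMARC record against an enforce-and-align baseline (constructed data)."""

# Monitoring-only record: failures are reported but the mail is still delivered.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"

# Enforcing record with strict alignment applied to the whole domain tree.
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@corp.example")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, ignoring empty segments."""
    tags = {}
    for segment in record.split(";"):
        if "=" in segment:
            key, value = segment.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return the weaknesses an auditor should flag; an empty list means compliant."""
    t = parse_dmarc(record)
    issues = []
    if t.get("v") != "DMARC1":
        issues.append("record does not start with v=DMARC1")
    pol = t.get("p", "(absent)")
    if pol not in ("quarantine", "reject"):
        issues.append(f"p={pol}: failures are only reported, never quarantined or rejected")
    if t.get("sp", pol) not in ("quarantine", "reject"):  # sp defaults to p
        issues.append("sp: subdomain policy is not enforced")
    if t.get("adkim", "r") != "s":  # alignment modes default to relaxed
        issues.append("adkim=r: DKIM d= may be any subdomain; set adkim=s for strict alignment")
    if t.get("aspf", "r") != "s":
        issues.append("aspf=r: SPF domain may be any subdomain; set aspf=s for strict alignment")
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only part of the failing mail")
    if "rua" not in t:
        issues.append("no rua= address: aggregate reports will not be received")
    return issues


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, assess_dmarc(rec) or ["ok"])
```

To check a live domain, fetch the record with `dig TXT _dmarc.corp.example +short` and pass the returned string to `assess_dmarc`.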
Web security controls should be configured to analyze redirect chains and block scenarios where trusted domains redirect to untrusted destinations. Link analysis should resolve the full chain at time of click as well as at delivery, since destinations can be rotated after a message has been scanned, and should base its verdict on the final destination rather than on the initial domain. Security teams should avoid relying solely on the initial domain when assessing link safety.
User awareness remains critical. Users should be educated that Google-branded links are not inherently safe, emails appearing to come from themselves should be treated with caution, and redirect links may conceal phishing pages.
Conclusion
The Integrity360 SOC analysis confirms that Google redirect abuse represents one of the most effective and persistent phishing techniques currently in use. By combining trusted infrastructure, dynamic redirection, and sophisticated social engineering, attackers are able to bypass both technical controls and human defenses.
This threat landscape reinforces the need for multi-layered security controls, behavioral analysis, continuous user education, and up-to-date threat intelligence. The Integrity360 SOC continues to actively monitor these campaigns and support customers in identifying, mitigating, and responding to this evolving threat.
