I’ve been analyzing a phishing campaign that abuses Google Cloud Storage (storage.googleapis.com) as a redirect layer to send victims to multiple scam pages hosted mostly on .autos domains.

The phishing themes include fake Walmart surveys, Dell giveaways, Netflix rewards, antivirus renewal alerts, storage full warnings, and fake job lures.

I have documented a campaign consisting of more 25 distinct phishing variants that all converge on a single Google Cloud Storage (GCS) infrastructure point.

Core Infrastructure:

1. Primary Host: storage/.googleapis/.com
2. Bucket/Object: /whilewait/comessuccess.html

Analysis Highlights:

Evasion Strategy: The campaign utilizes the inherent trust of the googleapis/.com domain to bypass SPF/DKIM-based reputation filters and secure email gateways (SEGs).

Lure Variance: Social engineering hooks include Scareware (Storage Full/Threat Detected), Retail Rewards (Lowe's/T-Mobile), and Lifestyle/Medical lures.

Redirect Logic: The comessuccess.html file serves as a centralized gatekeeper, redirecting traffic to secondary domains designed for Credit Card (CC) harvesting via fraudulent subscriptions.