115,000 e-mails

Google Classroom: Phishing campaign reaches 13,500 organizations


Security researchers from Check Point have discovered an active phishing campaign that uses Google Classroom as a gateway. Within a week, the attackers sent over 115,000 fraudulent emails.

Cyber criminals are abusing the Google Classroom education platform for large-scale phishing attacks. This was reported by Check Point Software Technologies in a recent analysis. The campaign, documented between 6 and 12 August 2025, comprised five coordinated waves of attacks with a total of more than 115,000 fraudulent emails sent to 13,500 organizations worldwide.


Attack mechanism exploits Google trust

The attackers use the legitimate invitation function of Google Classroom to send fake course invitations. Instead of educational content, these contain commercial offers – from product sales to SEO services. The fraudsters use a WhatsApp number as the contact method.

The trick works because email security systems often classify messages from Google services as trustworthy and therefore filter them less strictly. Sending through Google's infrastructure enables attackers to bypass conventional spam filters.

Five waves of attacks within a week

Check Point’s Threat Intelligence documented the following campaign structure:

  • Period: August 6 to 12, 2025
  • Waves of attack: Five coordinated broadcasts
  • Volume: 115,000 phishing e-mails
  • Targets: 13,500 organizations worldwide
  • Regions: Europe, North America, Middle East, Asia
  • Bait: Fake classroom invitations with promotional offers

Recommended protective measures

To defend against similar attacks, the security experts recommend a combination of technical and organizational measures. On a technical level, organizations should implement advanced email security solutions with AI-based content analysis that go beyond pure sender reputation. In addition, cloud app security for SaaS platforms such as Google Workspace is required to monitor legitimate services for misuse. The monitoring of collaboration tools should be extended beyond traditional email traffic.

From an organizational perspective, security awareness training is crucial to sensitize employees to unexpected service invitations. Companies should develop clear guidelines for off-channel communication via services such as WhatsApp or Telegram and establish incident response procedures specifically for cloud-based attacks.
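The following sketch shows what content analysis beyond sender reputation can look like for this campaign's pattern: a Classroom invitation that carries a commercial offer and a WhatsApp contact. It is an added example, not Check Point's or Google's code; the sender domain, the term list, the two-signal threshold and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domain of Classroom notifications; confirm against your own mail logs.
CLASSROOM_DOMAIN = "classroom.google.com"
WHATSAPP_RE = re.compile(r"whats\s*app|wa\.me/|api\.whatsapp\.com", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
# Constructed lure terms, modelled on the offers the article names (product sales, SEO services).
LURE_RE = re.compile(r"\b(seo|backlinks?|discount|price list|special offer|buy now)\b", re.I)

def body_text(msg):
    """Join the decoded text/* parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw_message):
    """Content checks for mail that sender reputation alone would let through."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != CLASSROOM_DOMAIN:
        return {"in_scope": False, "reasons": [], "quarantine": False}
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    reasons = [name for name, rx in (("whatsapp_contact", WHATSAPP_RE),
                                     ("phone_number", PHONE_RE),
                                     ("commercial_offer", LURE_RE)) if rx.search(text)]
    # One signal can be innocent (a teacher's phone number); two or more is the campaign's pattern.
    return {"in_scope": True, "reasons": reasons, "quarantine": len(reasons) >= 2}

# Constructed sample messages (not taken from the campaign).
LURE = ("From: Classroom <no-reply@classroom.google.com>\nSubject: Class invitation\n\n"
        "You are invited to join a class. Special offer on SEO services.\n"
        "Contact us on WhatsApp: +00 000 555 0100\n")
BENIGN = ("From: Classroom <no-reply@classroom.google.com>\nSubject: Class invitation\n\n"
          "Ms. Rivera invited you to join Biology 101. Open Classroom to accept.\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, assess(raw))
```

In a mail pipeline, a check like this would run only on messages whose Google origin has already been confirmed by the gateway's SPF/DKIM results, since the `From` header on its own can be forged.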

Assessment of the security experts

“The campaign demonstrates how attackers systematically exploit trust in established cloud services,” explains David Meister, Global Head of MSSP at Check Point Software Technologies. “Organizations must align their security architecture with such trust-based attack vectors.”

Google Classroom as a target

According to the company, Google Classroom has over 150 million active users worldwide. The platform, which grew significantly during the coronavirus pandemic, is mainly used in the education sector, but companies also use it for internal training.

The high level of user acceptance and trust in the Google brand make the service an attractive target for social engineering. Check Point warns of a possible expansion of the attack methodology to other Google services.

(lb/Check Point)
