Earlier this year, Kaspersky reported a phishing technique that reflects a familiar pattern in modern cyberattacks: abusing trusted platforms to bypass traditional security controls. In this case, attackers are leveraging Google Tasks notifications to deliver malicious links, effectively disguising phishing attempts as legitimate workplace activity.
The method itself is deceptively simple, but highly effective. Victims receive what appears to be a genuine notification from an @google.com address, informing them that “you have a new task.” Because the message originates from a trusted source, it immediately lowers suspicion. The attackers rely on this implicit trust, creating the impression that the organisation has adopted Google’s task management tool and that the recipient is required to act.
The task typically carries a sense of urgency: it is marked as high priority and given a tight deadline, leaving little room for critical thinking. Once the user clicks the embedded link, they are redirected to a fraudulent page designed to resemble a legitimate corporate form. Here, they are prompted to enter their credentials under the pretext of “employee verification.” In reality, this is the core objective of the attack: harvesting corporate login details.
What makes this campaign particularly notable is the strategic abuse of trusted infrastructure. As observed in similar attacks involving platforms like Microsoft SharePoint and other third-party services, threat actors consistently exploit reputable systems as intermediaries to evade detection.
From a defensive standpoint, the issue extends beyond a single service or phishing variant. It highlights a deeper organisational challenge: the need for a well-defined and consistently enforced cybersecurity culture. Employees must clearly understand which tools are officially sanctioned and how legitimate communications are delivered. Without this clarity, even well-trained staff can be caught off guard.
One practical approach is maintaining a centrally accessible register of approved corporate tools, including ownership and usage context. This creates a simple but effective verification mechanism for employees when they encounter unexpected requests. Alongside this, organisations must reinforce a fundamental rule that corporate credentials should only ever be entered into verified internal systems, never through unsolicited links or external forms.
Training also plays a critical role. Continuous awareness programmes help employees recognise common phishing indicators, such as urgency cues, unfamiliar workflows, or unexpected credential requests.
Finally, technical controls remain essential. Reducing exposure through secure email gateways, combined with endpoint protection on all web-connected devices, provides a necessary safety net. Even when human judgement is bypassed, these controls can block access to malicious sites and prevent credential compromise.
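As an added illustration (not code from Kaspersky's report or from this article) of how the approved-tool register described above can back a gateway triage rule: the register, the tool fingerprints, the pressure cues and the sample notification are all constructed for a hypothetical organisation, and the link host is a placeholder domain.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed register of sanctioned tools (hypothetical organisation): tool name -> link hosts
# that a genuine notification from it may point to. Google Tasks is deliberately absent.
APPROVED_TOOLS = {
    "Google Workspace Mail": {"mail.google.com"},
    "Microsoft 365": {"login.microsoftonline.com", "office.com"},
}

# Phrases that identify which tool a notification claims to come from (hypothetical fingerprints).
TOOL_FINGERPRINTS = {
    "Google Tasks": ("you have a new task",),
}

PRESSURE_CUES = ("high priority", "due today", "employee verification", "verify your account")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_is_approved(host):
    """True if host is (a subdomain of) a host listed for any sanctioned tool."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for hs in APPROVED_TOOLS.values() for d in hs)


def triage_notification(raw_message):
    """Return findings for an RFC 822 message string; an empty list means no rule fired."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    # Rule 1: the notification claims to come from a tool the register does not sanction.
    for tool, phrases in TOOL_FINGERPRINTS.items():
        if any(p in text for p in phrases) and tool not in APPROVED_TOOLS:
            findings.append(f"notification for unsanctioned tool: {tool}")
    # Rule 2: two or more urgency / credential-request cues in one message.
    cues = [c for c in PRESSURE_CUES if c in text]
    if len(cues) >= 2:
        findings.append("pressure cues: " + ", ".join(cues))
    # Rule 3: any embedded link that leaves the sanctioned hosts.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_is_approved(host):
            findings.append(f"link to unsanctioned host: {host}")
    return findings


# Constructed sample resembling the notification described above (not a real message).
SAMPLE = """From: Google Tasks <tasks-noreply@google.com>
Subject: You have a new task: Employee verification (high priority)

Priority: high. Due today. Complete the employee verification form:
https://hr-verification.example/form
"""
```

Calling triage_notification(SAMPLE) fires all three rules; in a real gateway the parsed headers and extracted links would be fed in instead of a raw string.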
At its core, this campaign reinforces a simple point: attackers no longer need to break systems; they simply borrow trust.
