A new report from Check Point has uncovered a major social engineering campaign in which hackers are leveraging Google Classroom to execute phishing attacks against students, educators, and a broad array of organizations worldwide. The campaign consisted of five coordinated attack waves, involving over 115,000 phishing emails sent to more than 13,500 different organizations. These emails often contained fake invitations advertising “commercial offers” such as SEO services or product pitches, in an attempt to lure recipients into engaging with malicious content.
What sets this campaign apart is the use of Google Classroom’s legitimate infrastructure to distribute phishing material. Because the attack relies on a trusted cloud-based educational platform, it is able to bypass traditional security software and email gateway filters more effectively than conventional phishing attempts. The tactic significantly increases the likelihood of the malicious emails reaching their intended targets without being flagged as suspicious.
Check Point researchers observed that the attackers employed multiple strategies to further disguise their campaign, including mimicking official Google communications and exploiting the trust users place in Google’s services. The incident highlights a broader trend in which cybercriminals adopt legitimate platforms to distribute phishing emails and social engineering content, making detection and prevention considerably more challenging.
To protect against such sophisticated attacks, Check Point recommends several key security measures. Organizations should implement multi-layered defenses, including ongoing user training and awareness programs to help staff and students identify phishing attempts. The use of AI-powered detection tools to analyze email and application content is also advised, extending security beyond conventional email and messaging protection. Continuous monitoring of cloud applications is critical due to the increasing exploitation of SaaS and legitimate cloud services by threat actors.
The attacks serve as a reminder that even platforms built for education and productivity can be repurposed by cybercriminals to distribute social engineering campaigns or malware. Preventive measures and vigilance remain essential to prevent human error—the usual entry point for phishing attacks—from resulting in broader organizational compromise.
