When Google Is the Phishing Infrastructure: Authenticated Credential Harvesting via Search Console
ID: 0295b604-25a2-59aa-9dbb-b61156a06906
STIX ID: report--0295b604-25a2-59aa-9dbb-b61156a06906
Feed Name: IRONSCALES
A phishing campaign leveraged Google’s own authenticated email pipeline and Search Console sign-in flows to harvest credentials: messages from [email protected] (sent via scoutcamp.bounces.google.com and Google IP 2607:f8b0:4864:20::f47) passed SPF/DKIM/DMARC and contained only links to Google domains (accounts.google.com, search.google.com, c.gle), evading gateway checks. Community intelligence and behavioral pattern matching flagged the campaign despite infrastructure-level legitimacy; the report lists specific indicators and recommends auditing Search Console access, treating unsolicited sign-in prompts as high risk, and using behavioral/community-based detection.
