Three Google Domains, One Redirect Chain, and a Turkish Landing Page

ID: f6d6b718-3c5d-50b3-a955-67dd8176f7eb

STIX ID: report--f6d6b718-3c5d-50b3-a955-67dd8176f7eb

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-05-30

Date Updated: 2026-05-30

Author: Audian Paxson

A high-severity phishing sample, delivered via Amazon SES, injected a forged “Revise Now” CTA into a legitimate-looking forwarded thread from a UK financial firm. The CTA used a four-hop redirect chain that passed through three Google-owned redirect domains before resolving to an unrelated Turkish domain (mgokurumsal.com.tr). The report highlights template injection used to borrow credibility, how multi-hop trusted redirects evade link scanners, and full SES authentication despite first-time sender risk. It also provides IoCs (sending domain, redirect hops, final destination, invoice reference) and maps the attack to MITRE techniques for phishing, malicious links, and masquerading.