Google Workspace Phishing Attacks: A Defense Guide for IT Teams
Google Workspace is the second-most-deployed productivity suite in the enterprise after Microsoft 365 - and like M365, it sits at the center of corporate identity for the organizations that use it. A compromised Workspace credential opens Gmail, Drive, Calendar, Meet and often a path into Google Cloud Platform itself. Attackers follow identity blast radius; Workspace gives them plenty.
This post is the Workspace counterpart to our Microsoft 365 phishing defense guide. The attack patterns rhyme - fake sign-in clones, OAuth consent abuse, AiTM proxies, in-product share lures, voice-channel phishing - but the Google-specific implementation details matter. Defenders who treat M365 and Workspace defense as identical leave gaps.
The five Workspace-specific attack patterns
1. Cloned accounts.google.com sign-in
The classic. An email or Drive notification directs the user to a page styled to look like the standard Google sign-in. The user enters credentials. The page captures them and then either shows an error or forwards the user to the real Google sign-in. Defense: simulation training that includes Google-styled fake sign-in templates teaches employees to check the URL bar before entering credentials.
2. OAuth consent phishing (the Google-flavored version)
OAuth consent phishing is the most dangerous pattern because standard MFA does not stop it.
The attacker registers an OAuth client in their own Google Cloud Console project. They request scopes like gmail.readonly, drive.readonly, or worse - gmail.modify or drive.file. They send a target a link that triggers the Google consent screen for that app: "App XYZ is requesting access to your Gmail and Drive. Allow / Cancel."
The user clicks Allow because Google is brokering the prompt - it looks legitimate because it is. The user never enters a password. MFA never prompts. The attacker has long-lived refresh tokens.
Google has tightened this surface in recent years (unverified-app warning screens, mandatory verification for sensitive scopes, the "App access control" admin policy in Workspace), but consent phishing remains active because attackers ladder up through verified-app status or use small scope footprints to stay below verification triggers. Defense at the user level: training on what the consent screen actually means. Defense at the admin level: the Workspace admin "Access to less secure apps" + "App access control" + "Trust internal apps" policies, locked down.
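As an added example (not code from the original post), the kind of tenant-side audit a defender runs to catch the consent-phishing grants described above: it scores OAuth tokens by scope breadth and by whether Google could attribute the client to a verified developer. The record shape follows the Admin SDK Directory API tokens resource (`clientId`, `displayText`, `scopes`, `anonymous`); the two sample records are constructed, and the scope list chosen as "high risk" is an assumption you should tune to your tenant.

```python
# Flags OAuth grants that match the consent-phishing pattern: broad Gmail/Drive
# scopes granted to a third-party client, especially one Google could not
# attribute to a verified developer ("anonymous": true in the tokens resource).
# In a live tenant the records come from the Admin SDK Directory API, e.g.
# service.tokens().list(userKey=user).execute().get("items", []);
# the SAMPLE_TOKENS below are constructed, not real tenant data.
from typing import Dict, List

# Scope prefixes whose grant to an unknown app should page someone (assumption:
# adjust to your environment). Prefix match covers drive.readonly / drive.file too.
HIGH_RISK_SCOPES = (
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
)

def risk_of_token(token: Dict) -> List[str]:
    """Return the reasons a single grant is suspicious (empty list if none)."""
    reasons = []
    risky = [s for s in token.get("scopes", []) if s.startswith(HIGH_RISK_SCOPES)]
    if risky:
        reasons.append("broad scopes: " + ", ".join(risky))
    # An anonymous client ID means Google has no verified developer identity for it.
    if token.get("anonymous") and risky:
        reasons.append("unverified (anonymous) client holding mail/drive scopes")
    return reasons

def audit_tokens(user: str, tokens: List[Dict]) -> List[Dict]:
    """Return one finding per suspicious grant held by `user`."""
    findings = []
    for t in tokens:
        reasons = risk_of_token(t)
        if reasons:
            findings.append({"user": user, "clientId": t.get("clientId"),
                             "app": t.get("displayText"), "reasons": reasons})
    return findings

# Constructed sample: one benign grant and one that looks like a consent phish.
SAMPLE_TOKENS = [
    {"clientId": "1234.apps.googleusercontent.com", "displayText": "Calendar sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"], "anonymous": False},
    {"clientId": "9876.apps.googleusercontent.com", "displayText": "Doc Viewer Pro",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify",
                "https://www.googleapis.com/auth/drive.readonly"], "anonymous": True},
]

if __name__ == "__main__":
    for finding in audit_tokens("alice@example.com", SAMPLE_TOKENS):
        print(finding)
```

Run it across every user in the tenant and alert on new findings; a grant that appears between two runs is exactly the event the "App access control" policy is meant to prevent.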
3. AiTM (Adversary-in-the-Middle) reverse-proxy phishing
AiTM works against Google Workspace identically to its M365 counterpart. The attacker stands up a reverse-proxy site (Evilginx, Caffeine or similar) that sits between the user and accounts.google.com. The user enters credentials and completes Google's MFA on the proxy in real time; the proxy harvests the resulting session cookie. The attacker imports the cookie and is logged in as the user.
Standard MFA - push prompt, TOTP, SMS - does not stop AiTM. Phishing-resistant MFA does: Titan Security Keys, platform passkeys, FIDO2 hardware tokens. The cryptographic challenge is bound to accounts.google.com; a proxy on a different origin cannot complete it. The Workspace admin posture: roll out hardware keys for high-privilege accounts first (admins, finance, executives), expand from there.
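To make the origin-binding point concrete, here is an added example (not from the original post) of the relying-party check that defeats a proxy: the browser writes the origin it is really on into clientDataJSON, the authenticator signs over a hash of that JSON, and the verifier rejects any origin but its own. The client data below is constructed, the proxy origin is a placeholder, and the signature verification that follows these checks is omitted to keep the focus on the origin and challenge fields.

```python
# Why FIDO2 / passkeys resist AiTM. Constructed demonstration: the relying
# party (RP) only accepts assertions whose clientDataJSON names its own origin.
# A proxy serving a copy of the sign-in page on another origin receives an
# assertion bound to that other origin, which the RP refuses. The signature
# check over signed_payload() that follows in real WebAuthn is not shown here.
import base64
import hashlib
import json
import secrets

RP_ORIGIN = "https://accounts.google.com"   # the only origin the RP accepts

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> str:
    """RP-side checks on clientDataJSON; returns 'ok' or a rejection reason."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return "challenge mismatch (replayed or forged)"
    if data.get("origin") != RP_ORIGIN:
        return "origin mismatch: " + str(data.get("origin"))
    return "ok"

def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """What the authenticator signs: authData || SHA-256(clientDataJSON).
    The origin is inside the hashed JSON, so a proxy cannot rewrite it."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for what a browser at `origin` hands the authenticator."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)                     # RP-issued per login
    genuine = make_client_data(RP_ORIGIN, challenge)
    proxied = make_client_data("https://proxy.example", challenge)  # placeholder
    print(check_client_data(genuine, challenge))   # ok
    print(check_client_data(proxied, challenge))   # origin mismatch
```

The same relayed challenge yields "ok" only from the genuine origin; that single check is what push, TOTP and SMS codes lack.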
4. Drive share-link phishing
An attacker shares a malicious Google Doc or Sheet from a sock-puppet Workspace account or a free Gmail account directly into a target's inbox. The notification email is from noreply@google.com - because it is a real Google share notification - and the email gateway scores it as low-risk. The shared document body contains a link to an external phishing site disguised as a "click to view" or "request access" prompt.
Two things make this pattern dangerous. First, users have been trained to trust a google.com sender. Second, link-checking tools that scan email links don't follow into the document body. Defense: user training that includes "the lure can come from inside Google's own infrastructure," plus admin-side restriction on external-to-internal Drive sharing where business-justified.
5. Google Voice and Voice-formatted SMS phishing
Google Voice numbers are free, easy to obtain and rotate - making them an attractive smishing platform for attackers who want plausible-looking US-format numbers without traditional carrier KYC. SMS gateways score Voice numbers less aggressively than known-bad VoIP carriers, so smishing from Voice has higher inbox-arrival rates.
Voice-channel vishing also works against Workspace identity by impersonating "Google Security Team" or IT-helpdesk callbacks asking the user to confirm an MFA prompt. Defense: callback verification, code-words for inbound IT calls and voice-channel simulation training. See our deepfake vishing defense guide for the broader vishing program model.
Where MFA helps and where it does not
The same caveat applies to Workspace as to M365: standard MFA stops password-only credential theft from the classic clone-page pattern. Standard MFA does not stop consent phishing (no password is involved) or AiTM (the proxy completes MFA in real time). Phishing-resistant MFA - FIDO2, Titan keys, platform passkeys - defeats both.
Practical recommendation for Workspace: enroll high-privilege accounts in 2-step verification with hardware keys (the "Advanced Protection Program" for the most sensitive); enforce hardware keys for admin accounts at minimum; track the rollout in your phishing-program metrics.
Program design for Workspace-heavy organizations
- Template mix: Google-themed templates should be at least 25% of your campaigns if you are Workspace-only, or proportional to your user mix if you run both M365 and Workspace. Cover the five patterns (sign-in clone, consent prompt, AiTM, Drive share, Voice/SMS) - not just one.
- Multi-channel: include SMS phishing in your campaign rotation. Voice-channel simulation campaigns add another layer for the Workspace user base most exposed to Google Voice phishing.
- Auto-assigned remediation: the training module that fires when a user clicks should be specific to the attack category. A user who fell for a consent phish needs to learn what OAuth scopes mean; a user who fell for an AiTM lure needs to learn URL-bar checking. Behavior-triggered just-in-time learning is what makes this scale.
- Reporting that names the categories: the executive packet should track click rate per Workspace-attack-category. Boards and cyber insurers will increasingly ask: "do your users still fall for Google consent phish?"
For cyber insurance and compliance buyers
Cyber insurance carriers in 2026 ask about phishing simulation programs in renewal applications, and increasingly ask whether the program reflects the organization's actual identity stack. If you are Workspace-only and your program runs only Microsoft-themed templates, that mismatch is now a finding. The cyber insurer renewal walkthrough details the question set; the short version is that program-substance-matches-environment is increasingly a premium-adjustment factor.
SOC 2 and HIPAA auditors are starting to read program evidence the same way - security awareness should reflect where users actually live.
Where Bait & Phish fits
Bait & Phish ships with cloned Google sign-in templates, Gmail- and Drive-styled lures and Workspace-themed phishing templates across the easy / regular / hard difficulty tiers. Multi-channel coverage means you can run Workspace-themed campaigns on email, SMS and voice in the same program. Auto-assigned training fires the moment a user clicks. Start a free trial up to 25 users and run a Workspace-themed campaign in your environment, or contact us if you want to walk through the Workspace-specific template set.
This post is informational. Specific Workspace admin-policy decisions (App access control, Advanced Protection Program enrollment, Drive sharing restrictions) are organization-specific - consult your identity team or Google Workspace partner for tailored guidance.
See also: Phishing Trends 2026 - annual roundup covering AiTM commoditization, AI-generated lure quality, collaboration-tool phishing, ransomware dwell-time compression and other patterns that defined the year.