Phishing in the Classroom! 115,000 emails targeted 13,500 organizations with Google Classroom.

Check Point researchers have discovered a large-scale active phishing campaign exploiting Google Classroom, a platform trusted by millions of students and educators worldwide.

Over the course of a single week, attackers launched five coordinated waves, distributing more than 115,000 phishing emails targeting 13,500 organizations across various industries. Organizations in Europe, North America, the Middle East, and Asia were targeted.

A trusted tool transformed into a threat vector

Google Classroom is designed to connect teachers and students through invitations to join virtual classes. Attackers exploited this trust by sending fake invitations containing unrelated commercial offers, ranging from product resale to SEO services.

Each email directed recipients to contact scammers via a WhatsApp phone number, a tactic often linked to fraud schemes.

The scam works because Security systems tend to trust messages from legitimate Google services. By exploiting Google Classroom’s infrastructure, attackers were able to bypass some traditional security layers, attempting to reach the email inboxes of over 13,500 companies before defenses were activated.

Anatomy of the Campaign

• Scale: 115,000 phishing emails sent between August 6 and 12, 2025.
• Targets: 13,500 organizations worldwide, across a variety of industries.
• Decoy: Fake Google Classroom invitations containing offers unrelated to education.
• Call to action: A WhatsApp phone number, designed to move the conversation away from email and corporate tracking.
• Delivery method: Five main waves, each of which exploited the legitimacy of Google Classroom to evade filters.

How Check Point Blocked the Attack

Despite the attackers’ sophisticated use of trusted infrastructure, Check Point Harmony Email & Collaboration‘s SmartPhish technology automatically detected and blocked most phishing attempts. Additional layers of security prevented the remaining messages from reaching end users.

This incident underscores the importance of layered defenses. Attackers are increasingly using legitimate cloud services, making traditional email gateways insufficient to block ever-evolving phishing tactics.

What organizations should do

• Educate: Train users, students, and employees to treat unexpected invitations (even those from familiar platforms) with caution.
• Advanced phishing prevention Threats: Use AI-powered detection that analyzes context and intent, not just sender reputation.
• Monitor cloud applications: Extend phishing protection beyond email to collaboration apps, messaging platforms, and SaaS services.
• Defend against social engineering: Be aware that attackers are increasingly pushing victims to communicate outside of “official” channels (like WhatsApp) to evade corporate controls.

Attackers continue to find creative ways to exploit legitimate services like Google Classroom to gain trust, bypass defenses, and achieve large-scale goals. With over 115,000 emails in just one week, this campaign highlights the ease with which cybercriminals can weaponize digital platforms for fraud.

Recognized as a Leader and Outperformer in the 2025 GigaOm Radar for Anti-Phishing, Check Point Harmony Email & Collaboration provides the advanced, layered defense needed to protect organizations from phishing attacks, even when they hide in plain sight.

Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.

Redazione

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.