Cybercriminals Use Firebase Developer Accounts to Distribute Phishing Emails

A new wave of phishing campaigns where attackers are abusing legitimate Google infrastructure to target victims.

Scammers are leveraging free developer accounts on Google Firebase to send fraudulent emails that effectively bypass traditional security filters.

How the Attack Works

Google Firebase is a widely used platform for building mobile and web applications. It offers a “free tier” that allows developers to test code and host small projects without cost.

Cybercriminals are now registering these free accounts to host phishing content and send emails, as reported by PaloAlto Network.

Because the emails originate from subdomains ending in firebaseapp.com a domain associated with Google’s reputable infrastructure they possess a high domain reputation.

This allows the malicious emails to slip past spam blocklists and land directly in the victim’s primary inbox.

The campaign relies on two primary psychological triggers to manipulate victims: fear and greed.

1. Scare Tactics: Many of the identified emails impersonate popular brands or financial institutions. They send urgent alerts regarding “fraudulent account use,” pressuring the victim to click a link immediately to resolve a non-existent security issue.
2. High-Value Lures: Conversely, other emails entice users with promises of free, high-value items or exclusive giveaways. These are designed to steal sensitive data, such as credit card numbers or login credentials, under the guise of shipping a prize.

Indicators of Compromise (IOCs)

The investigation highlighted specific patterns in the sender addresses.

These addresses often use random alphanumeric strings attached to the Firebase domain. Observed sender examples include:

• noreply@pr01-1f199.firebaseapp[.]com
• noreply@pro04-4a08a.firebaseapp[.]com
• noreply@zamkksdjauys.firebaseapp[.]com

Once a user clicks the call-to-action button in the email, they are redirected through various URL shorteners or compromised sites to the final phishing page. Malicious redirect chains have been observed using URLs such as:

• hxxps[:]//rebrand[.]ly/auj0ngh
• hxxp[:]//clouud.thebatata[.]org/click[.]php?
• hxxps[:]//www.servercrowdmanage[.]com/5N98X9F/21NRJNSZ/

This campaign demonstrates how attackers are “living off the land” by using trusted services to hide malicious activity.

Security teams are advised to closely monitor traffic from firebaseapp.com subdomains that do not align with known business applications.

Users should remain vigilant against unsolicited emails demanding urgent action, even if the technical sender address appears to be hosted on a legitimate platform.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post Cybercriminals Use Firebase Developer Accounts to Distribute Phishing Emails appeared first on Cyber Security News.