ThreatActors Leverage Google Classroom to Target 13,500 Organizations

Google Classroom, a popular educational platform, has been exploited by threat actors to launch a major phishing campaign in a complex operation discovered by Check Point researchers.

Over a single week from August 6 to August 12, 2025, attackers disseminated more than 115,000 malicious emails across five coordinated waves, targeting approximately 13,500 organizations globally.

These entities span diverse sectors including education, finance, healthcare, and manufacturing, with heavy concentrations in Europe, North America, the Middle East, and Asia.

Unprecedented Phishing Campaign

The campaign’s success hinges on exploiting the inherent trust associated with Google Classroom’s infrastructure, which facilitates seamless communication between educators and students through invitation-based mechanisms.

By masquerading as legitimate classroom join requests, the phishing emails evaded initial detection by many email security gateways, leveraging the platform’s reputation to bypass traditional filters such as SPF, DKIM, and DMARC validations that might otherwise flag spoofed origins.