Check Point researchers have uncovered a large-scale active phishing campaign abusing Google Classroom, a platform trusted by millions of students and educators worldwide.
Over the course of just one week, attackers launched five coordinated waves, distributing more than 115 000 phishing emails aimed at 13 500 organisations across multiple industries. Thus far, organisations in Europe, North America, the Middle East, and Asia are being targeted.
According to Check Point’s July 2025 Top Malware Report, the education sector was the most targeted globally, averaging 4 210 weekly attacks per organisation (+24% YoY). In comparison, a South African education organisation has been attacked on average 2 225 times per week in the last six months.
Google Classroom is designed to connect teachers and students through invitations to join digital classrooms. Attackers exploited this trust by sending fake invitations that contained unrelated commercial offers ranging from product reselling pitches to SEO services.
Each email directed recipients to contact scammers via a WhatsApp phone number – a tactic often linked to fraud schemes.
The deception works because security systems tend to trust messages originating from legitimate Google services. By piggybacking on Google Classroom’s infrastructure, attackers were able to bypass certain traditional security layers attempting to reach inboxes at more than 13 500 companies before defences were triggered.
Anatomy of the campaign:
- Scale: 115 000 phishing emails sent between August 6 and 12, 2025.
- Targets: 13 500 organisations worldwide, spanning multiple sectors.
- Lure: Fake Google Classroom invitations with offers unrelated to education.
- Call to action: A WhatsApp phone number, designed to move the conversation off-email and outside enterprise monitoring.
- Delivery method: Five major waves, each leveraging Google Classroom’s legitimacy to slip past filters.
How Check Point blocked the attack:
Despite the attackers’ sophisticated use of trusted infrastructure, Check Point Harmony Email & Collaboration’s SmartPhish technology automatically detected and blocked the majority of these phishing attempts. Additional layers of security prevented the remaining messages from reaching end users.
“This incident underscores the importance of multi-layered defences,” says Shayimamba Conco, security evangelist for Check Point Software Technologies. “Attackers are increasingly weaponising legitimate cloud services – making traditional email gateways insufficient to stop evolving phishing tactics.”