Group-IB discovered a large-scale phishing operation dubbed GTFire that chains two Google services to get past URL-reputation checks in email security gateways. The attack flow: the victim receives an email containing a translate.goog link (the Google Translate proxy). Google fetches the target page on the victim's behalf and serves it from a translate.goog subdomain that encodes the real origin hostname, so the only hostname the gateway sees is Google's. Because that domain is broadly trusted, email security gateways and web filters rarely intercept the link.
The victim lands on a Firebase-hosted phishing page (a *.web.app subdomain) that dynamically loads brand-specific logos and login fields. Attackers rotate Firebase subdomains frequently to outpace blocklists. Stolen credentials are exfiltrated via plain HTTP GET requests to LiteSpeed-based C2 servers running commercial "All-in-1" PHP phishing scripts, so the stolen values are likely to appear in the request URL and hence in proxy logs.
The scale is significant: 1,000+ organisations across 100+ countries and 200+ industries have been victimised. Mexico, the United States, Spain, India, and Argentina are the most affected. Organisations should consider blocking, at the web proxy, translate.goog URLs whose encoded origin is an unrecognised Firebase *.web.app subdomain, and moving DMARC from a monitoring-only policy (p=none) to quarantine or reject on every sending domain. Note that DMARC enforcement addresses spoofing of your own sender domains; it does nothing against the translate.goog link itself, which is why the proxy-level check is the complementary control.
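Two checks behind those recommendations, as an added example rather than code from Group-IB or from the campaign: the first recovers the origin hostname that a translate.goog URL proxies (the proxy turns each "." in the origin hostname into "-" and each literal "-" into "--") and blocks origins on Firebase Hosting that are not on an allowlist; the second decides whether a DMARC record actually enforces a policy or is monitoring-only. The hostnames, the allowlist, and the sample URLs and DMARC records are constructed for the example, and the firebaseapp.com suffix (Firebase Hosting's other default domain) is an addition not mentioned in the report.

```python
"""Added example: proxy-side check for translate.goog -> Firebase Hosting, plus a
DMARC policy check. Not Group-IB's tooling; all sample data below is constructed."""
from __future__ import annotations

from urllib.parse import urlsplit

TRANSLATE_SUFFIX = ".translate.goog"
# web.app is the Firebase Hosting domain named in the report; firebaseapp.com is
# Firebase Hosting's other default domain (added here, not from the report).
FIREBASE_SUFFIXES = (".web.app", ".firebaseapp.com")


def decode_translate_goog(url: str) -> str | None:
    """Return the origin hostname behind a translate.goog proxy URL, or None.

    The proxy encodes the origin in its subdomain: '.' -> '-' and '-' -> '--',
    so example.com is served from example-com.translate.goog and
    my-site.example.com from my--site-example-com.translate.goog.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(TRANSLATE_SUFFIX):
        return None
    encoded = host[: -len(TRANSLATE_SUFFIX)]
    # Split on the escaped dashes first so they survive the dot substitution.
    return "-".join(part.replace("-", ".") for part in encoded.split("--"))


def is_firebase_host(host: str) -> bool:
    """True when the hostname is on a Firebase Hosting default domain."""
    return host.endswith(FIREBASE_SUFFIXES)


def classify_url(url: str, allowlist: frozenset[str]) -> tuple[str, str | None]:
    """Return (verdict, origin) for a URL seen in mail or proxy logs.

    'block' means a translate.goog URL proxying a Firebase-hosted origin that is
    not explicitly allowlisted; anything else is 'allow'.
    """
    origin = decode_translate_goog(url)
    if origin is None:
        return "allow", None
    if is_firebase_host(origin) and origin not in allowlist:
        return "block", origin
    return "allow", origin


def dmarc_enforcing(record: str) -> tuple[bool, str]:
    """Return (enforcing, reason) for a DMARC TXT record.

    Enforcing means p=quarantine or p=reject applied to 100% of mail (pct=100,
    the default) with no sp=none weakening subdomains (sp defaults to p).
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":          # RFC 7489: the v tag must match exactly
        return False, "not a DMARC1 record"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'} is monitoring-only"
    if tags.get("pct", "100") != "100":
        return False, f"pct={tags['pct']} leaves some mail unenforced"
    if tags.get("sp", policy).lower() == "none":
        return False, "sp=none leaves subdomains unenforced"
    return True, f"p={policy} enforced"


# Constructed sample URLs in the shapes the report describes (not real IOCs).
SAMPLE_URLS = [
    "https://login--example-web-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en",
    "https://status--example-web-app.translate.goog/",
    "https://docs-example-org.translate.goog/guide/",
    "https://example.com/login",
]
# Hypothetical allowlist of Firebase sites the organisation legitimately uses.
KNOWN_FIREBASE = frozenset({"status-example.web.app"})
# Constructed DMARC records: monitoring-only versus enforcing.
SAMPLE_DMARC = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
]


def triage(urls: list[str], allowlist: frozenset[str]) -> list[tuple[str, str, str | None]]:
    """Classify a batch of URLs; returns (url, verdict, origin) per entry."""
    return [(u, *classify_url(u, allowlist)) for u in urls]


if __name__ == "__main__":
    for url, verdict, origin in triage(SAMPLE_URLS, KNOWN_FIREBASE):
        print(f"{verdict:5} {origin or '-':25} {url}")
    for rec in SAMPLE_DMARC:
        print(dmarc_enforcing(rec), rec)
```

The decode step is what makes the block rule workable: matching on the literal string "web.app" in a translate.goog URL fails because the proxy has replaced the dots, so the origin must be recovered first. Rotated Firebase subdomains are caught by the suffix check rather than by name, which is the point of the report's observation that blocklists lag the rotation.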