
New Gmail Threats Targeting Business Users in 2025: How to Stay Safe

Peter Nelson · 6 min read

Gmail-targeted attacks on business users are evolving rapidly. Here is what OAuth phishing, AI-generated spear phishing, and account takeover patterns look like - and how to defend against them.

Most business owners think of phishing as obvious: a poorly worded email from a fake bank asking you to click a suspicious link. That picture is increasingly outdated. The attacks targeting Gmail business users in 2025 are more sophisticated, harder to spot, and more targeted than what came before. If your business uses Gmail - whether through Google Workspace or personal accounts for business purposes - here is what you need to know.

OAuth Phishing: The Attack That Bypasses Your Password

One of the most effective attacks targeting Gmail users in 2025 does not steal your password at all. OAuth phishing - sometimes called consent phishing - tricks you into granting a malicious third-party application access to your Google account.

Here is how it works: you receive what looks like a legitimate email inviting you to open a shared document, accept a calendar invite, or join a collaboration tool. The link takes you to a real Google sign-in page, not a fake one, because the attacker has registered a genuine OAuth application with Google. You sign in with your actual credentials. Google then shows its standard consent screen asking whether “Document Viewer Pro” or “Calendar Sync Plus” (or whatever the attacker has named the app) may access your Gmail, Drive and Contacts. The app name and logo are chosen by the attacker; the only trustworthy part of that screen is the list of permissions (scopes) being requested, so that list is what to read.

If you click Allow, Google issues the attacker’s application a refresh token, which it can exchange for fresh access tokens for as long as it likes. That grant is independent of your password: changing your password does not revoke it, and it stays valid until you (or a Workspace administrator) explicitly remove the app’s access. With mail, Drive and contacts scopes the attacker can read your email, pull files out of Drive, and harvest your contact list for the next round of attacks, without ever having your password.

How to protect against OAuth phishing:

  • Be deeply sceptical of any email prompting you to authorise an application you have not specifically sought out, and read the permission list on the consent screen: a “document viewer” has no reason to ask for full access to your mailbox.
  • Regularly audit third-party app access. In your Google Account, open Security (or Data & privacy) and look for “Your connections to third-party apps & services” (older accounts labelled it “Third-party apps with account access”). Remove anything you do not recognise or no longer use.
  • In Google Workspace, administrators can control which third-party OAuth apps users may authorise: Admin console > Security > Access and data control > API controls > App access control. Mark reviewed apps as trusted and block unconfigured apps, so an app nobody has vetted cannot be granted Gmail or Drive scopes at all. This is the strongest control available here.
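Two checks an administrator or a careful user can make on a consent request: pulling the scopes out of the consent link before anyone clicks Allow, and scanning the Workspace token audit log afterwards for grants of mail, Drive or contacts scopes to untrusted apps. This is an added example written for this article, not code from the page or from Google. The consent link, app names, client IDs and audit records are constructed; the record layout follows the shape of Reports API “token” events (eventName `authorize` with `app_name`, `client_id` and `scope` parameters), which is an assumption about the export format.

```python
"""Triage Google OAuth consent links and Workspace token-audit events.

Added example for this article, not code from the page or from Google.
Assumptions: consent links use the documented endpoint
https://accounts.google.com/o/oauth2/v2/auth with client_id, redirect_uri,
access_type and a space-separated scope parameter; the audit events below are
CONSTRUCTED to mirror Workspace Reports API "token" events. App names, client
IDs and addresses are placeholders.
"""
from urllib.parse import parse_qs, urlparse

# Scopes that hand over mail, Drive or contacts: the consent-phishing payload.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# Scopes that only identify the user; normal for "Sign in with Google".
IDENTITY_SCOPES = {"openid", "email", "profile"}


def risky_scopes(scopes):
    """Subset of scopes that expose mailbox, Drive or contact data."""
    return sorted(s for s in scopes if s in HIGH_RISK_SCOPES)


def inspect_consent_url(url):
    """Break a consent link down before anyone clicks Allow.
    Rejects anything that is not the real Google endpoint (a cloned consent
    page on a lookalike host is the other variant of this attack)."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname != "accounts.google.com":
        raise ValueError(f"not Google's authorization endpoint: {u.hostname!r}")
    q = parse_qs(u.query)
    scopes = set(q.get("scope", [""])[0].split())
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": sorted(scopes),
        "risky": risky_scopes(scopes),
        "sign_in_only": scopes <= IDENTITY_SCOPES,
        # access_type=offline requests a refresh token: access that outlives
        # the browser session and survives a password change until revoked.
        "offline": q.get("access_type", [""])[0] == "offline",
    }


def triage_token_events(events, trusted_client_ids):
    """Flag 'authorize' events where an untrusted client got a risky scope."""
    findings = []
    for ev in events:
        if ev.get("name") != "authorize":
            continue
        # Reports API parameters carry a single "value" or a "multiValue" list.
        params = {p["name"]: p.get("multiValue", [p.get("value")])
                  for p in ev.get("parameters", [])}
        client_id = params.get("client_id", [""])[0]
        if client_id in trusted_client_ids:
            continue
        risky = risky_scopes(params.get("scope", []))
        if risky:
            findings.append({"actor": ev.get("actor"),
                             "app": params.get("app_name", ["?"])[0],
                             "client_id": client_id, "risky": risky})
    return findings


# Constructed consent link of the kind the lure email would carry.
SAMPLE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=111111111111-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocviewer.example%2Fcallback"
    "&response_type=code&access_type=offline&prompt=consent"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly"
)

# Constructed token-audit events (shape only; see module docstring).
SAMPLE_EVENTS = [
    {"actor": "alice@example.com.au", "name": "authorize", "parameters": [
        {"name": "app_name", "value": "Document Viewer Pro"},
        {"name": "client_id",
         "value": "111111111111-placeholder.apps.googleusercontent.com"},
        {"name": "scope", "multiValue": [
            "https://mail.google.com/",
            "https://www.googleapis.com/auth/drive.readonly",
            "https://www.googleapis.com/auth/contacts.readonly"]}]},
    {"actor": "bob@example.com.au", "name": "authorize", "parameters": [
        {"name": "app_name", "value": "Team Chat Sign-in"},
        {"name": "client_id",
         "value": "222222222222-placeholder.apps.googleusercontent.com"},
        {"name": "scope", "multiValue": ["openid", "email", "profile"]}]},
]

if __name__ == "__main__":
    print(inspect_consent_url(SAMPLE_CONSENT_URL))
    for f in triage_token_events(SAMPLE_EVENTS, trusted_client_ids=set()):
        print(f"{f['actor']} granted {f['app']} ({f['client_id']}): {f['risky']}")
```

Bob’s grant is sign-in only and is not flagged; Alice’s “Document Viewer Pro” asked for full mailbox access plus Drive and contacts with `access_type=offline`, which is exactly the persistent grant described above. Feed real export rows through `triage_token_events` with your approved client IDs in `trusted_client_ids`.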

AI-Generated Spear Phishing

Spear phishing - targeted attacks that use personal details to appear convincing - has historically been labour-intensive for attackers. Researching a target, writing a convincing email, and personalising it at scale was time-consuming. AI has changed this.

Attackers now use AI tools to scrape publicly available information about individuals and businesses (LinkedIn profiles, company websites, news coverage, social media) and generate highly personalised, grammatically flawless phishing emails at scale. The resulting emails reference real projects, real relationships and real business context. Judged on content alone they are indistinguishable from legitimate communications; what still gives them away is the sending address, where replies are routed, and the request itself.

Common patterns seen in 2025:

  • An email appearing to come from your accountant referencing an actual client project, asking you to review an attached invoice before a filing deadline
  • A message seemingly from a key supplier noting a change to their banking details, referencing your real trading history
  • An “update” from a government body you actually deal with (ATO, ASIC) containing a link to a convincingly cloned portal

How to protect against spear phishing:

  • Verify unexpected requests via a separate channel. If an email asks you to pay money, change banking details, or share credentials, call the sender directly using a number you have independently verified - not the number in the email.
  • Enable Google Workspace’s enhanced pre-delivery message scanning (Admin console > Apps > Google Workspace > Gmail > Safety), and make sure SPF, DKIM and DMARC are published for your own domain so that mail pretending to come from your own staff is rejected rather than delivered.
  • Provide staff with regular phishing awareness training, including examples of convincing spear phishing. The days of “look for bad grammar” as a detection heuristic are over.
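Because content is no longer a reliable tell, the checks that still work are on the envelope: whether the address behind a familiar display name is the one that contact really uses, where replies are routed, and what the receiving server’s authentication results say. The following is an added example written for this article, not the page’s own code; the messages, contact directory and domains are constructed. Note that the lure below passes SPF, DKIM and DMARC, because the attacker owns the lookalike domain and set those records up; only the comparison against a known-contact directory catches it.

```python
"""Header triage for a suspected spear-phishing email.

Added example for this article, not code from the original page. The messages
and the contact directory are CONSTRUCTED; all domains are placeholders.
Checks: a display name matching a known contact but sent from a different
domain; a Reply-To pointing somewhere other than the From domain; and the
Authentication-Results header added by the receiving server (Gmail labels its
own "mx.google.com") not showing dmarc=pass.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed directory: display name -> domain that person really mails from.
KNOWN_CONTACTS = {"jane smith": "smith-accounting.example"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc outcomes from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, outcome in AUTH_RE.findall(hdr):
            results.setdefault(method.lower(), outcome.lower())
    return results


def triage(raw_message):
    """Return reasons to distrust the message (empty list: nothing found)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"'{name}' is a known contact, but the address is on "
                        f"{from_domain!r}, not {expected!r}")

    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if any(domain_of(a) != from_domain for a in reply_to):
        findings.append(f"Reply-To {reply_to} points away from the From domain")

    ar = auth_results(msg)
    if ar.get("dmarc") != "pass":
        findings.append("no DMARC pass for the From domain: "
                        f"{ar or 'no Authentication-Results header'}")
    return findings


# Constructed lure: lookalike domain (accountlng vs accounting), a plausible
# project reference, and a Reply-To that diverts the conversation. SPF, DKIM
# and DMARC all PASS because the attacker controls the lookalike domain.
SUSPICIOUS_MESSAGE = """\
From: Jane Smith <jane.smith@smith-accountlng.example>
Reply-To: Jane Smith <jane.smith@docs-relay.example>
To: owner@yourbusiness.example
Subject: Harbour St fit-out invoice - please approve before the BAS deadline
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=smith-accountlng.example; dkim=pass header.i=@smith-accountlng.example; dmarc=pass header.from=smith-accountlng.example
Content-Type: text/plain

Hi, as discussed on Tuesday, the invoice for Harbour St is attached. Could you
approve payment today so it is in before the BAS lodgement?
"""

# Constructed genuine message from the same contact.
GENUINE_MESSAGE = """\
From: Jane Smith <jane.smith@smith-accounting.example>
To: owner@yourbusiness.example
Subject: Harbour St fit-out invoice
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=smith-accounting.example; dkim=pass header.i=@smith-accounting.example; dmarc=pass header.from=smith-accounting.example
Content-Type: text/plain

Invoice attached, no rush.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, triage(raw) or ["no header findings"])
```

The directory lookup is the important part: an authentication pass only proves the mail came from the domain it claims, not that the domain is the one your accountant uses. In Gmail, “Show original” on a message exposes these headers.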

Account Takeover via Credential Stuffing

Credential stuffing attacks use large databases of username/password combinations leaked from previous data breaches. Attackers run automated tools that attempt these combinations against Gmail, Google Workspace, and thousands of other services.

If anyone in your business reuses passwords - and most people do, despite knowing they should not - there is a meaningful chance that their Gmail password has already appeared in a data breach. Tools like Have I Been Pwned let individuals check whether their email has been compromised.

Once an attacker gains access to a Gmail account, they typically:

  1. Create forwarding rules or filters that quietly copy mail to an address they control, often paired with filters that archive or delete security alerts and replies that would reveal the intrusion, so they keep reading even after the victim changes their password
  2. Conduct reconnaissance to understand who the victim communicates with and what financial or operational access their account enables
  3. Use the compromised account to send targeted attacks to the victim’s contacts, who trust communications from the known address

How to protect against credential stuffing:

  • Enforce multi-factor authentication for all Google Workspace accounts. This is the single most effective control.
  • Require strong, unique passwords. A password manager makes this practical for staff.
  • Make sure sign-in alerts reach someone. Google emails users about sign-ins from a new device; in Google Workspace, the Alert Center (Admin console > Security > Alert center) raises suspicious-login alerts, and the Login audit log shows every sign-in with its source IP.
  • Review forwarding rules and filters periodically: Gmail Settings > See all settings > Forwarding and POP/IMAP, and the Filters and Blocked Addresses tab. Workspace administrators can also disable automatic forwarding to external addresses for the whole organisation (Apps > Google Workspace > Gmail > End User Access).
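Have I Been Pwned also offers Pwned Passwords, which checks a password against the breach corpora without the password ever leaving your machine: only the first five characters of its SHA-1 hash are sent, the service returns every hash suffix in that range, and the match is made locally (k-anonymity). This added example, not code from the page or from HIBP, implements that exchange. The range response embedded below is constructed so the check runs offline; the live lookup is a separate function that hits the documented endpoint.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API.

Added example for this article, not code from the page or from HIBP.
Protocol (k-anonymity): SHA-1 the password, send only the first five hex
characters to https://api.pwnedpasswords.com/range/<prefix>, and match the
remaining 35 characters locally against the returned SUFFIX:COUNT lines. The
range body below is CONSTRUCTED for offline use; a real response for this
prefix has hundreds of lines and a different count.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (5-char prefix sent to HIBP, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password, range_body):
    """Breach appearances recorded for password in a range response body."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Live lookup: only the prefix leaves the machine. Not exercised offline."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "gmail-password-hygiene-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password):
    """Live check combining the two steps above."""
    prefix, _ = split_hash(password)
    return count_in_range(password, fetch_range(prefix))


# Constructed range body for prefix 5BAA6. The second suffix is the real
# remainder of SHA-1("password"); the other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print("sent to HIBP:", prefix, "| kept local:", suffix)
    print("seen in breaches:", count_in_range("password", SAMPLE_RANGE_5BAA6))
```

A non-zero count means the password is in circulation in credential-stuffing lists and should be retired. Run `pwned_count` against candidate passwords when staff set them, rather than storing anything: the function never logs or transmits the password itself.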

Session Hijacking via Malicious Browser Extensions

A growing attack vector in 2025 involves malicious browser extensions that steal session cookies - the tokens your browser uses to keep you logged into Gmail without requiring you to re-enter your password.

An attacker with your session cookie can access your Gmail as you, bypassing multi-factor authentication entirely: the MFA challenge was already satisfied when the session was created, so as far as Google is concerned this is your existing authenticated session, not a new sign-in. This type of attack is called a pass-the-cookie attack.

Malicious extensions are distributed through unofficial extension stores, and occasionally through the Chrome Web Store itself before Google removes them. They are also pushed via phishing emails promising useful tools, and a once-legitimate extension can turn malicious after its developer sells it or is compromised, because extension updates install silently.

How to protect against session hijacking via extensions:

  • Restrict which browser extensions staff can install. With Chrome browser management in Google Workspace (or any other Chrome enterprise policy channel), block all extensions by default (ExtensionInstallBlocklist set to *) and permit only a reviewed list (ExtensionInstallAllowlist).
  • Review installed extensions regularly and remove anything unfamiliar or unused. Pay particular attention to extensions that request the “cookies” permission or access to every site; those are the ones able to read a Gmail session.
  • Google’s Context-Aware Access feature (available on Enterprise editions and some other plans; check your edition) can limit Gmail to managed devices or known networks, so a cookie replayed from an attacker’s machine is refused. Separately, Google session control lets administrators set a maximum session length after which users must sign in again, which caps how long a stolen cookie stays useful.
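Reviewing the extensions list by eye does not show which ones could actually read a Gmail session cookie. The following added example (not code from the page or from Google) scans a Chrome profile’s Extensions directory and flags manifests whose permissions make that possible: the `cookies` or `webRequest` permission combined with host access covering Google, or host access to every site. The sample profile it builds is constructed with placeholder extension IDs, and the profile paths assume a standard install using the Default profile.

```python
"""Find installed Chrome extensions that could read Gmail session cookies.

Added example for this article, not code from the page or from Google. Walks
<profile>/Extensions/<id>/<version>/manifest.json and flags manifests that pair
the "cookies" or "webRequest" permission with host permissions reaching Google,
or that ask for every site. The sample profile is CONSTRUCTED in a temporary
directory; its extension IDs and names are placeholders, not real extensions.
"""
import json
import sys
import tempfile
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
GOOGLE_MARKERS = ("mail.google.com", "accounts.google.com", ".google.com/")

# Default profile locations (assumption: standard install, "Default" profile).
PROFILE_EXTENSION_DIRS = {
    "linux": "~/.config/google-chrome/Default/Extensions",
    "darwin": "~/Library/Application Support/Google/Chrome/Default/Extensions",
    "win32": "~/AppData/Local/Google/Chrome/User Data/Default/Extensions",
}


def host_patterns(manifest):
    """Host match patterns from MV3 host_permissions and MV2 permissions."""
    perms = manifest.get("permissions", [])
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    return hosts


def reaches_google(hosts):
    """Crude test: a broad pattern, or one naming a Google host."""
    return any(h in BROAD_HOSTS or any(m in h for m in GOOGLE_MARKERS)
               for h in hosts)


def assess_manifest(manifest):
    """Reasons an extension could steal or replay a Gmail session."""
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    reasons = []
    if "cookies" in perms and reaches_google(hosts):
        reasons.append("cookies API with access to Google hosts")
    if "webRequest" in perms and reaches_google(hosts):
        reasons.append("webRequest on Google hosts (can read Cookie headers)")
    if hosts & BROAD_HOSTS:
        reasons.append("host permission on every site")
    return reasons


def scan_extensions(extensions_dir):
    """Map extension id -> finding for every risky manifest under the dir."""
    findings = {}
    root = Path(extensions_dir).expanduser()
    for manifest_path in root.glob("*/*/manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        reasons = assess_manifest(manifest)
        if reasons:
            findings[manifest_path.parents[1].name] = {
                "name": manifest.get("name"),  # may be a __MSG_..__ locale key
                "version": manifest_path.parent.name,  # Chrome uses "1.2.3_0"
                "reasons": reasons,
            }
    return findings


def build_sample_profile():
    """Constructed Extensions dir: one benign, one cookie-stealing extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ext-sample-"))
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Harmless Notes", "version": "1.0",
            "permissions": ["storage"],
            "host_permissions": ["https://notes.example/*"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 3, "name": "Document Viewer Pro",
            "version": "2.3.1", "permissions": ["cookies", "webRequest", "storage"],
            "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        d = root / ext_id / f"{manifest['version']}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    print("sample profile:", scan_extensions(build_sample_profile()))
    real = PROFILE_EXTENSION_DIRS.get(sys.platform)
    if real and Path(real).expanduser().is_dir():
        print("this machine:", scan_extensions(real))
```

Chrome stores each installed extension under its 32-character ID, so the ID reported here is what you would put on an allowlist or blocklist. A hit is not proof of malice (password managers legitimately need cookie access), but it is the short list worth checking against the Chrome Web Store listing and the vendor.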

Practical Steps for Australian Businesses Right Now

Whether you use Gmail for personal accounts or run your business on Google Workspace, these steps materially reduce your risk:

  1. Enable 2-step verification for every Google account used in your business. Use an authenticator app, a passkey or a hardware security key rather than SMS; passkeys and security keys also cannot be phished for a one-time code.
  2. Audit third-party app access and remove anything not actively used.
  3. Check forwarding rules in Gmail settings for all business accounts.
  4. Review browser extensions installed across staff devices.
  5. Train staff on current phishing patterns - include realistic examples, not just obvious fake emails.
  6. Implement a callback verification policy for any email requesting payment, credential changes, or sensitive actions.

If you are running a Google Workspace environment and want help tightening your security configuration, or if you have had a security incident and need assistance, contact CX IT Services. We work with Melbourne businesses to close the gaps before attackers find them.
