One of the most difficult aspects of testing phishing samples is getting those malicious links past basic email security protections. This is primarily due to the reputation of the domain, the landing page host IP and the email address itself.
Accumulating enough reputation for both the domain and the email address to be considered trusted is tough, especially within a quarterly testing schedule, and sending links that lead to fake login pages is the best way to nose-dive that already sketchy reputation into oblivion.
But what if there was a way to hijack an already known and trusted platform for our own nefarious purposes?
Using Google Translate to Look Legit
Google Translate is the most used translation tool globally and is run by one of the largest companies in the world. It offers a feature that lets anyone translate an entire web page from its URL into up to 130 languages, which then generates a new URL on the ‘translate.goog’ domain.
This raises the question: supposing a malicious link was put through this service, how would that affect its reputation now that it’s been ‘processed’ by Google?
The exploit has been used by hackers as far back as 2019, although we were made aware of it after Kaspersky published a blog post about the technique.
On the surface, this seems like something that allows hackers to bypass any email security solution with ease. However, during our tests, we didn’t see a significant increase in samples reaching the victims’ inboxes when compared to standard phishing emails.
It does mean that you can’t instinctively trust URLs with ‘translate.goog’ in them, but the best practice always stays the same – you shouldn’t instinctively trust any URLs that reach your inbox, regardless of who has sent them.
Always Check the Sender
It’s an interesting concept, but I don’t think it has shaken the email security world as we know it. The technique is still used in 2025, but we haven’t seen a significant loss for businesses due to it. In fact, in our recent email tests on Cisco Secure Email Threat Defense and Coro Email and Cloud Security, both identified the threat.
Multinational businesses should be especially wary, as they are likely to encounter Google-translated URLs. But as mentioned above, always check the sender, and hover over that link to see the full picture; the sender’s actual domain will be visible within. As with all exploits, the concept will continue to be developed by hackers who are looking for new ways to bypass security systems. Hijacking the reputation of a trusted domain is something that’s always going to be beneficial for them.
For example, we’ve recently seen a similar technique that uses email forwarding to hijack Google’s very own DKIM signatures, using Google’s own reputation against people.
Building a good reputation takes a long time and requires you to create a digital footprint. Hackers want their attacking domains to be active for as short a time as possible, to minimise the chances of getting caught.
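The hover check described above can be automated in a mail filter or triage script, so that reputation lookups run against the site behind the link rather than against Google. The sketch below is an added example, not code from the original article; it assumes the commonly observed translate.goog host encoding (dots become hyphens, literal hyphens are doubled), and the sample message and blocklist are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

PROXY_SUFFIX = ".translate.goog"
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def underlying_host(url):
    """Return the site a Google Translate link really loads, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(PROXY_SUFFIX):
        label = host[: -len(PROXY_SUFFIX)]
        # Assumed encoding: "." in the original host becomes "-", and a
        # literal "-" becomes "--". IDN or very long hosts are not handled.
        return label.replace("--", "\0").replace("-", ".").replace("\0", "-")
    if host == "translate.google.com" and parts.path.startswith("/translate"):
        # Older link form carries the target in the "u" query parameter.
        target = parse_qs(parts.query).get("u", [""])[0]
        return (urlsplit(target).hostname or "").lower() or None
    return None


def audit_links(body, blocked):
    """List (url, real_host, is_blocked) for every translate link in body."""
    findings = []
    for url in URL_RE.findall(body):
        real = underlying_host(url)
        if real is None:
            continue  # not a Google Translate link
        hit = any(real == d or real.endswith("." + d) for d in blocked)
        findings.append((url, real, hit))
    return findings


# Constructed sample message and blocklist (reserved example domains).
SAMPLE = """Your mailbox is full, sign in to keep your account:
https://secure--login-example.translate.goog/auth?_x_tr_sl=auto&_x_tr_tl=en
Archive: https://translate.google.com/translate?sl=auto&tl=en&u=https://docs.example.org/a
Help: https://support.google.com/mail"""
BLOCKED = {"secure-login.example"}

if __name__ == "__main__":
    for url, real, hit in audit_links(SAMPLE, BLOCKED):
        print(f"{'BLOCK' if hit else 'check'}  {real:<22} <- {url}")
```

Treat the decoded host as a hint for reputation lookups, since hosts that fall outside the assumed encoding will not round-trip cleanly.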