
Attackers Use Domain Fronting to Tunnel Malicious Traffic via Google Meet, YouTube and Chrome Update Servers

Attackers have discovered a way to exploit Google’s core services, including Google Meet, YouTube and Chrome update servers, using a technique called domain fronting.

By making their malicious traffic appear as legitimate connections to high-trust domains, adversaries can tunnel data through Google’s backbone infrastructure without raising suspicion.

This research builds on previous demonstrations of tunneling through web conferencing apps, showing how the same concept applies to the very fabric of the Internet.

How Domain Fronting Works

Domain fronting leverages the discrepancy between the hostname announced in the TLS handshake (via Server Name Indication, or SNI) and the hostname inside the encrypted HTTP Host header.

When a client connects, the SNI field publicly indicates a benign domain such as meet.google.com so network monitors treat it as safe.

Inside the encrypted session, however, the Host header specifies an attacker-controlled domain hosted on Google Cloud Platform.

[Image: a significant number of other Google domains that can be leveraged for command and control, each a high-traffic domain with an interesting profile]

Observers cannot see the Host header, so they cannot detect the divergence. The result is that traffic appears as normal Google usage but actually routes to an implant or command-and-control server under the adversary’s control.

Between 2015 and 2024, major providers including Google, Amazon and Microsoft largely blocked domain fronting.

Despite these blockades, researchers discovered an edge case in Google’s infrastructure that restores fronting capabilities.

By directing requests to Google Cloud Run functions or domains like update.googleapis.com and payments.google.com, attackers trigger backend routing to malicious endpoints while preserving a legitimate front.

[Image: the payments.google.com domain classified as a financial services site]

Experiments showed that a simple Cloud Run “Hello World” function could be invoked when the Host header pointed to the function’s URL even though the connection ostensibly targeted google.com.

Equivalent behavior was observed for Meet, YouTube and other high-traffic Google domains.

For red teams, this technique offers a powerful new covert channel. It leverages services that organizations cannot afford to block without disrupting daily operations, and it blends seamlessly with normal traffic.

Attackers can stage implants that communicate over HTTPS via Google’s update servers or video services, making network detection exceptionally difficult.

Traditional network controls often exempt core services from deep packet inspection.

To counter domain fronting, security teams need to inspect TLS sessions at scale, correlate DNS and certificate data, and employ behavioral analytics to spot unusual traffic patterns such as persistent connections to update.googleapis.com with non-standard payloads.
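The two checks described above, correlating the TLS SNI with the decrypted HTTP Host header and baselining traffic per fronted domain, are easier to reason about in code. The following Python script is an added example, not part of the original article and not Google's or any vendor's tooling. It assumes records in the shape a TLS-inspecting proxy could log after decryption (client, SNI, Host, bytes sent, content type); the sample records and the `fn-placeholder-abc123-uc.a.run.app` hostname are constructed for the example, and the two-label registrable-domain heuristic is a simplification of the Public Suffix List.

```python
"""Flag possible domain fronting in decrypted-proxy logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: client_ip  tls_sni  http_host  bytes_sent  content_type
# (the run.app hostname is a placeholder, not a real Cloud Run function)
SAMPLE_LOG = """\
10.0.0.5 meet.google.com meet.google.com 1200 application/json
10.0.0.5 update.googleapis.com update.googleapis.com 800 application/x-protobuf
10.0.0.7 update.googleapis.com fn-placeholder-abc123-uc.a.run.app 52000 application/octet-stream
10.0.0.7 update.googleapis.com fn-placeholder-abc123-uc.a.run.app 51000 application/octet-stream
10.0.0.7 update.googleapis.com fn-placeholder-abc123-uc.a.run.app 49000 application/octet-stream
10.0.0.9 www.youtube.com www.youtube.com 3000 text/html
10.0.0.9 www.youtube.com youtube.com 3000 text/html
"""

# Assumed per-front baselines: content types normally seen behind a given SNI, and a
# per-client byte ceiling per front. Real values come from your own traffic history.
EXPECTED_CONTENT_TYPES = {
    "update.googleapis.com": {"application/x-protobuf"},
}
BYTES_PER_CLIENT_CEILING = 100_000


@dataclass(frozen=True)
class Request:
    client: str
    sni: str          # hostname announced in the TLS ClientHello (visible on the wire)
    host: str         # HTTP Host header, visible only after TLS inspection
    bytes_sent: int
    content_type: str


def parse_log(text: str) -> list[Request]:
    """Parse whitespace-separated proxy records into Request objects."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, sni, host, size, ctype = line.split()
        # Drop an optional ":port" suffix and normalise case before comparing names.
        requests.append(Request(client, sni.lower(), host.split(":")[0].lower(),
                                int(size), ctype.lower()))
    return requests


def registrable_domain(hostname: str) -> str:
    """Heuristic eTLD+1: last two labels (google.com, run.app). A production
    deployment should use the Public Suffix List instead of this shortcut."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def sni_host_mismatch(req: Request) -> bool:
    """True when the public TLS front and the inner Host belong to different domains."""
    return registrable_domain(req.sni) != registrable_domain(req.host)


def find_fronting_candidates(requests: list[Request]) -> list[tuple[str, str, str]]:
    """Return unique (client, rule, detail) findings for fronting indicators."""
    findings = set()
    volume = defaultdict(int)
    for r in requests:
        if sni_host_mismatch(r):
            findings.add((r.client, "sni_host_mismatch", f"{r.sni} -> {r.host}"))
        expected = EXPECTED_CONTENT_TYPES.get(r.sni)
        if expected and r.content_type not in expected:
            findings.add((r.client, "unexpected_content_type",
                          f"{r.sni} {r.content_type}"))
        volume[(r.client, r.sni)] += r.bytes_sent
    # Behavioural check: sustained volume to one front from one client.
    for (client, sni), total in volume.items():
        if total > BYTES_PER_CLIENT_CEILING:
            findings.add((client, "volume_anomaly", f"{sni} {total} bytes"))
    return sorted(findings)


def flagged_clients(requests: list[Request]) -> set[str]:
    """Clients with at least one finding, for triage or alerting."""
    return {client for client, _, _ in find_fronting_candidates(requests)}


if __name__ == "__main__":
    for finding in find_fronting_candidates(parse_log(SAMPLE_LOG)):
        print(*finding)
```

The SNI-versus-Host comparison is the decisive signal, but it is only available where the session is decrypted; the content-type and volume checks are the fallback that still works on metadata when inspection is partial, which is why the article recommends combining TLS inspection with behavioral analytics rather than relying on either alone.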

This discovery underscores the ongoing cat-and-mouse game between attackers and defenders. As infrastructure frontiers expand, so do adversary opportunities to hide in plain sight.

Security architects should reevaluate default allowlists and ensure that even highly trusted domains receive appropriate scrutiny.

By adapting detection strategies to emerging fronting vectors, organizations can close the trust gap that attackers so readily exploit.
