Google Issues Gmail Phishing Warning Over DKIM And OAuth Exploit

Google has issued an urgent warning to its 3 billion Gmail users about a new, sophisticated phishing scam. Cybercriminals have discovered a method to send fake emails that appear to originate from Google’s servers. These emails easily pass security measures such as DKIM authentication, appearing authentic even to experienced users.

The attackers took advantage of a vulnerability in Google’s OAuth system, allowing them to send convincing emails that led victims to a fake “support portal”.

The fake webpage then requests Google account information. Although the emails appear to be from “no-reply@google.com,” the true sender is different, making the scam difficult to spot.

The fact that the hackers have used Google’s own infrastructure to bypass Gmail’s security measures and redirect users to websites designed to collect credentials makes the attack a serious threat. Security experts have described this as an “extremely sophisticated phishing attack” using an uncommon approach that has proven effective.

Lead Ethereum Name Service (ENS) developer Nick Johnson disclosed that he had been the victim of a highly skilled cybercrime. The attackers exploited a flaw in Google’s infrastructure, enabling them to send emails that appeared to come directly from Google’s official domains.

Inside the OAuth-Powered DKIM Exploit That Outsmarted Google’s Email Filters

A security warning informed Johnson that a subpoena had been issued by a law enforcement agency seeking the details of his Google account. The scammers even paired the email with real Google security notifications, which made it appear quite authentic. The message urged recipients to review case materials or submit a protest via a link to a sites.google[.]com page.

Google Security Alert Used in Subpoena Phishing Scam (Nick Johnson)

Johnson said in a series of X posts:

The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com. It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts. Obviously, this makes building a credential harvesting site trivial; they simply have to be prepared to upload new versions as old ones get taken down by Google’s abuse team. It helps the attackers that there’s no way to report abuse from the Sites interface, too.

The fake portal was an exact clone of the real login page. Johnson warned: “The only giveaway is that the URL reads sites.google.com rather than accounts.google.com.” Its goal? Harvest your credentials.

However, the true brilliance was in how the email passed through Google’s security measures. This scam is a DKIM replay phishing attack, and it unfolds in four steps:

  • Domain Setup: The attacker registers a new domain (for example, me@your-domain.com) in Google.
  • Account Creation: They create a Google Account under that domain.
  • OAuth Trick: They register an OAuth app whose name replicates the phishing message itself.
  • Message Signing: Google’s servers legitimately sign and send the email, so it passes DKIM checks.

Email headers reveal Google-signed DKIM replay phishing attack (Nick Johnson)

An attacker created a Google OAuth app, naming it after the entire phishing message. To deceive recipients, the message included excessive whitespace, making it appear complete and separating it from Google’s own notification about access to the attacker’s me@domain email address.

To further evade detection, the attacker forwarded the phishing email from an Outlook account while preserving the DKIM (DomainKeys Identified Mail) signature. According to EasyDMARC, this allowed the message to bypass common email security filters.

Following that, the email was sent to Namecheap’s PrivateEmail infrastructure, which sent it to the appropriate Gmail account via a customised Simple Mail Transfer Protocol (SMTP) service named Jellyfish.

After the attacker granted their OAuth app access to their own email address in Google Workspace, Google sent a security alert to that inbox. Johnson explains that the warning passed all authentication tests because Google created it and authenticated it with a legitimate DKIM key.

The attacker’s final move was to forward the legitimate-looking security alert to victims. The weakness the attack relies on is that a DKIM signature covers only the signed headers and the message body, not the SMTP envelope: nothing in the signature records who relayed the message or which mailbox it was delivered to, so a genuine Google-signed alert can be forwarded to any recipient and still verify. As a result, the forwarded email passed verification and appeared trustworthy in recipients’ inboxes.
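The four steps listed above and the envelope point just made have a defensive consequence: because the signature says nothing about who relayed the message or whom it reached, the evidence of a replay lives in the unsigned headers. The following script is an added example, not code from the article, Google or Phishing Tackle. It parses a constructed message modelled on the chain described here (a Google-signed alert addressed to the attacker’s own mailbox, relayed via Outlook and a third-party mail provider to a victim, linking to sites.google.com) and reports the indicators a mail filter or analyst can check. Every domain, host and header value in the sample is constructed; the hostnames, the `USER_CONTENT_HOSTS` set and the two-label organisational-domain shortcut are assumptions of this example.

```python
"""Defender-side triage for DKIM replay phishing (added example, not the article's code).

Assumes the receiving MTA has already verified the DKIM signature (the article's
point is that verification passes) and looks at what the signature does NOT cover:
the envelope sender, the relay hops and the mailbox the message was delivered to.
All domains, hosts and header values below are constructed sample data.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hosts on which anyone can publish pages under a trusted brand's domain.
# Assumption for this example: the article names sites.google.com standing in
# for accounts.google.com as the one visible giveaway.
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed sample: the replayed alert as it could look on arrival at the victim.
SAMPLE_MESSAGE = """\
Delivered-To: victim@example.com
Return-Path: <relay@privateemail.example>
Received: from mail.privateemail.example by mx.example.com; Tue, 15 Apr 2025 10:00:05 +0000
Received: from outbound.outlook.example by mail.privateemail.example; Tue, 15 Apr 2025 10:00:01 +0000
Authentication-Results: mx.example.com; dkim=pass header.d=accounts.google.com; spf=pass smtp.mailfrom=privateemail.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601; h=to:from:subject:date:message-id; bh=CONSTRUCTED=; b=CONSTRUCTED=
From: Google <no-reply@accounts.google.com>
To: me@attacker-domain.example
Subject: Security alert
Date: Tue, 15 Apr 2025 09:59:00 +0000
Message-ID: <constructed-id@accounts.google.com>
Content-Type: text/plain; charset="utf-8"

A subpoena has been issued for your account. Review the case materials at
https://sites.google.com/view/constructed-case-portal within 48 hours.
"""


def dkim_tags(msg):
    """Split the DKIM-Signature header into its tag=value pairs (d=, h=, s=, ...)."""
    tags = {}
    for part in (msg.get("DKIM-Signature") or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(name):
    """Crude organisational domain: the last two labels (a simplification, not the PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def address(header_value):
    """Bare, lower-cased address from a header such as To, Return-Path or Delivered-To."""
    return parseaddr(str(header_value or ""))[1].lower()


def received_from_hosts(msg):
    """Hosts named in 'Received: from <host> ...' clauses, newest hop first."""
    hosts = []
    for line in msg.get_all("Received", []):
        match = re.match(r"\s*from\s+([^\s;]+)", str(line))
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def message_text(msg):
    """Text of the message body (plain preferred, then HTML), or '' if none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def replay_indicators(raw):
    """Return indicator -> evidence for one raw message; an empty dict means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    tags = dkim_tags(msg)
    findings = {}
    sign_domain = tags.get("d", "").lower()
    signed_headers = {h.strip().lower() for h in tags.get("h", "").split(":")}

    # 1. DKIM covers To, yet the mailbox that received the message is not the one the
    #    signer addressed: the signature was made for someone else and then replayed.
    signed_to, delivered_to = address(msg["To"]), address(msg["Delivered-To"])
    if "to" in signed_headers and signed_to and delivered_to and signed_to != delivered_to:
        findings["replayed_to"] = {"signed_to": signed_to, "delivered_to": delivered_to}

    # 2. Envelope sender outside the signing organisation: DKIM says nothing about
    #    who handed the message to our MX.
    envelope_domain = address(msg["Return-Path"]).rpartition("@")[2]
    if sign_domain and envelope_domain and org_domain(envelope_domain) != org_domain(sign_domain):
        findings["foreign_envelope"] = {"dkim_d": sign_domain, "return_path_domain": envelope_domain}

    # 3. Relay hops that do not belong to the signing organisation.
    if sign_domain:
        foreign = [h for h in received_from_hosts(msg) if org_domain(h) != org_domain(sign_domain)]
        if foreign:
            findings["foreign_hops"] = foreign

    # 4. Links to user-publishable content hosted under the sender's own brand.
    hosts = {m.group(1).lower() for m in re.finditer(r"https?://([^/\s]+)", message_text(msg))}
    lookalikes = sorted(hosts & USER_CONTENT_HOSTS)
    if lookalikes:
        findings["lookalike_links"] = lookalikes

    return findings


if __name__ == "__main__":
    for name, evidence in replay_indicators(SAMPLE_MESSAGE).items():
        print(f"{name}: {evidence}")
```

None of these four checks reverses a DKIM pass, and none is proof on its own (mailing lists and legitimate forwarders also produce foreign hops). Together they are the signal the article’s narrative points at: a signature made for `me@attacker-domain.example`, delivered to someone else, by servers the signer does not operate, linking to a page anyone can publish.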

Google confirmed that it is aware of the phishing scheme, which creatively makes use of OAuth and DKIM technologies. The company said that it is developing countermeasures and anticipates deploying a complete solution shortly.

Security experts recommend that users switch to two-factor authentication, use passkeys wherever feasible, and be on the lookout for emails requesting login information or account verification, even if they appear to be from reliable sources. It is concerning that phishing strategies have evolved from simple credential theft to sophisticated misuse of trusted authorisation systems like OAuth 2.0.

Phishing attacks are on the rise, and it is crucial to protect your organisation. One effective method is to increase user awareness about these types of attacks. Phishing Tackle is an excellent resource that can assist you in this regard. We offer a free 14-day trial to help train your users to recognise and avoid phishing attacks. 

Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important for minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.