
In what has been described as a “very sophisticated phishing attack,” threat actors have leveraged an unusual approach that lets them send fake emails through Google’s own infrastructure and redirect recipients to fraudulent sites that harvest their credentials.
“The first thing to note is that this is a valid, signed email. It really was sent from no-reply@google.com,” said Nick Johnson, lead developer of the Ethereum Name Service (ENS), in a series of posts on X.
“It passes the DKIM signature check, and Gmail displays it without any warnings. It even puts it in the same conversation as other, legitimate security alerts.”
The emails inform prospective targets of a law enforcement subpoena seeking unspecified content present in their Google Account and urge them to click a sites.google[.]com URL to “examine the case materials or take measures to submit a protest.”

The Google Sites URL displays a lookalike page impersonating a legitimate Google Support page, with buttons labeled “Upload additional documents” or “View case.” Clicking either option takes the victim to a replica of the Google Account sign-in page, the only difference being that it is hosted on Google Sites.
“sites.google.com is a legacy product from before Google got serious about security. It allows users to host content on a google.com subdomain and, crucially, supports arbitrary scripts and embeds,” Johnson said.
“Obviously this makes building a credential-harvesting site trivial. They simply have to be prepared to upload new versions as old ones get taken down by Google’s abuse team. It helps the attackers that there is no way to report abuse from the Sites interface.”
A clever aspect of the attack is that the email carries a “signed by” header set to “accounts.google[.]com” even though its “mailed by” header names a completely unrelated domain (“fwd-04-1.fwd.privateemail[.]com”).

The malicious activity has been characterized as a DKIM replay attack, in which the attacker first creates a Google account for a newly registered domain (“me@”), then creates a Google OAuth application whose name contains the entire content of the phishing message.
“Now they grant their OAuth app access to their ‘me@…’ Google account,” Johnson said. “This generates a ‘Security Alert’ message from Google, sent to their ‘me@…’ email address. Since Google generated the email, it is signed with a valid DKIM key and passes all the checks.”
The attacker then forwards the same message from an Outlook account, keeping the DKIM signature intact and bypassing email security filters, according to EasyDMARC. The message is relayed through a custom Simple Mail Transfer Protocol (SMTP) service called Jellyfish and received by Namecheap’s PrivateEmail infrastructure, which forwards it on to the targeted Gmail account.
“At this point, the email has arrived in the victim’s inbox looking like a valid message from Google, with all authentication checks (SPF, DKIM and DMARC) passed,” said Gerasim Hovhannisyan, CEO of EasyDMARC.

“They named their Google Account ‘me@’, so Gmail shows at the top that the message was sent to ‘me’, which is the shorthand it uses when a message is addressed to your own email address. That avoids another sign that might raise a red flag,” Johnson pointed out.
When reached for comment, Google told The Hacker News that it has deployed a fix to shut down the abuse pathway, emphasizing that it will never ask for account credentials such as a password or a one-time passcode, nor call users directly.
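As an added example (not code from the article or from the researchers quoted), the following Python checks a raw message for the two tells described above: a DKIM signer and an SPF-authenticated sending host that belong to different organisations, and a local recipient that is absent from To/Cc because the original alert was addressed to the attacker’s “me@” mailbox and forwarded verbatim. The Authentication-Results header, addresses and hostnames in the sample are constructed, the registrable-domain helper is simplified to the last two labels, and the same mismatch also occurs with legitimate mailing lists and forwarders, so it is a triage signal rather than a verdict.

```python
# Added example (not from the article): flag mail whose DKIM signer and actual
# sending host belong to different organisations, the tell of a replayed alert.
import re
from email import message_from_string
from email.utils import getaddresses

def org_domain(host):
    """Registrable domain, simplified to the last two labels (no PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Map each method in an Authentication-Results header (RFC 8601) to
    (verdict, domain it authenticated)."""
    results = {}
    for method, verdict, props in re.findall(r"\b(dkim|spf|dmarc)=(\w+)([^;]*)", value, re.I):
        dom = re.search(r"(?:header\.i=@?|smtp\.mailfrom=|header\.from=)([\w.-]+)", props)
        results[method.lower()] = (verdict.lower(), dom.group(1).lower() if dom else None)
    return results

def replay_indicators(raw):
    """Return the reasons a message looks like a DKIM replay (empty list = none)."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim_verdict, dkim_dom = auth.get("dkim", ("none", None))
    _, spf_dom = auth.get("spf", ("none", None))
    reasons = []
    # 1. "Signed by" one organisation, "mailed by" another: the core replay tell.
    if dkim_verdict == "pass" and dkim_dom and spf_dom and org_domain(dkim_dom) != org_domain(spf_dom):
        reasons.append(f"signed by {dkim_dom} but mailed by {spf_dom}")
    # 2. Forwarded verbatim: the original alert was addressed to the attacker's
    #    own "me@" mailbox, so the local recipient is not in To/Cc at all.
    delivered = msg.get("Delivered-To", "").strip().lower()
    addressees = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if delivered and delivered not in addressees:
        reasons.append(f"recipient {delivered} absent from To/Cc {sorted(addressees)}")
    return reasons

# Constructed sample mirroring the header layout the article describes.
SAMPLE = """\
Delivered-To: victim@example.net
Authentication-Results: mx.example.net; dkim=pass header.i=@accounts.google.com header.s=SELECTOR; spf=pass smtp.mailfrom=fwd-04-1.fwd.privateemail.com; dmarc=pass header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: me@attacker-domain.example
Subject: Security alert

You have been served a subpoena; review the case materials at the link.
"""

if __name__ == "__main__":
    print(replay_indicators(SAMPLE))
```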

“We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse,” a Google spokesperson said. “In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
The disclosure comes nine months after Guardio Labs revealed a since-patched misconfiguration in email security vendor Proofpoint’s defenses that could be abused to send millions of messages spoofing various popular companies, including Best Buy, IBM, Nike and Walt Disney, while bypassing authentication measures.
It also coincides with a surge in phishing campaigns that use attachments in Scalable Vector Graphics (SVG) format to trigger the execution of HTML code.
Russian cybersecurity company Kaspersky said it has observed over 4,100 phishing emails with SVG attachments since the start of 2025.
“Phishers are relentlessly exploring new techniques to evade detection,” Kaspersky said. “They vary their tactics, sometimes employing user redirection and text obfuscation, and in other cases experimenting with different attachment formats. The SVG format provides the ability to embed HTML and JavaScript code in images, which attackers misuse.”