Phishing Alert: How Fraudsters Use Google to Steal Your Credentials
2025-04-22
Author: Chun
A New Wave of Phishing Attacks
In a groundbreaking and alarming phishing scheme, cybercriminals have discovered a way to utilize Google's own infrastructure to send authentic-looking signed emails. This approach is not just cunning; it's been described as "extremely sophisticated," targeting unsuspecting users to harvest their login credentials.
The Deceptive Email Tactic
According to Nick Johnson, lead developer at the Ethereum Name Service (ENS), the emails look completely legitimate: they appear to come from an accounts.google.com address, pass DKIM signature checks, trigger none of Gmail's warnings, and sit alongside genuine Google security alerts in the inbox.
The phishing message tries to panic recipients, claiming that they must respond to a law enforcement subpoena concerning their Google Account. It urges them to click a link to 'view case materials' on a sites.google.com URL, which leads straight into the trap.
A Frighteningly Realistic Fake Page
Victims are directed to a Google Sites page that mimics the authentic Google Support portal, complete with options to upload documents or check the case details. Clicking either option redirects them to a fake Google sign-in page designed to steal their credentials.
Exploiting Google Sites: A Flaw Uncovered
Johnson explains that Google Sites, an older product that lets users host content on a google.com subdomain, has inherent weaknesses: it allows arbitrary scripts and embeds, which makes building a credential-harvesting page on a trusted-looking domain straightforward. Despite Google's broader anti-abuse efforts, Google Sites offers no effective way to report a malicious page from within the product, which helps the attackers' pages persist.
The Crafty DKIM Replay Attack
A sinister twist lies in the email headers. Although the message is marked as "Signed by" accounts.google.com, its "Mailed by" header names a completely different domain. This is a classic DKIM replay attack: a DKIM signature covers the signed headers and body of the original message, so a genuinely Google-signed email can be re-sent from anywhere and still verify. The attackers set up a Google account tied to a domain they control, use it to generate a legitimately signed Google email, and then replay that email so it appears to come authentically from Google.
How This Scheme Evades Detection
The attackers forward the message through an Outlook account; forwarding leaves the original DKIM signature intact, so the email glides past spam filters and lands in the targeted Gmail user's inbox with every visible sign pointing to a trustworthy email from Google.
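As an added example (not code from the original article), the following Python check models how a mail filter could surface the signed-by/mailed-by mismatch described above: it reads the DKIM d= domain and the Return-Path (envelope sender) domain and flags a passing DKIM signature whose envelope sender lies outside the signing domain. All header values and domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed headers (not from the article): DKIM d= is accounts.google.com, but the
# envelope sender (what Gmail displays as "mailed-by") is a different domain.
REPLAYED = """\
Return-Path: <bounce@forwarder.example>
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@accounts.google.com header.b=AbCdEf;
 spf=pass smtp.mailfrom=forwarder.example
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel1;
 h=from:to:subject; bh=xyz; b=AbCdEf
From: Google <no-reply@accounts.google.com>
"""

# Constructed control case: signing domain and envelope sender agree.
LEGIT = """\
Return-Path: <bounce@accounts.google.com>
Authentication-Results: mx.receiver.example; dkim=pass header.i=@accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel1; h=from; bh=xyz; b=Zz
From: Google <no-reply@accounts.google.com>
"""

def _domain(addr: str) -> str:
    """Lower-cased domain part of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def dkim_domains(msg: Message) -> set:
    """All d= values from DKIM-Signature headers (a message may carry several)."""
    return {d.lower() for sig in msg.get_all("DKIM-Signature", [])
            for d in re.findall(r"(?:^|;)\s*d=([^;\s]+)", sig)}

def replay_indicators(raw: str) -> dict:
    """Signed-by / mailed-by view of a message; suspect_replay is True when DKIM
    passes for the From domain but the envelope sender did not sign the message."""
    msg = message_from_string(raw)
    signed_by = dkim_domains(msg)
    mailed_by = _domain(msg.get("Return-Path", ""))
    from_dom = _domain(msg.get("From", ""))
    dkim_pass = "dkim=pass" in " ".join(msg.get_all("Authentication-Results", []))
    verdict = dkim_pass and from_dom in signed_by and mailed_by not in signed_by
    return {"signed_by": sorted(signed_by), "mailed_by": mailed_by,
            "from_domain": from_dom, "dkim_pass": dkim_pass, "suspect_replay": verdict}
```

A mismatch is a signal, not proof: ordinary mailing-list or mailbox forwarding produces the same pattern, so treat the verdict as one scoring input alongside link and content checks.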
Google's Response: Stay Vigilant
When questioned, Google confirmed it has rolled out protections to close off this fraudulent pathway, stressing that it never asks for account credentials by email. It strongly advises users to enable two-factor authentication and passkeys to bolster their defenses against such phishing tactics.
The Rise of SVG Attachment Phishing
This alarming news arrives just months after another significant email-security weakness was disclosed. A recent spike in phishing attacks using SVG attachments has also been noted; the attachments redirect users to fake login pages imitating prominent services such as Microsoft and Google.
Kaspersky has reported a startling 4,100 phishing emails containing SVG attachments since the beginning of 2025, reflecting an unsettling trend in the realm of cybercrime. Users are urged to remain cautious and stay informed to navigate this evolving threat landscape.