A recently uncovered Gmail vulnerability enabled hackers to send spoofed emails that looked like they came straight from “no-reply@google.com”. The perpetrators were able to bypass Google’s internal security filters. The attack was discovered by Nick Johnson, the lead developer of Ethereum Name Service (ENS).
The incident shows in detail how Google’s own infrastructure can be abused to lend credibility to sophisticated phishing attacks.
The Gmail phishing attack came in emails that passed DomainKeys Identified Mail (DKIM) authentication, and as such, they looked legitimate. “These emails are valid, signed, and display no warnings in Gmail,” Johnson said. “They even get pulled through in the same thread as real alerts from Google, which makes it all the more believable and risky.”
Victims received fake security-alert emails claiming they were named in a legal subpoena. The emails direct users to a Google Sites page posing as a support portal, which then leads to a near-exact copy of the Google login page that harvests credentials. “The only hint it’s a phishing attack is that it’s hosted on 'sites.google.com' instead of 'accounts.google.com',” Johnson said.
The most troubling aspect of this attack is that it relies on Google’s infrastructure (e.g., Gmail, Google Sites) to build credibility. The phishing emails passed all authentication checks, which allowed them to circumvent many of Gmail’s anti-spam measures. The broader concern is that known legitimate platforms can be turned against users in this way, making detection all the more difficult.
Google has acknowledged the incident and taken action. “We're aware of this class of targeted attack… and have rolled out protections,” said a spokesperson for the company. Google also reiterated that it will never ask for credentials via email and encouraged users to implement two-factor authentication and passkeys for improved security.
Cyber professionals have warned that users who do not use passkeys or two-factor authentication are at even higher risk of being targeted. “These scams are designed to look as real as possible,” Johnson emphasized. The general advice to users is to look for red flags such as greetings that avoid using your name, pressure to act urgently, and suspicious links. Rather than clicking a link in the email, open it manually in a new browser window to verify that it is legitimate.
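The two cues described above, a sign-in link hosted on sites.google.com rather than accounts.google.com and the generic red flags (a greeting without your name, urgency language, suspicious links), as a small triage script. This is an added example, not code from Johnson, Google or the reporting; the sample emails and the keyword lists are constructed for illustration, and the host check generalizes the article's single case to any Google host that is not the real sign-in page.

```python
"""Heuristic triage for a suspected "Google security alert" phishing email.

Added example, not Google's or Nick Johnson's code. It flags the cues the
article describes: a login link whose host is not accounts.google.com
(e.g. sites.google.com), a generic greeting, and urgency language.
"""
import re
from urllib.parse import urlparse

# Only an exact match on this host is the real Google sign-in page.
LEGIT_LOGIN_HOST = "accounts.google.com"

# Constructed keyword lists (assumptions for this example, not from the article).
GENERIC_OPENERS = ("dear user", "dear customer", "dear account holder", "hello,")
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "legal action", "subpoena")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def classify_link_host(url: str) -> str:
    """Classify the host of a link as 'login', 'google-other' or 'external'.

    'google-other' covers hosts under google.com that are not the sign-in page,
    such as sites.google.com, which is the tell described in the article.
    A host like accounts.google.com.example.net does not end in ".google.com"
    and is therefore 'external'.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host == LEGIT_LOGIN_HOST:
        return "login"
    if host == "google.com" or host.endswith(".google.com"):
        return "google-other"
    return "external"


def triage_email(body: str) -> dict:
    """Collect the red-flag cues found in an email body and return a verdict."""
    cues = []
    # Cue 1: every link that is not the real sign-in host.
    for url in URL_RE.findall(body):
        kind = classify_link_host(url)
        if kind != "login":
            host = urlparse(url).hostname
            cues.append(f"link to {host} ({kind}) instead of {LEGIT_LOGIN_HOST}")
    # Cue 2: a greeting that avoids the recipient's name (first non-empty line).
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if any(first_line.startswith(op) for op in GENERIC_OPENERS):
        cues.append("generic greeting without the recipient's name")
    # Cue 3: pressure to act urgently.
    lowered = body.lower()
    urgency = [term for term in URGENCY_TERMS if term in lowered]
    if urgency:
        cues.append("urgency language: " + ", ".join(urgency))
    verdict = "suspicious" if cues else "no cues found"
    return {"cues": cues, "verdict": verdict}


# Constructed sample messages (not real emails from the incident).
SAMPLE_PHISH = """\
Dear user,

A subpoena has been served on Google requiring production of your account
contents. Review the case immediately at:
https://sites.google.com/view/example-support-portal
"""

SAMPLE_LEGIT = """\
Hi Alice,

A new sign-in was detected on your account. Review recent activity at
https://accounts.google.com/
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage_email(sample)
        print(label, "->", result["verdict"])
        for cue in result["cues"]:
            print("  -", cue)
```

The host check deliberately uses `urlparse(...).hostname` and an exact or suffix match rather than a substring search, so that a host merely containing "google.com" elsewhere in its name is still treated as external; the cue lists are heuristics and will need tuning for real mail flows.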
This Gmail vulnerability illustrates that even trusted platforms can be abused when a determined attacker is involved. The case brings the necessity for vigilance, secure authentication practices, and public education to the forefront.
As phishing techniques become more advanced, it is up to users to stay informed, to spot the signs, even the subtle ones, and to learn how to recognise traps, especially when abused messaging systems produce emails that look exactly like they come from Google itself.