Phishers use Google infrastructure and DKIM replay to send emails

A sophisticated phishing campaign is exploiting Google's own systems to bypass security checks and steal user credentials.

What happened

Researchers have uncovered a phishing campaign that uses a combination of Google Sites, DKIM replay, and email redirection to send fake but fully authenticated emails that appear to come directly from Google. Victims receive an email, seemingly from no-reply@google.com, warning of a subpoena. It passes all security checks (SPF, DKIM, DMARC) and links to a spoofed Google Support page hosted on Google Sites. From there, users are led to a replica sign-in page designed to steal their credentials.

Going deeper

The technique is a DKIM replay attack. The attackers create a legitimate Google account and an OAuth app, which triggers a genuine security alert from Google that is DKIM-signed. They then forward that signed email from another account while keeping the DKIM signature intact. Because the message was signed by Google and passes all authentication checks, it lands in the inbox with no warnings and is displayed as a legitimate alert.

The phishing page itself is hosted on the legacy sites.google.com platform, which allows arbitrary scripts and embeds, making it easy to host credential theft pages. As old versions of the phishing site get removed, attackers upload new ones, exploiting the lack of an abuse reporting feature within the Sites interface.

Google has confirmed awareness of the campaign and said it has implemented fixes to prevent further abuse. The company stated it does not request passwords or one-time passcodes via email.

What was said

Nick Johnson, lead developer of the Ethereum Name Service (ENS), was one of the first to break down the attack’s mechanics on X. EasyDMARC later provided a technical summary, explaining how the forwarding of a DKIM-signed message via custom SMTP infrastructure allowed it to pass untouched through email security systems.

Google responded by stating that it had rolled out protections and encouraged users to adopt two-factor authentication and passkeys. “We’re aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse,” a Google spokesperson said.

The big picture

The phishing campaign demonstrates how attackers can exploit trusted infrastructure to avoid detection. DKIM-signed emails, OAuth notifications, and use of Google subdomains added credibility to the messages, reducing the chance of user skepticism or filter-based blocking. Elements of the platform’s design, such as support for custom scripting and limited abuse visibility, were also used to support the attack. Although mitigation steps have been taken, the campaign reflects a broader shift toward more precise and technically sophisticated phishing methods.

FAQs

What is a DKIM replay attack, and why is it dangerous?

A DKIM replay attack involves reusing a legitimately signed email by forwarding it while keeping its original DKIM signature intact. Since the message appears authenticated, it can slip past email security filters undetected.

Why are phishing emails hosted on Google Sites harder to detect?

Because sites.google.com uses a google.com domain, many filters and users inherently trust it. The platform’s legacy features also allow attackers to embed malicious scripts, making it easier to create convincing credential theft pages.

What is the difference between 'Mailed by' and 'Signed by' in email headers?

‘Mailed by’ shows the actual sending domain, while ‘Signed by’ refers to the domain that applied the DKIM signature. In this attack, the mismatch helped the email appear valid even though it was routed through a third-party service.
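The replay mechanics described under "Going deeper" and the 'Mailed by' versus 'Signed by' mismatch above can be turned into a triage check. The following is an added example, not code from the article or from any vendor named in it: it parses a constructed message whose DKIM signer (d=) is google.com but whose envelope sender and relaying host belong to an unrelated domain, and flags the combination of unaligned domains and a signature timestamp far older than delivery. The header layout, domains and timestamps are all assumptions made for the example.

```python
"""Heuristic DKIM replay check (added example; the sample message is constructed).
Signal 1: DKIM signer (Signed by) and envelope sender (Mailed by) are not aligned.
Signal 2: the signature timestamp (t=) is far older than the time our MX received it.
Ordinary forwarding and mailing lists also trip signal 1, so treat this as triage input."""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: Google-signed headers relayed through an unrelated SMTP host.
SAMPLE = """\
Received: from relay.example-smtp.test (relay.example-smtp.test [203.0.113.7])
        by mx.example.org with ESMTPS; Mon, 21 Apr 2025 09:00:00 +0000
Return-Path: <bounce@example-smtp.test>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=sel1;
        t=1745146800; h=from:to:subject:date; bh=dummyhash=; b=dummysig
From: Google <no-reply@google.com>
Subject: Security alert
Date: Sun, 20 Apr 2025 11:00:00 +0000

Sign in to review this alert.
"""

def dkim_tags(sig):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def aligned(child, parent):
    # DMARC-style relaxed alignment: same domain or a subdomain of the signer.
    return child == parent or child.endswith("." + parent)

def analyze(raw, max_age_hours=12.0):
    msg = message_from_string(raw)
    tags = dkim_tags(msg["DKIM-Signature"])
    signed_by = tags["d"].lower()
    # The envelope sender domain is what the mail client reports as "Mailed by".
    mailed_by = msg["Return-Path"].strip("<> ").rsplit("@", 1)[1].lower()
    # The top-most Received header was written by our own MX; its date is delivery time.
    delivered = parsedate_to_datetime(msg["Received"].rsplit(";", 1)[1].strip())
    signed = datetime.fromtimestamp(int(tags["t"]), tz=timezone.utc)
    age_hours = (delivered - signed).total_seconds() / 3600
    return {
        "signed_by": signed_by,
        "mailed_by": mailed_by,
        "aligned": aligned(mailed_by, signed_by),
        "signature_age_hours": age_hours,
        "suspect_replay": not aligned(mailed_by, signed_by) and age_hours > max_age_hours,
    }
```

Run `analyze(SAMPLE)` on the constructed message and it reports google.com as the signer, example-smtp.test as the mailer, and a 22-hour gap between signing and delivery, so the message is flagged for review.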

How can users verify the legitimacy of a Google security alert?

Users should not click on links directly from emails. Instead, they should log into their Google Account manually through a browser and check the “Security” section for recent alerts or activity.

What steps can organizations take to protect against similar phishing tactics?

Organizations should enforce advanced threat protection tools, use domain-based message authentication with anomaly detection, and educate users on how to identify spoofed login pages and misleading email headers.