Security researchers have identified a sophisticated phishing campaign in which attackers exploit Google's infrastructure to distribute deceptive emails that appear legitimate.
These emails, seemingly sent from "no-reply@google.com," are authenticated with valid DomainKeys Identified Mail (DKIM) signatures, allowing them to bypass standard security filters and reach users' inboxes without raising suspicion.
The messages typically inform recipients of a supposed subpoena from law enforcement, urging them to review case materials via a link to a Google Sites page. Upon clicking the provided link, users are directed to a counterfeit Google support page hosted on Google Sites. This page closely mimics the appearance of legitimate Google interfaces and includes options like "upload additional documents" or "view case."
However, interacting with these elements leads to a fake Google Accounts sign-in page, also hosted on Google Sites, where any credentials entered are harvested by the attackers.
The attackers employ a DKIM replay technique to lend their phishing emails Google's own authentication. They register a Google OAuth application whose name field contains the entire phishing message, then authorize that app against a Google account they control. Google reacts by sending its standard security alert about the new app to that account; because the alert embeds the app name, the notification body carries the phishing text, and the whole message is signed with Google's DKIM key. The attackers then forward this signed email through services like Jellyfish SMTP and Namecheap's PrivateEmail without modifying the signed headers or body, so the DKIM signature remains valid.
As a result, the email still passes DKIM at the recipient's mail server, and because the signing domain (d=google.com) aligns with the visible From: address, DMARC passes as well; DMARC requires only one aligned mechanism, and SPF is evaluated against the forwarding relay's envelope sender rather than google.com. Received headers added in transit are not covered by the signature, so the forwarding hops leave the signature intact while the message appears to come from Google.
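The forwarding hops and the envelope sender are exactly what a replayed message cannot hide, since DKIM covers neither. The following added example (written for this article; it is not Field Effect's, Google's or the attackers' code) shows a stdlib-only triage pass over a raw message that assumes DKIM verification has already succeeded upstream and looks only for replay indicators: a Google-aligned signature handed over by a non-Google host, an envelope sender that does not align with From:, and a recipient who is absent from the signed To:/Cc: headers. The two sample messages are constructed with RFC 2606/5737 names and addresses, the Google MTA host suffix and the relaxed-alignment check are simplifying assumptions, and the `bh=`/`b=` values are placeholders.

```python
"""Heuristic DKIM-replay triage (added example, not the article's or Google's code).

Assumes the upstream MTA already verified the DKIM signature; this code only
inspects structural indicators that a replayed, otherwise valid message leaves.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Assumption: mail hosts that would legitimately hand Google-signed mail to our MX.
GOOGLE_MTA_SUFFIXES = (".google.com",)


def _domain(addr: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _aligned(dom: str, from_dom: str) -> bool:
    """DMARC 'relaxed' alignment, simplified to exact match or subdomain.
    Real evaluators compare organizational domains via the Public Suffix List."""
    return bool(dom) and (dom == from_dom or dom.endswith("." + from_dom))


def parse_dkim_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 s.3.2),
    dropping folding whitespace inside values."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    from_dom = _domain(str(msg["From"] or ""))
    tags = parse_dkim_tags(str(msg["DKIM-Signature"] or ""))
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    dkim_dom = tags.get("d", "").lower()
    ret_dom = _domain(str(msg["Return-Path"] or ""))

    # The topmost Received header is the hop that delivered to us. Received
    # headers are never signed, so they survive a replay and expose the relay.
    received = msg.get_all("Received") or []
    hop = re.match(r"from\s+(\S+)", str(received[0]).strip(), re.I) if received else None
    last_hop = hop.group(1).lower() if hop else ""

    # Who actually received it versus who the signed To:/Cc: headers name.
    rcpt = parseaddr(str(msg["Delivered-To"] or ""))[1].lower()
    listed = {a.lower() for _, a in getaddresses(
        [str(h) for h in (msg.get_all("To") or []) + (msg.get_all("Cc") or [])])}

    reasons = []
    if _aligned(dkim_dom, from_dom) and not last_hop.endswith(GOOGLE_MTA_SUFFIXES):
        reasons.append(f"DKIM d={dkim_dom} aligns with From, but last hop was {last_hop}")
    if _aligned(dkim_dom, from_dom) and not _aligned(ret_dom, from_dom):
        reasons.append(f"envelope sender domain {ret_dom!r} does not align with From")
    if "to" in signed and rcpt and rcpt not in listed:
        # A replay cannot rewrite a signed To:, so the real target only shows up
        # in the envelope / Delivered-To, never in the headers Google signed.
        reasons.append(f"recipient {rcpt} is not in the signed To:/Cc: headers")
    return {"dkim_domain": dkim_dom, "from_domain": from_dom, "last_hop": last_hop,
            "return_path_domain": ret_dom, "reasons": reasons,
            "verdict": "possible DKIM replay" if reasons else "no replay indicators"}


# Constructed sample: a Google-signed alert replayed through a third-party relay.
REPLAYED_MESSAGE = """\
Delivered-To: victim@example.org
Return-Path: <bounce@relay.example>
Received: from mail.relay.example (mail.relay.example [203.0.113.10])
 by mx.example.org with ESMTPS id r1; Mon, 21 Apr 2025 10:00:00 +0000
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [198.51.100.41])
 by mail.relay.example with ESMTPS id g1; Mon, 21 Apr 2025 09:58:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
 h=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: attacker-inbox@attacker.example
Subject: Security alert
Date: Mon, 21 Apr 2025 09:57:00 +0000
Message-ID: <alert-1@google.com>

You granted access to a new app.
"""

# Constructed sample: the same kind of alert delivered directly by Google.
LEGITIMATE_MESSAGE = """\
Delivered-To: victim@example.org
Return-Path: <bounces@accounts.google.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [198.51.100.41])
 by mx.example.org with ESMTPS id g2; Mon, 21 Apr 2025 09:58:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
 h=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: victim@example.org
Subject: Security alert
Date: Mon, 21 Apr 2025 09:57:00 +0000
Message-ID: <alert-2@google.com>

You granted access to a new app.
"""

if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        result = triage(raw)
        print(f"{label}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

Treat the output as a triage signal rather than a block rule: a mailing list or a user-configured forward produces the same non-Google last hop and non-aligned envelope sender, so the recipient-not-in-To: indicator is the one worth weighting most heavily, and a "possible DKIM replay" verdict should route the message to analyst review, not straight to quarantine.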
Source: The Hacker News
Analysis
This phishing campaign stands out due to its use of legitimate Google infrastructure to deliver malicious emails that are nearly impossible to distinguish from real communications.
While there have been past cases of threat actors leveraging Google services like Docs, Drive, or Calendar to distribute malicious content or phishing links, these incidents typically exploited user trust in Google's brand rather than its email authentication systems.
As such, this current campaign marks one of the first publicly documented instances where threat actors have deliberately used Google to generate a DKIM-signed email and then repurposed that email in a phishing attack—representing a new level of sophistication in exploiting cloud provider infrastructure.
In terms of complexity and potential impact, this campaign is on par with the most advanced phishing-as-a-service (PhaaS) tools available on the market today. Many modern PhaaS platforms now offer high-quality phishing pages, evasion techniques, and even CAPTCHA or geofencing tools to avoid detection.
However, while PhaaS kits usually rely on domains designed to mimic trusted brands, this campaign uses actual Google domains and signatures, elevating the level of perceived authenticity far beyond typical phishing tactics.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for phishing-related activity. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these threats.
Field Effect MDR users are automatically notified if threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.