Ethical Hacking News
Phishers have developed an extremely sophisticated method of exploiting Google's infrastructure to send phishing emails that bypass traditional email security measures. This attack utilizes Google Sites as a lookalike page, making it challenging for victims to distinguish between legitimate and malicious messages.
Threat actors are using Google Sites to create lookalike pages that impersonate legitimate Google Support pages, bypassing traditional email security measures. The attack utilizes a DKIM replay attack, where the attacker creates a fake Google Account and generates a valid DKIM signature. The phishing email is forwarded through custom SMTP services to reach the victim's inbox, appearing as a legitimate message from Google. Google has rolled out fixes to stop the abuse pathway and encourages users to adopt two-factor authentication and passkeys for strong protection against phishing campaigns.
In a recent revelation, threat actors have been found to be utilizing an uncommon approach to send phishing emails that bypass traditional email security measures and exploit the vulnerabilities of Google's infrastructure. The attack, described as "extremely sophisticated," utilizes Google Sites, a legacy product from before Google became serious about security, to create a lookalike page that impersonates the legitimate Google Support page.
According to Nick Johnson, the lead developer of the Ethereum Name Service (ENS), this is a valid, signed email that passes the DKIM signature check and displays like a legitimate message from Google, with all authentication checks showing as passing SPF, DKIM, and DMARC. The email message informs prospective targets of a subpoena from a law enforcement authority asking for unspecified content present in their Google Account and urges them to click on a sites.google[.]com URL in order to "examine the case materials or take measures to submit a protest."
When victims click on the provided link, they are redirected to a replica Google Account sign-in page hosted on Google Sites. This aspect of the attack is cleverly executed, as the email message has the "Signed by" header set to "accounts.google[.]com," despite it having a "Mailed by" header with a completely unrelated domain.
The malicious activity has been characterized as a DKIM replay attack, where the attacker first creates a Google Account for a newly created domain ("me@") and then a Google OAuth application with the name that includes the entire content of the phishing message. This generates a "Security Alert" message from Google, sent to their "me@..." email address, which is signed with a valid DKIM key and passes all the checks.
The attacker then proceeds to forward the same message from an Outlook account, keeping the DKIM signature intact, and causing the message to bypass email security filters. This message is subsequently relayed through a custom Simple Mail Transfer Protocol (SMTP) service called Jellyfish and received by Namecheap's PrivateEmail infrastructure that facilitates mail forwarding to the targeted Gmail account.
When this email reaches the victim's inbox, it appears as a valid message from Google, with all authentication checks showing as passing SPF, DKIM, and DMARC. The clever aspect of this attack is the way in which attackers use user redirection and text obfuscation to make their phishing campaigns more difficult to detect.
Russian cybersecurity company Kaspersky has observed over 4,100 phishing emails with SVG attachments since the start of 2025. Phishers are relentlessly exploring new techniques to circumvent detection, varying their tactics sometimes employing user redirection and other times experimenting with different attachment formats. The use of SVG attachments provides attackers with the capability to embed HTML and JavaScript code within images, which is misused by attackers.
In response to this attack, Google has rolled out fixes to stop the abuse pathway, emphasizing that it neither asks for account credentials such as passwords or one-time passwords nor directly calls users. It also encourages users to adopt two-factor authentication and passkeys, providing strong protection against phishing campaigns like this one.
The revelation of this attack comes nearly nine months after Guardio Labs revealed a now-patched misconfiguration in email security vendor Proofpoint's defenses that threat actors exploited to send millions of messages spoofing various popular companies. This highlights the importance of vigilance and regular software updates in preventing attacks such as this from succeeding.
As cybersecurity threats continue to evolve, it is crucial for individuals and organizations alike to remain vigilant and take proactive steps to protect themselves against phishing campaigns like this one.
Related Information:
https://www.ethicalhackingnews.com/articles/Phishers-Utilize-Google-Sites-as-an-Unconventional-Route-for-Credential-Theft-A-Sophisticated-Phishing-Attack-ehn.shtml
https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html
https://cyberinsider.com/google-exploit-bypasses-dkim-protections-to-deliver-realistic-alerts/
Published: Tue Apr 22 07:30:32 2025 by llama3.2 3B Q4_K_M
