In what has been described as an “extremely sophisticated phishing attack,” threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google’s infrastructure and redirect message recipients to fraudulent sites that harvest their credentials.
“The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com,” Nick Johnson, the lead developer of the Ethereum Name Service (ENS), said in a series of posts on X.
“It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.”
The email message informs prospective targets of a subpoena from a law enforcement authority asking for unspecified content present in their Google Account and urges them to click on a sites.google[.]com URL in order to “examine the case materials or take measures to submit a protest.”
The Google Sites URL displays a lookalike page that impersonates the legitimate Google Support page, and includes buttons to “upload additional documents” or “view case.” Clicking on either of the options takes the victim to a replica Google Account sign-in page, the only difference being that it’s hosted on Google Sites.
“sites.google.com is a legacy product from before Google got serious about security; it allows users to host content on a google.com subdomain, and crucially it supports arbitrary scripts and embeds,” Johnson said.
“Obviously this makes building a credential harvesting site trivial; they simply have to be prepared to upload new versions as old ones get taken down by Google’s abuse team. It helps the attackers that there’s no way to report abuse from the Sites interface, too.”
A clever aspect of the attack is the fact that the email message has the “Signed by” header set to “accounts.google[.]com” despite it having a “Mailed by” header with a completely unrelated domain (“fwd-04-1.fwd.privateemail[.]com”).
The malicious activity has been characterized as a DKIM replay attack, where the attacker first creates a Google Account for a newly created domain (“me@“) and then a Google OAuth application with the name that includes the entire content of the phishing message.
“Now they grant their OAuth app access to their ‘me@…’ Google account,” Johnson said. “This generates a ‘Security Alert’ message from Google, sent to their ‘me@…’ email address. Since Google generated the email, it’s signed with a valid DKIM key and passes all the checks.”
The attacker then proceeds to forward the same message from an Outlook account, keeping the DKIM signature intact, and causing the message to bypass email security filters, according to EasyDMARC. The message is subsequently relayed through a custom Simple Mail Transfer Protocol (SMTP) service called Jellyfish and received by Namecheap’s PrivateEmail infrastructure that facilitates mail forwarding to the targeted Gmail account.
“At this point, the email reaches the victim’s inbox looking like a valid message from Google, and all authentication checks show as passing SPF, DKIM, and DMARC,” EasyDMARC CEO Gerasim Hovhannisyan said.
“Because they named their Google account ‘me@’, GMail shows the message was sent to ‘me’ at the top, which is the shorthand it uses when a message is addressed to your email address – avoiding another indication that might send up red flags,” Johnson pointed out.
When reached for comment, Google told The Hacker News that it has rolled out fixes to stop the abuse pathway and emphasized that the company neither asks for account credentials, such as passwords or one-time passwords, nor directly calls users.
“We’re aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse,” a Google spokesperson said. “In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
The disclosure comes nearly nine months after Guardio Labs revealed a now-patched misconfiguration in email security vendor Proofpoint’s defenses that threat actors exploited to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, and bypass authentication measures.
It also coincides with a surge in phishing campaigns that make use of attachments in Scalable Vector Graphics (SVG) format to trigger the execution of HTML code that, in turn, redirects users to a rogue Microsoft login form or a fake web page masquerading as Google Voice to entice them into entering their credentials.
Russian cybersecurity company Kaspersky said it has observed over 4,100 phishing emails with SVG attachments since the start of 2025.
“Phishers are relentlessly exploring new techniques to circumvent detection,” Kaspersky said. “They vary their tactics, sometimes employing user redirection and text obfuscation, and other times, experimenting with different attachment formats. The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers.”