Phishing Emails Use Google Tricks to Steal Logins

Phishing emails are getting smarter and more dangerous. A new campaign uses Google services to fool users into sharing their credentials. These emails appear real, with valid signatures and no alerts from Gmail.

According to a report, attackers sent messages that appeared to come from the address no-reply@google.com. These emails passed all security checks, including SPF, DKIM, and DMARC. Gmail therefore displayed them as trusted and even threaded them into the recipient's existing security-alert conversations.

The messages claimed to be legal notices. Victims were told to review a subpoena by clicking a sites.google.com link. That link led to a fake Google Support page, which included buttons to “view the case” or “upload documents.”

Fake Pages, Real Danger

Clicking either button took the user to a fake Google login page. The page was hosted on Google Sites, a platform that allows custom scripts and embedded content, which made it easy for attackers to build pages that look legitimate and live on a genuine google.com domain.

Researchers noted that Google Sites has no built-in abuse reporting. This allowed phishing pages to stay up longer. When one page is taken down, attackers quickly upload a new one.

The emails also showed a “Signed by” tag from accounts.google.com while being “Mailed by” a different domain. Because the signature was genuine, this mismatch did not trigger a warning and only added to the illusion of authenticity.

How the Attack Works Behind the Scenes

This attack method is known as a DKIM replay attack. First, the attacker creates a Google account and sets up an OAuth app. The app’s name includes the entire phishing message, because Google quotes the app name in the security alert it sends when the app is granted access.

When the app is granted access, Google sends a real security alert to the account. That alert is a legitimately signed Google email whose body contains the attacker's text. The attacker then forwards this valid email through another service such as Outlook, keeping the DKIM signature intact: the signature covers the original headers and body, which are unchanged, so it still verifies at the destination.

The message passes through a mail relay system and lands in the victim’s inbox. Only the envelope sender changes along the way, which is why the “Mailed by” domain differs from the “Signed by” domain. Because Gmail presents the message as coming from “me,” users are less likely to notice anything suspicious.
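A defender-side heuristic for the two tells described above (a valid Google DKIM signature on a message relayed by an unrelated domain, and a Google-branded sender linking to sites.google.com). This is an added example, not code from the report or from Google; the headers and domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a replayed Google security alert, DKIM-signed by Google
# but relayed through a third-party domain and pointing at a Google Sites page.
SAMPLE = """\
Return-Path: <relay@example-relay.test>
Received: from mx.example-relay.test (mx.example-relay.test [203.0.113.5])
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=20230601; h=from:to:subject;
From: Google <no-reply@google.com>
To: victim@example.test
Subject: Security alert
Content-Type: text/plain

A subpoena has been issued. Review the case at
https://sites.google.com/view/support-case-constructed
"""

def domain_of(addr):
    """Domain part of an RFC 5322 address, lower-cased ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def dkim_domains(msg):
    """Signing domains (d= tags) from every DKIM-Signature header."""
    return [m.group(1).lower()
            for sig in msg.get_all("DKIM-Signature", [])
            for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)] if m]

def same_org(a, b):
    # Crude organisational match on the last two labels,
    # so accounts.google.com and google.com count as the same sender.
    return a.split(".")[-2:] == b.split(".")[-2:]

def analyze(raw):
    """Return a list of heuristic findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    # DKIM aligned with From, yet the envelope sender belongs to another org:
    # the "Signed by google / Mailed by someone else" pattern.
    aligned = any(same_org(d, from_dom) for d in dkim_domains(msg))
    if aligned and rp_dom and not same_org(rp_dom, from_dom):
        findings.append("dkim_signer_vs_mailer_mismatch")
    # A message from a google.com sender that sends the reader to Google Sites.
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://\S+", msg.get_payload())}
    if "sites.google.com" in hosts and from_dom.endswith("google.com"):
        findings.append("google_sender_links_to_google_sites")
    return findings
```

Run `analyze(raw_message)` over a mailbox export; either finding alone is a signal to review, and both together match the campaign described here.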

Evolving Tactics and New File Tricks

Phishing groups are constantly updating their methods. For example, they now use SVG attachments to hide harmful code. When opened, scripts embedded in these attachments redirect users to fake Microsoft or Google login pages.

A recent report counted over 4,100 phishing emails using SVG files in early 2025 alone. Attackers also use text obfuscation and script embedding to bypass filters.

How to Stay Protected from Phishing Emails

To protect against phishing emails, users should take the following steps:

  • Always verify the sender’s address, even if the message looks official.
  • Avoid clicking on unexpected links or attachments.
  • Use two-factor authentication or passkeys to secure accounts.
  • Report suspicious emails, even from trusted domains.
  • Keep security software updated and active.

Therefore, being cautious and using layered protection is key to avoiding these deceptive threats.

Sleep well, we’ve got you covered.