Cybercriminals are now using Google’s tools to send out phishing emails that look so real, even experts are getting fooled. These emails appear to come from official-looking emails such as “no-reply@google.com” and warn of an urgent court summons related to a police investigation involving the recipient’s Google account.
The attackers are using Google Sites, a legitimate web-building platform, to create fake support portals and phishing pages. The phishing email looks like an official legal notice and links to what seems like a Google page, but directs users to a malicious site on sites.google.com.
Security firm EasyDMARC explains that the scam cleverly bypasses DKIM authentication, which is usually a red flag for email forgery. The trick? Scammers simply insert the full body of the phishing message as the name of a fake app on Google Sites. Google then automatically sends an email from its servers, making it appear legitimate and letting it pass security checks like DKIM.
Google’s Gmail Security Communications spokesperson, Ross Richendrfer, acknowledged the attack vector, stating:
We’re aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.
The scam has already reached major figures, including Ethereum Name Service developer Nick Johnson, who flagged the issue as a security bug. Google at first responded that the behavior was “working as intended,” but after public backlash, the company began working on a fix to close the loophole.
Get the latest tech news, telecom insights, and product launches wherever you prefer.
Add ProPakistani to Preferred Sources and see more of our stories in Google Search and Top Stories.