
Gmail fraud: A new cyber fraud email which bypasses Google’s security protocols; Know how it works and safeguard your money

FinanceLaneby FinanceLane
May 10, 2025

Fraudsters appear to have bypassed security checks and tricked Google’s servers into sending Gmail users authentic-looking security alert emails. On a plain reading the email looks legitimate, and even the domain from which the fake email was sent looks close to the real one. The fraud relies on you not fact-checking the email and, fearing legal action, handing the fraudster access to your money, photos and other account contents. Read on for the details of this fraud and the measures to take to protect your money and Google account contents.

How does this psychological Gmail fraud work?

The image below shows what the fake email says. It claims that a legal subpoena has been served on Google LLC by the government and that, under this subpoena, the entire contents of your Google account (photos, emails, Maps data and so on) need to be handed over to the government. Notice that the fake email does not say the government is taking legal action against you; rather, it says the government wants Google to hand over your content and data. This is the hook.
If you took the hook, then comes the bait. The next paragraph of the email says you need to go to a “sites.google.com” website either to examine what data will be shared with the government or to protest, i.e. try to stop it. In reality this website is not a genuine Google page at all; it is a phishing website hosted on Google’s own sites.google.com domain, where anybody with basic computer knowledge can create a page. So this fact-check is the only thing standing between you and losing complete control of your financial accounts to the fraudsters.

If you look closely, it looks like a real email from Google; notice how it asks you to go to the “Google Support Case website” to take measures or protest. Such official-sounding terms are used to make the email look genuine.

https://x.com/nicksdjohnson/status/1912439023982834120

Source: nick.eth, lead developer of ENS and Ethereum Foundation alum on X (formerly Twitter)
Also, if you read this fraud email again, you will notice a lot of unnecessary fake detail such as a Google Account ID and a support reference ID, and it says that the legal subpoena has been served on Google LLC and not directly on you. Psychologically, this creates a sense of safety in your mind: the legal action is not against you but against Google, which in turn has been ordered to hand over your data and contents to the government.
Google has acknowledged that this fraud has happened and said it has rolled out protections for this abuse of its systems and also encouraged users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing fraud campaigns, as per a TOI report.

How did this fraud email bypass Google’s Gmail protection system?

Ranjeet Bellary, Partner, EY India Forensic and Integrity Services – Cyber Forensics says that this is a common type of email scam called a DKIM replay attack. Here’s how it works in simple terms:

  • Stealing a trusted email: The attacker gets hold of a real email that was signed by Google, which proves it came from a trusted source.
  • Tricking the system: They send that same email again to new people. Because the email still has Google’s original security signature, most email systems think it’s safe and don’t block it.
  • Setting the trap: The attacker creates a new fake Google account and a fake app in Google Cloud. When they give this fake app access to the new account, Google automatically sends a “Security Alert” email — a real one — to the attacker’s email.
  • Forwarding the bait: The attacker then forwards this real Google email from another email account (like Outlook), but leaves the original Google signature untouched. This makes it look 100% legitimate to spam filters.
  • Fooling the victim: The forwarded email ends up in the victim’s inbox and looks like an official message from Google. It passes all the usual security checks like SPF, DKIM, and DMARC, so it doesn’t raise any red flags.
  • Phishing website: The email tells the victim there’s suspicious content in their Google account and urges them to click a link to a sites.google.com page — a real Google-owned site. But this page is fake and designed to look like an official Google support page.
  • Stealing login info: When the victim clicks on buttons like “View Case” or “Upload Documents”, it takes them to another fake Google login page. If they enter their credentials, the attacker steals them.
  • Why it works: Google’s “sites.google.com” lets anyone create pages, including attackers. These pages can include code that tricks people. And because everything — the email, the domain, and the site — looks real and passes all checks, even Google’s spam filters can’t tell it’s a scam.

Tarun Wig, Co- Founder and CEO, Innefu Labs, says: “The primary reason Gmail didn’t flag the phishing email lies in the exploitation of a loophole in the DomainKeys Identified Mail (DKIM) system through a technique known as a DKIM replay attack. In this scenario, attackers captured a legitimate email originally generated by Google, complete with a valid DKIM signature, and replayed it to new victims.

Wig adds: “Because DKIM only validates that the content of the message and headers haven’t been tampered with — not the actual source or intention of the sender — Gmail’s filters interpreted the email as legitimate. Moreover, the email was sent from “no-reply@google.com”, passed SPF, DKIM, and DMARC checks, and even appeared in the same thread as genuine Google security alerts, further reinforcing its apparent authenticity. This underscores a critical challenge in email security: authentication mechanisms like DKIM can verify the integrity of a message, but not always its trustworthiness.”

Sheetal R Bhardwaj, executive member of the Association of Certified Financial Crime Specialists (ACFCS), explains that the primary reason Gmail did not flag this phishing email as spam lies in the way the attack exploits Gmail’s own infrastructure and authentication mechanisms, specifically DKIM (DomainKeys Identified Mail).

Here’s a breakdown of why this happened:

  • Legitimate Sender and DKIM Signature: The email was genuinely sent from Google’s infrastructure (specifically from no-reply@accounts.google.com), as shown in the message header screenshot. DKIM is a cryptographic signature that verifies the email’s authenticity by ensuring it was sent from the claimed domain and wasn’t tampered with during transit. Since this email was sent by Google itself, it passed the DKIM check with flying colors, showing “pass with domain accounts.google.com.” Gmail’s spam filters trust emails that pass DKIM, SPF (Sender Policy Framework), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks, as these are strong indicators of legitimacy.
  • DKIM Replay Attack: The attackers used a clever technique known as a DKIM replay attack. They created a Google Account and an OAuth application with a name that mimics a phishing message. When they granted their OAuth app access to their account, Google automatically sent a “Security Alert” email to the account, which is a legitimate email signed with Google’s DKIM key. The attackers then forwarded this email to the victim using a custom SMTP relay (Jellyfish) and Namecheap’s PrivateEmail infrastructure. Because the email retained its valid DKIM signature from Google, Gmail saw it as a legitimate message and didn’t flag it as spam.
  • Lack of Contextual Analysis: While Gmail’s spam filters are advanced, they often rely heavily on authentication signals like DKIM, SPF, and DMARC rather than deep contextual analysis of the email’s content or intent. In this case, the email appeared to be a standard Google security alert, which Gmail is programmed to treat as high-priority and trustworthy. The content itself didn’t raise red flags because it was a real Google email—just repurposed maliciously.
  • Bypassing Behavioral Filters: Gmail’s spam filters also look for suspicious patterns, such as emails from unknown senders or those with malicious links. However, since this email came from Google’s own domain and didn’t contain overtly malicious content (the phishing link likely appeared in a follow-up step after redirection), it didn’t trigger Gmail’s behavioral or content-based filters.
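As an added, defender-side illustration of the mechanism laid out in the two breakdowns above (this is not code from the article, from Google, or from the quoted experts): DKIM covers only the headers named in its h= tag plus a hash of the body, so the Return-Path and the Received hops that a forwarding relay prepends are unsigned. The toy below signs a constructed security-alert message, forwards it through a relay, confirms the signature still verifies, and then applies checks a receiving filter could run after DKIM passes: envelope sender domain versus the d= domain, last hop versus the d= domain, and a link to a user-generated Google Sites page. The HMAC (standing in for a real RSA/Ed25519 DKIM signature), the domains and the message text are all constructed stand-ins, and the heuristic is an illustration, not Google’s filter.

```python
"""Toy DKIM-replay triage (added example, not code from the article or Google).

DKIM signs only the headers listed in its h= tag plus a hash of the body.
Headers a forwarding relay prepends (Received) and the SMTP envelope sender
(Return-Path) sit outside the signature, so a replayed copy of a genuinely
signed message still verifies. This script shows that on a constructed
message and then flags the route/envelope mismatch a replay leaves behind.
An HMAC stands in for the RSA/Ed25519 signature so the example runs offline.
"""
import hashlib
import hmac
from email import message_from_string
from email.message import Message

SIGNING_KEY = b"constructed-demo-key"               # stand-in for the signer's private key
SIGNING_DOMAIN = "accounts.google.com"              # the d= tag (domain taken from the article)
SIGNED_HEADERS = ["from", "to", "subject", "date"]  # the h= tag

# Constructed sample: a genuine-looking alert whose body points at a Google Sites page.
ALERT = """From: Google <no-reply@accounts.google.com>
To: attacker-controlled@example.test
Subject: Security alert
Date: Thu, 10 Apr 2025 10:00:00 +0000

A new app was granted access to your account. Review the case at
https://sites.google.com/view/constructed-placeholder-page
"""


def _signing_input(msg: Message) -> bytes:
    """Exactly what the signature covers: the h= headers and a body hash."""
    body_hash = hashlib.sha256(msg.get_payload().encode()).hexdigest()
    lines = [f"{h}:{(msg.get(h) or '').strip()}" for h in SIGNED_HEADERS]
    return ("\n".join(lines) + "\nbh=" + body_hash).encode()


def _tags(sig: str) -> dict:
    """Parse 'd=...; h=...; b=...' into a dict."""
    return dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)


def sign(raw: str) -> str:
    """Prepend a DKIM-Signature header as the originating domain would."""
    tag = hmac.new(SIGNING_KEY, _signing_input(message_from_string(raw)),
                   hashlib.sha256).hexdigest()
    header = f"DKIM-Signature: d={SIGNING_DOMAIN}; h={':'.join(SIGNED_HEADERS)}; b={tag}"
    return header + "\n" + raw


def verify(raw: str) -> bool:
    """Recompute the signature over the signed scope only; extra headers are ignored."""
    msg = message_from_string(raw)
    got = _tags(msg.get("DKIM-Signature", "")).get("b", "")
    want = hmac.new(SIGNING_KEY, _signing_input(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(got, want)


def relay(raw: str, envelope_from: str, hop: str) -> str:
    """Forward a message unchanged: new envelope sender and Received hop on top."""
    return f"Return-Path: <{envelope_from}>\nReceived: from {hop}\n" + raw


def _org(domain: str) -> str:
    """Organisational domain (last two labels), e.g. accounts.google.com -> google.com."""
    return ".".join(domain.lower().split(".")[-2:])


def replay_indicators(raw: str) -> list:
    """Heuristics a receiver can apply after DKIM has already passed."""
    msg = message_from_string(raw)
    d = _tags(msg.get("DKIM-Signature", "")).get("d", "")
    findings = []
    ret = (msg.get("Return-Path") or "").strip("<> ")
    if "@" in ret and _org(ret.split("@")[1]) != _org(d):
        findings.append(f"envelope sender {ret} is outside signing domain {d}")
    hops = msg.get_all("Received") or []
    if hops:
        parts = hops[0].split()                         # topmost Received = last hop
        last_hop = parts[1] if len(parts) > 1 and parts[0] == "from" else parts[0]
        if _org(last_hop) != _org(d):
            findings.append(f"delivered via {last_hop}, outside signing domain {d}")
    if "sites.google.com" in msg.get_payload():
        findings.append("security alert links to a user-generated Google Sites page")
    return findings


def run_demo() -> dict:
    """Sign once, then compare a replayed copy with a copy delivered directly."""
    signed = sign(ALERT)
    replayed = relay(signed, "bounce@privateemail.test", "mail.privateemail.test")
    direct = relay(signed, "bounce@accounts.google.com", "mail-sor.google.com")
    return {
        "original_verifies": verify(signed),
        "replay_verifies": verify(replayed),          # True: signature scope unchanged
        "replay_findings": replay_indicators(replayed),
        "direct_findings": replay_indicators(direct),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point the demo makes is the one Wig states: the replayed copy verifies exactly as the original does, because nothing the relay touched was under the signature. What does change is the envelope and the route, which is why the indicators are computed from Return-Path and the topmost Received header rather than from the DKIM result itself.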

How should you protect yourself from this type of fraud?

Bellary from EY India shares how, even if Gmail’s filters missed it, users can still protect themselves by:

  1. Don’t trust emails just because they “look” safe — Even if an email passes all the usual security checks (like DKIM, SPF, and DMARC), it can still be fake or dangerous.
  2. Be extra careful with links — Even if a link goes to a well-known site like sites.google.com, it can still lead to a scam page, especially if the email tries to scare you or rush you into logging in.
  3. Use multi-factor authentication (MFA) — This adds an extra layer of protection to your account, so even if someone gets your password, they still can’t get in easily.
  4. Don’t click suspicious links — If you get an alert email, don’t click on links in the message. Instead, open your browser and go directly to the website (like Google.com) to check for issues.
  5. Help stop scams — If you see a suspicious email in Gmail, click “Report phishing” so Google can improve its filters and protect others.
