Hackers Spoof Google's No-Reply Email
As reported by Bleeping Computer, in a clever phishing campaign, attackers managed to send emails that appeared to come directly from Google, passing all verification checks, including DKIM. The phishing emails were crafted using legitimate security alerts originally generated and DKIM-signed by Google, making them appear authentic even as they directed users to a fake Google support portal.
How the Scam Was Discovered
The attack was reported by Nick Johnson, lead developer of the Ethereum Name Service (ENS), after he received what looked like a routine security alert from Google. The message claimed a subpoena had been issued for the contents of his Google account, something obviously serious enough to demand immediate attention.
Everything about the email appeared authentic. It came from “[email protected]”, was grouped with other real security notifications, and passed DKIM authentication. For a less technical user, there would be no clear signs of fraud.
But Johnson noticed one small detail: the link led to a support portal hosted on sites.google.com, not accounts.google.com. The page was a perfect replica of the real thing, and the only indication it was fake was the domain.
How They Bypassed Google's Authentication
What made this phishing attempt especially dangerous wasn’t just the look of the fake portal; it was how the email reached the inbox in the first place. The attackers used a DKIM replay phishing technique, abusing how Google handles OAuth app notifications.
According to Johnson, the attackers first created a domain and registered a Google account using a deceptive address like me@domain. They then created a custom OAuth app and named it with the full phishing message, including enough whitespace to separate the real Google notification from the app’s name.
When Google generated a security alert for that OAuth app, it was signed with a valid DKIM key. The attacker simply forwarded that signed message to victims, making it appear as though it was genuinely sent by Google.
Because DKIM validates the signed headers and body of the message, not the SMTP envelope used to deliver it, the forwarded copy still passed authentication checks. And since Gmail interpreted the “me@” address as being addressed to the recipient, it looked even more convincing.
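As an added illustration of why a forwarded signature still verifies, and what a mail filter can look at instead, the following Python script (not from the article, Google or EasyDMARC) applies the signals described above to a constructed message; every address, domain and header value in it is made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not the real campaign's message): a Google-signed OAuth
# notification relayed by a third party, addressed to a "me@" mailbox, with a
# padded app name and a link to user-hosted content on sites.google.com.
SAMPLE = b"""Return-Path: <bounce@forwarder.example>
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: me@attacker-domain.example
Subject: Security alert
Content-Type: text/plain; charset=utf-8

An app named "Google Legal Support                                    " was granted access.
Review the case at https://sites.google.com/view/case-portal
"""

# Hosts where anyone can publish pages; account actions never belong there.
USER_HOSTED = ("sites.google.com",)

def domain_of(header_value) -> str:
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def replay_indicators(raw: bytes, actual_recipient: str) -> list[str]:
    """Heuristics for a forwarded, legitimately signed notification (not proof)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    m = re.search(r"\bd=([^;\s]+)", str(msg["DKIM-Signature"] or ""))
    sig_dom = m.group(1).lower() if m else ""
    # DKIM covers only the signed headers and body, so alignment passes even
    # though the SMTP envelope shows someone else relayed the message.
    if sig_dom == from_dom and envelope_dom and envelope_dom != from_dom:
        findings.append(f"DKIM aligned with {from_dom} but envelope sender is {envelope_dom}")
    to_addr = parseaddr(str(msg["To"] or ""))[1].lower()
    if to_addr.startswith("me@") or to_addr != actual_recipient.lower():
        findings.append(f"To header {to_addr} is not the delivered recipient")
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    if re.search(r"\S\s{20,}\S", body):
        findings.append("long whitespace run in body (padding around an app name)")
    for host in re.findall(r"https?://([^/\s]+)", body):
        if host.lower() in USER_HOSTED:
            findings.append(f"link to user-hosted content on {host}")
    return findings
```

Mailing lists and forwarding services also rewrite the envelope sender, so the first signal is a prompt for review rather than a verdict on its own.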
Google Responds, Working on Fixes
Johnson submitted a report to Google, which initially responded that the system was functioning as expected. However, after further review, the company acknowledged the risk and is now working on changes to prevent this type of abuse. Email authentication firm EasyDMARC also examined the case and confirmed the technique.
This isn’t the first time this tactic has been used. In a similar campaign earlier this year, attackers exploited PayPal’s systems to send DKIM-signed phishing emails by abusing the “gift address” feature. They injected phishing content into a secondary field, triggering a confirmation email from PayPal’s own servers that was then forwarded to victims. Like the Google campaign, the email passed verification and looked completely legitimate.
By exploiting legitimate infrastructure and authentication mechanisms, these attacks demonstrate just how difficult it’s becoming to tell real from fake. Even seasoned professionals can be caught off guard, and for everyone else, it’s an increasingly dangerous guessing game.
To better protect yourself and your organization, check out our article on how to minimize phishing attacks.