Hackers Exploit Google OAuth to Send Verified Phishing Emails


In a sophisticated phishing campaign abusing Google OAuth, hackers have found a way to send fraudulent emails that appear to come from Google itself. These messages pass standard email authentication checks such as DomainKeys Identified Mail (DKIM), which makes them highly convincing, even to tech-savvy users.

How the Phishing Attack Works

The attackers exploited a flaw in Google’s DKIM system, using Google’s own infrastructure to send emails that looked authentic. One such email appeared to come from no-reply@google.com, a trusted Google email address. The message passed all verification checks and was even grouped with other legitimate security alerts from Google, increasing the chances of users falling for the scam.

The email redirected users to a fake Google support portal, asking them to log in with their Google account credentials. Although the portal was hosted on sites.google.com, which is a legitimate Google-owned domain, it was not the official login site, accounts.google.com. This subtle difference was the only clue that the email was part of a phishing scam.

Real Case: Targeting an Ethereum Developer

The phishing attempt was discovered by Nick Johnson, a developer of the Ethereum Name Service (ENS). He received a fake security alert claiming there was a subpoena requesting access to his Google account data. The message was structured so well that even Google’s email system placed it with legitimate alerts in his inbox.

What raised Johnson’s suspicion was the URL of the support portal. Although it looked identical to the real one, it was hosted on sites.google.com, not the typical Google login page. “The only hint it’s a phish is that it’s hosted on sites.google.com instead of accounts.google.com,” Johnson noted.

DKIM Replay Attack: The Clever Trick

The attackers used a method called a DKIM replay phishing attack. Here’s how it worked:

  1. The attacker first created a new domain and a Gmail account with a name like me@domain.com. The “me” username tricks Gmail into displaying the message as if it’s addressed to the user.

  2. They then created a Google OAuth app with the phishing message embedded in its name. They padded the name with large amounts of whitespace so that the Google-generated text about the app's permissions was pushed out of view.

  3. Next, they granted their OAuth app access to the email address associated with the app. When this happens, Google automatically sends a security alert email, confirming that a new app has been granted access.

  4. Since the email was generated by Google, it was DKIM-signed and passed all security checks.

  5. The attacker then forwarded this legitimate-looking alert to victims, making it seem like Google itself sent the email.

Because a DKIM signature covers only the message body and the headers listed in the signature, not the SMTP envelope or the server that actually delivered the message, the forwarded alert still passed validation. To the recipient it appeared completely legitimate.
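As an added illustration (not from the original article, Google or EasyDMARC), the following Python models the five steps above and the point just made: a signature over the h= headers and body survives forwarding, and a receiving filter can still notice that the envelope recipient is not in the signed To header. HMAC stands in for the RSA key pair real DKIM uses so the example runs offline; the domains, mailbox names and alert text are constructed.

```python
import hashlib
import hmac
import re

# Constructed demo key; real DKIM uses an RSA key pair with the public half in DNS.
SIGNING_KEY = b"constructed-demo-key"
SIGNED_HEADERS = ["from", "to", "subject"]  # the h= list of the DKIM-Signature

def relaxed(value):
    """Relaxed canonicalization of a header value: collapse whitespace runs."""
    return re.sub(r"\s+", " ", value).strip()

def sign(headers, body, domain="google.com"):
    """Add a DKIM-Signature that covers only the h= headers and the body."""
    bh = hashlib.sha256(body.encode()).hexdigest()
    data = "".join(f"{h}:{relaxed(headers[h])}\r\n" for h in SIGNED_HEADERS) + bh
    b = hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()
    sig = f"v=1; d={domain}; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b={b}"
    return {**headers, "dkim-signature": sig}

def verify(headers, body):
    """Recompute bh= and b= from the h= headers; every other header is ignored."""
    tags = dict(t.strip().split("=", 1) for t in headers["dkim-signature"].split(";"))
    if hashlib.sha256(body.encode()).hexdigest() != tags["bh"]:
        return False
    signed = tags["h"].split(":")
    data = "".join(f"{h}:{relaxed(headers[h])}\r\n" for h in signed) + tags["bh"]
    expected = hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags["b"])

def recipient_in_signed_to(headers, envelope_rcpt):
    """Receiver-side replay check: the actual RCPT TO should be in the signed To."""
    return envelope_rcpt.lower() in headers["to"].lower()

# Constructed stand-in for the alert Google signs after an OAuth app is granted access.
ALERT_HEADERS = {
    "from": "no-reply@google.com",
    "to": "me@newdomain.example",  # the "me" mailbox from step 1 above
    "subject": "Security alert",
}
ALERT_BODY = "A new app was granted access to your Google Account ..."

def replay_scenario(victim="victim@example.org"):
    """Forwarding changes the envelope and adds a trace header, not the h= headers."""
    forwarded = {**sign(ALERT_HEADERS, ALERT_BODY), "received": "from relay.newdomain.example"}
    return {
        "dkim_passes_after_forward": verify(forwarded, ALERT_BODY),
        "envelope_rcpt_in_signed_to": recipient_in_signed_to(forwarded, victim),
    }
```

A filter that sees DKIM pass while the envelope recipient is absent from the signed To header is looking at exactly the forwarding pattern described above and can weight the message for review.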


Broader Abuse: PayPal Users Also Targeted

This technique isn’t limited to Google. In March, a similar phishing strategy targeted PayPal users. In that campaign, attackers used PayPal’s “gift address” feature to insert a phishing message in the confirmation email.

Here’s how it worked:

  • When adding a new email to a PayPal account, the attacker filled one field with their email and pasted the phishing content into another.

  • PayPal then sent a confirmation email to the attacker, which was automatically signed and sent from PayPal’s servers.

  • The attacker forwarded this email to a mailing list of potential victims, making it look like a real PayPal notification.

Just like in the Google case, the email passed DKIM checks, making it look authentic to spam filters and users alike.

Google’s Response and Ongoing Fix

Nick Johnson submitted a bug report to Google, detailing the issue. Initially, Google replied that the system was working as intended. However, after further review, Google acknowledged the risk and has begun working on a fix for the OAuth loophole that allows this abuse.

Meanwhile, email security company EasyDMARC published a detailed breakdown of the DKIM replay attack, offering technical insights into how the scheme works and how organizations can protect themselves.

What Users Should Know and Do

To avoid falling victim to similar phishing attacks, users should:

  • Always check the URL of any login page. Official Google logins will be under accounts.google.com.

  • Be cautious of emails that request urgent action or sensitive information, even if they appear to come from trusted sources.

  • Use multi-factor authentication (MFA) to add another layer of security to online accounts.

  • Pay attention to email headers and be suspicious of emails with mismatched display names and sender addresses.


Final Thoughts

This incident highlights how even major platforms like Google and PayPal can unintentionally become tools in the hands of cybercriminals. While Google is working on a solution, users and organizations must remain vigilant. Understanding the mechanics behind DKIM replay phishing can help improve detection and prevent credential theft.

By staying informed and cautious, users can better protect their data from even the most convincing scams.
