Hackers Send Phishing Emails via [email protected]
A new campaign delivers phishing emails that arrive in Gmail inboxes from [email protected], Google's own sender address, carrying a valid DKIM signature, so they pass the sender-authentication checks that mail filters lean on. The attack chains two pieces: abuse of Google's OAuth app registration to plant attacker-written text inside a genuine Google security alert, and a DKIM replay that forwards that signed alert, unmodified, to victims.
🎯 How the Attack Works
1. Baiting via OAuth
The attacker creates a Google Workspace account and registers an OAuth app in it. The phishing text itself (the fake legal notice, the instructions, the reference to a "support" page) is entered as the app's name, because that field is reproduced verbatim in the alert Google sends later.
2. Google Triggers the Email
The attacker then grants that app access to their own account. Google reacts as designed: it sends a genuine security alert warning that a new app has been given account access, and the alert quotes the app name, so the attacker's phishing text now sits in the body of a real Google email. Because the alert is addressed to the attacker's own inbox, the attacker ends up holding a Google-signed message that contains their lure.
3. Authenticated and Undetectable
Google signs the alert with DKIM, which proves the signed headers and body came from Google unaltered. DKIM covers only the headers named in the signature and the body, not the path the message travels, so the attacker can re-send (replay) the untouched message to any number of victims through their own mail server and the signature still verifies. A receiving filter sees a DKIM-valid message from [email protected] and treats it like any other Google security alert; checks that key on sender authentication do not stop it.
4. Fake Support Pages on Google Sites
The lure directs victims to a page hosted on sites.google.com that mimics an official Google support or sign-in page. Credentials entered there go straight to the attacker.
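The four steps above can be walked through in code. The block below is an added example, not code from this article, from Nick Johnson's report, or from Google: a miniature model of the DKIM replay step and of the signals a receiving filter still has once DKIM has passed. Real DKIM signs with RSA or Ed25519; here an HMAC with a shared key stands in for the signing domain's private key so the script runs offline, and the header and body canonicalization follow RFC 6376 "relaxed" mode closely enough to show the point that matters: only the headers listed in `h=` plus the body are signed, so an unmodified message can be re-injected to new recipients and still verify, while any edit to a signed header or the body breaks it. All addresses, domains (`google.example`, `attacker-workspace.example`), the alert wording and the `sites.google.com` path are constructed for the example.

```python
"""Miniature model of the DKIM replay step (added example, not the article's or
Google's code).  Real DKIM signs with RSA/Ed25519; an HMAC with a shared key
stands in for the signing domain's private key so this runs offline.  The
relaxed canonicalization follows RFC 6376 closely enough to show what matters:
only the h= headers and the body are signed.  All names are constructed."""
import base64, hashlib, hmac, re

SIGNED_HEADERS = ["from", "to", "subject", "date"]      # the h= list
KEY = b"stand-in-for-the-signing-domain-private-key"    # assumption: HMAC, not RSA

def canon_header(name, value):
    """RFC 6376 relaxed header canonicalization: lowercase name, fold WSP."""
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value.strip())

def canon_body(body):
    """Relaxed body canonicalization: fold WSP, drop trailing blank lines."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ") for l in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def _signed_data(headers, sig_value_with_empty_b):
    """Bytes the signature covers: the h= headers, then the signature header."""
    parts = []
    for name in SIGNED_HEADERS:
        value = next((v for n, v in headers if n.lower() == name), "")
        parts.append(canon_header(name, value) + "\r\n")
    parts.append(canon_header("dkim-signature", sig_value_with_empty_b))
    return "".join(parts).encode()

def sign(headers, body, domain="google.example"):
    """Prepend a DKIM-Signature, as the sending domain's outbound MTA would."""
    bh = base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()
    tag = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s=demo; "
           f"h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    mac = hmac.new(KEY, _signed_data(headers, tag), hashlib.sha256).digest()
    return [("DKIM-Signature", tag + base64.b64encode(mac).decode())] + headers

def verify(headers, body):
    """What the receiving MX does: recompute bh= and the signature over h=."""
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    bh = base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()
    if tags.get("bh") != bh:
        return False
    sig_no_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig)   # b= is empty when signed
    expected = hmac.new(KEY, _signed_data(headers, sig_no_b), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(tags.get("b", "")), expected)

# Constructed sample: the lure sits in the OAuth app name, which the real
# security alert quotes in its body, so the signer signs the lure itself.
APP_NAME = ("Google Legal Support: a subpoena requires you to review your "
            "account at https://sites.google.com/view/constructed-example")
ALERT_BODY = (f"{APP_NAME}\n\nwas granted access to your Google Account.\n"
              "If you did not grant this access, review your account activity.\n")
GOOGLE_ALERT = sign([
    ("From", "Google <no-reply@google.example>"),   # stand-in for Google's sender
    ("To", "me@attacker-workspace.example"),        # attacker's own account
    ("Subject", "Security alert"),
    ("Date", "Mon, 21 Apr 2025 10:00:00 +0000"),
], ALERT_BODY)

def replay(signed_headers, attacker_hop):
    """Attacker re-injects the unchanged message through their own MTA.
    Received: is not in h=, so the extra hop does not disturb the signature."""
    return [("Received", attacker_hop)] + signed_headers

RELAYED = replay(GOOGLE_ALERT, "from mail.attacker.example by mx.victim.example")

def replay_indicators(headers, body, envelope_mailfrom, envelope_rcpt):
    """Signals a receiving filter still has after DKIM has passed."""
    hits = []
    sig_idx = next(i for i, (n, _) in enumerate(headers) if n.lower() == "dkim-signature")
    for n, v in headers[:sig_idx]:                   # hops above the signature are unsigned
        m = re.match(r"from\s+(\S+)", v)             # assumption: hostname taken at face
        if n.lower() == "received" and m and not m.group(1).endswith(".google.example"):
            hits.append("unsigned post-signing hop from " + m.group(1))  # real MTAs use SPF on the IP
    from_dom = re.search(r"@([\w.-]+)", dict((n.lower(), v) for n, v in headers)["from"]).group(1)
    if envelope_mailfrom.split("@")[1] != from_dom:  # SPF domain differs from From: domain
        hits.append("SPF not aligned with From:, DMARC pass rests on DKIM alone")
    to = next((v for n, v in headers if n.lower() == "to"), "")
    if envelope_rcpt.lower() not in to.lower():      # delivered to someone the signed To: never named
        hits.append(f"envelope recipient {envelope_rcpt} absent from signed To: {to}")
    if re.search(r"https?://sites\.google\.com/", body):
        hits.append("alert body links to user-published content on sites.google.com")
    return hits

def demo():
    """Original verifies, replay verifies, an edited copy does not; indicators remain."""
    tampered = [(n, "Security alert: action required" if n == "Subject" else v) for n, v in RELAYED]
    return {
        "original_verifies": verify(GOOGLE_ALERT, ALERT_BODY),
        "replay_verifies": verify(RELAYED, ALERT_BODY),
        "tampered_verifies": verify(tampered, ALERT_BODY),
        "indicators": replay_indicators(RELAYED, ALERT_BODY,
                                        "bounce@attacker-relay.example", "victim@victim.example"),
    }
```

`demo()` returns `True` for both the original alert and the replayed copy and `False` for the copy whose Subject was edited, which is the whole point: DKIM is an integrity and origin check, not a proof that the mail was sent to you by the signer. The four indicators it reports (an unsigned hop from a non-Google host, an SPF domain that does not align with the From: header, an envelope recipient the signed To: never named, and a link to user-published content) are the kind of signals a filter or an analyst can still use once "DKIM pass" has been taken off the table as evidence.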
⚠️ Why It’s So Dangerous
- Trusted Source: The message really was generated and sent by Google's infrastructure ([email protected]); nothing in it is forged.
- Properly Authenticated: It carries a valid DKIM signature from Google's domain, the signal filters and DMARC use to accept a message as genuine, and replaying it does not break that signature.
- Hosted on Google's Own Platforms: The phishing page sits on sites.google.com, a host anyone can publish to, so the trusted domain name lends the page false legitimacy.
- Difficult to Detect: Even tech-savvy users can be caught, because the format, the sender and the URLs all match what a real Google alert looks like.
🛡️ Google’s Response
Google initially dismissed the report as "working as intended". After Nick Johnson, who received the phishing email himself, publicized the attack, the company acknowledged the abuse and confirmed that mitigations to close this abuse vector were being rolled out.
🔐 How to Stay Safe
✅ Enable Two-Factor Authentication (2FA): Prefer passkeys, which are bound to the real site's origin and so cannot be replayed on a look-alike page; an authenticator app still helps, but a one-time code can be phished along with the password.
✅ Review Third-Party Access: Navigate to Google Account → Security → Third-party apps and remove any app you do not recognize.
✅ Scrutinize Email Links: Hover over links to preview them before clicking, and remember that a sites.google.com address proves nothing about who published the page. When in doubt, go to your account settings manually rather than through the link.
✅ Be Wary of Urgency: Threatening language such as "Account compromised" or a legal deadline is a classic phishing pressure tactic.
✅ Report Phishing: Use Gmail's "Report phishing" option so Google can act on the message.
🔍 Final Thoughts
This campaign is a masterclass in exploiting trust: every signal users and filters rely on, the sender address, the signature, the hosting domain, is genuinely Google's, and only the content is the attacker's. As phishing emails from [email protected] continue to circulate, it is more important than ever to judge a message by what it asks you to do, not by who appears to have sent it.