Beware: New Phishing Attacks Exploit Google’s DKIM to Trick Gmail Users

About the Incident
Cybercriminals are using a new technique to run their phishing campaigns. This advanced phishing attack bypasses Gmail’s security filters. The phishing email looks genuine because the From address in the email is “[email protected]” and the message carries a valid DKIM signature.
The attack was discovered by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), who posted a detailed analysis on his X account. The phishing mail passes the DKIM signature check, and Gmail displays it without any warning.
The phishing email claims that your Gmail account is under review because of recent activity. It urges you to confirm your account by clicking a “Review Activity” button and uses urgency by warning that your account will be suspended within 24 hours if you don’t respond.

Source: https://x.com/nicksdjohnson/status/1912439027224944676/photo/1
Further investigation found that clicking the link in the phishing mail redirects the user to a Google account login page. After logging in, or if you are already logged in, it sends you to another page that claims to be a “Google support page”.
In reality, both are fake phishing pages, hosted on the Google subdomain “sites.google.com”.
What Exactly is sites.google.com?
The attacker uses a Google subdomain (“sites.google.com”) for the attack. It is a free website-building platform provided by Google. It allows users to create simple, basic websites. It’s especially useful for creating personal websites, project portfolios, or team collaboration pages.
The attackers use it to host the phishing page and run their campaign. A victim who does not know that anyone can publish on this subdomain sees the official Google domain, assumes the page is legitimate, and enters their login credentials.
Hosting content on this Google subdomain is free; you only need a Google account. Threat actors misuse it because it gives them a Google-owned domain (which lends credibility and aids social engineering) and a Google-issued SSL certificate.
Understanding the Attack Further
The first question on your mind is probably how the attacker was able to pass the DKIM check. DKIM adds a digital signature to the headers of an email, allowing the recipient to verify that the email was sent by the domain it claims to come from and that its signed content wasn’t altered in transit.
The attacker uses a DKIM replay attack for this. In this attack, an attacker takes a legitimately signed DKIM email (e.g., a newsletter or promotional message) and re-sends it—or “replays” it—multiple times, possibly to different recipients or with changes to headers that DKIM does not sign, without invalidating the DKIM signature.
This works because the only change is at the envelope level, in the SMTP “RCPT TO” (the actual destination mailbox). DKIM doesn’t sign the envelope; it only signs what’s inside the email. So if the attacker takes a DKIM-signed message originally addressed to “[email protected]” and sends it to [email protected], the signature is unaffected: the visible “To:” header inside the message still says [email protected], the DKIM signature remains valid, and the envelope recipient has changed, but that is not part of the DKIM hash.
So What’s Happening Here?
The attacker registers a Google account for their own [email protected] address and then creates their own Google app. This triggers a security alert email from Google, DKIM-signed by Google and delivered to the attacker’s inbox.
They don’t change the content or the signed headers (so DKIM stays valid). They forward it as a raw message through their own SMTP server (Jellyfish). Since nothing DKIM-signed in the body or headers is modified, the DKIM signature still validates correctly when the victim’s inbox receives it.
Why does it NOT show “Forwarded” in the email?
This is the smart part of the attack. Normally, when you click “Forward” in Gmail or Outlook, it adds a “FWD:” tag and changes the email structure. But in this attack, the attacker doesn’t use the normal “forward” button. They replay the raw email using their own SMTP server.
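The coverage gap described above (DKIM signs listed headers and the body, but not the SMTP envelope or hops added in transit), as an added example that is not part of the original article: a stripped-down DKIM model in Python that uses HMAC as a stand-in for the RSA signature, constructed addresses and key, and shows the receiver-side check a mail filter can run, flagging a passing signature whose To:/Cc: headers do not contain the envelope recipient.

```python
import email
import hashlib
import hmac
from email.utils import getaddresses

# Headers listed in the DKIM-Signature h= tag (a typical subset). Received:,
# Delivered-To: and the SMTP envelope are not covered, so they may change freely.
SIGNED_HEADERS = ("from", "to", "subject", "date", "message-id")
# Constructed key: an HMAC stand-in for the domain's private RSA key, used only
# so this runs offline with the standard library.
DOMAIN_KEY = b"constructed-demo-key"

def dkim_input(raw: str) -> bytes:
    """Bytes the signature covers: listed headers plus a body hash (simplified
    relaxed canonicalization: collapse header whitespace, trim body newlines)."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True) or b""
    body_hash = hashlib.sha256(body.rstrip(b"\r\n") + b"\r\n").hexdigest()
    lines = [f"{h}:{' '.join(msg.get(h, '').split())}" for h in SIGNED_HEADERS]
    return ("\r\n".join(lines) + "\r\nbh=" + body_hash).encode()

def sign(raw: str) -> str:
    return hmac.new(DOMAIN_KEY, dkim_input(raw), hashlib.sha256).hexdigest()

def verify(raw: str, signature: str) -> bool:
    return hmac.compare_digest(sign(raw), signature)

def replay_indicator(raw: str, signature: str, rcpt_to: str) -> dict:
    """Receiver-side check: a valid signature says nothing about who the message
    was delivered to. A pass whose To:/Cc: lack the envelope recipient is
    consistent with a replay (Bcc and list mail also trip this: a signal, not a verdict)."""
    msg = email.message_from_string(raw)
    hdr_rcpts = {a.lower() for _, a in getaddresses(
        msg.get_all("to", []) + msg.get_all("cc", []))}
    passed = verify(raw, signature)
    in_hdrs = rcpt_to.lower() in hdr_rcpts
    return {"dkim_pass": passed, "rcpt_in_headers": in_hdrs,
            "suspect_replay": passed and not in_hdrs}

# Constructed sample: an alert addressed to the attacker-controlled inbox.
ORIGINAL = (
    "From: Alerts <no-reply@example.com>\n"
    "To: me@example.net\n"
    "Subject: Security alert\n"
    "Date: Mon, 21 Apr 2025 10:00:00 +0000\n"
    "Message-ID: <demo-1@example.com>\n"
    "\n"
    "Your account is under review. Click Review Activity within 24 hours.\n"
)
ORIGINAL_SIG = sign(ORIGINAL)
```

Prepending a relay's own Received: header leaves the signature valid, while editing any signed header or the body breaks it.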
Why Was This Attack So Effective?
Let’s be honest, most phishing emails are easy to spot: misspelt words, weird sender addresses, weird links. But not this one. This one felt different. This one felt… official. The email was crafted so cleverly that it appeared to come from Google’s own servers. It even tricked Gmail, which gave it the green light — no alerts, no flags, nothing.
And the phishing site? It wasn’t hiding behind some random .xyz domain. It was hosted on sites.google.com — a legitimate Google subdomain. That makes the attack much harder to spot.
Conclusion
Phishing attacks aren’t what they used to be. They’re no longer riddled with typos or coming from sketchy email addresses. Today’s attackers are leveling up—using trusted platforms like Google’s own domains and clever techniques like DKIM replay to sneak past even Gmail’s security filters.
That’s scary, right? But here’s the deal: if something feels off, don’t click. Don’t trust. And definitely don’t enter your login info without thinking twice. Use a sandbox environment if you need to test it safely.
And yes, a lot of people ask—“But what about 2FA? Doesn’t that protect me?”
2FA is great. It adds a strong extra layer. But it’s not bulletproof. Tools like Evilginx can still bypass it if you fall for a well-crafted phishing trap.