{"id":3452,"date":"2025-04-23T11:24:29","date_gmt":"2025-04-23T11:24:29","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3452"},"modified":"2025-05-26T11:27:35","modified_gmt":"2025-05-26T11:27:35","slug":"beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/","title":{"rendered":"Beware: New Phishing Attacks Exploit Google&#8217;s DKIM to Trick Gmail Users"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-about-the-incidence\">About the Incidence<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cybercriminals are using a new technique to run their phishing campaigns. This advanced phishing attack bypasses Gmail\u2019s security filters. The phishing email seems to be genuine because the form address in the email is \u201c<strong>no-reply@google.com<\/strong>\u201d and it\u2019s a valid signed email.<\/p>\n\n\n\n<p class=\"quote-section wp-block-paragraph\">The attack was discovered by \u201cNick Johnson\u201d, the lead developer of the Ethereum Name Service (ENS), and he posted a detailed analysis on his <a href=\"https:\/\/x.com\/nicksdjohnson\/status\/1912439023982834120\">X<\/a> account. The phishing mail passes the DKIM signature check and displays it without any warning.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The phishing email claims that your Gmail account is under review because of recent activity. It urges you to confirm your account by clicking a &#8220;<strong>Review Activity<\/strong>&#8221; button and uses urgency by warning that your account will be suspended within 24 hours if you don\u2019t respond.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"753\" height=\"584\" src=\"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-png.webp\" alt=\"Google Phishing Scam\" class=\"wp-image-3454\" srcset=\"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-png.webp 753w, https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-300x233.webp 300w\" sizes=\"(max-width: 753px) 100vw, 753px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center has-extra-small-font-size wp-block-paragraph\">Source: <a href=\"https:\/\/x.com\/nicksdjohnson\/status\/1912439027224944676\/photo\/1\">https:\/\/x.com\/nicksdjohnson\/status\/1912439027224944676\/photo\/1<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">During further investigation, it was found that when the user clicks on the phishing mail, it redirects them to the <strong>Google account login page<\/strong>. After logging in, or if you have already logged in, it sends you to another page that claims to be a <strong>\u201cGoogle support page\u201d<\/strong>. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But in reality, they are fake <strong>phishing pages<\/strong>; they are using the Google subdomain \u201c<strong>sites.google.com<\/strong>\u201d.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-exactly-is-sites-google-com\">What Exactly is sites.google.com?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The attacker uses a Google subdomain (\u201csites.google.com\u201d) for the attack. It is a free website-building platform provided by Google. It allows users to create simple, basic websites. It&#8217;s especially useful for creating personal websites, project portfolios, or team collaboration pages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">They use it to run their phishing campaign and host the phishing page. When a victim of the attack visits the site and is not aware of this Google subdomain, they think that it\u2019s legitimate because of the official Google subdomain and enter their login credentials.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Also Read:<\/strong> <a href=\"https:\/\/certera.com\/blog\/phishing-attacks-explained-how-to-spot-and-prevent-online-scams\/\">Phishing Attacks: How to Spot and Prevent Online Scams?<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The host content on this Google subdomain is totally free, you just need a Google account. The threat actors misuse it to run their phishing campaign because it gives them a Google-owned domain (to look genuine and <a href=\"https:\/\/certera.com\/blog\/what-is-social-engineering-techniques-examples-best-practices-preventions\/\">social engineering<\/a>) and Google SSL certificate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-understanding-the-attack-further\">Understanding the Attack Further<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now, the first question on your mind is how the attacker was able to bypass the DKIM signature filter. <a href=\"https:\/\/certera.com\/blog\/what-is-dkim-dmarc-and-spf-the-ultimate-guide-on-email-autentication-protocols\/\">DKIM<\/a> adds a digital signature to the headers of an email, allowing the recipient to verify that the email was sent by the domain it claims to come from and that its content wasn\u2019t altered in transit.<\/p>\n\n\n\n<p class=\"quote-section wp-block-paragraph\">The attacker uses a DKIM Replay Attack for this. In this attack, an attacker takes a legitimately signed DKIM email (e.g., a newsletter or promotional message) and re-sends it\u2014or &#8220;replays&#8221; it\u2014multiple times, possibly with slight changes to the recipients or headers, but without invalidating the DKIM signature.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because the only change is in the envelope-level &#8220;RCPT TO&#8221; (i.e., the actual destination email). DKIM doesn\u2019t sign that \u2014 it only signs <strong>what\u2019s<\/strong> <strong>inside the email<\/strong>. So, if the attacker takes a DKIM-signed message that was originally addressed to <strong>\u201cme@phishingalerts.net\u201d<\/strong>, and sends it to <strong>victim@gmail.com<\/strong>, that <strong>doesn\u2019t affect the signature<\/strong>, because. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong>\u201cTo:\u201d<\/strong> <strong>header<\/strong> (in the visible email body) still says me@phishingalerts.net. The DKIM signature remains valid. The envelope recipient has changed, but that\u2019s <strong>not part of the DKIM hash<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-so-what-s-happening-here\">So What\u2019s happening Here?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The attacker receives a legitimate email from Google (to their fake <a href=\"mailto:me@phishingalerts.net\">me@phishingalerts.net<\/a>). Then they make their own Google app. This triggers a security alert email from Google, sent to their inbox.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Also Read: <\/strong><a href=\"https:\/\/certera.com\/blog\/what-is-dmarc-fail-how-to-know-and-fix-dmarc-failure-error\/\">What is DMARC Fail? How to Know and Fix DMARC Failure?<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">They don\u2019t change the content or headers (so DKIM stays valid). They forward it as a raw message through their own SMTP server (Jellyfish). Since nothing is modified in the email body or headers that are signed by DKIM, the DKIM signature still validates correctly when the victim\u2019s inbox receives it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-why-does-it-not-show-forwarded-in-the-email\">Why does it NOT show \u201cForwarded\u201d in the email?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This is the smart part of the attack. Normally, when you click \u201cForward\u201d in Gmail or Outlook, it adds a \u201cFWD:\u201d tag and changes the email structure. But in this attack, the attacker doesn\u2019t use the normal &#8220;forward&#8221; button. They replay the raw email using their own SMTP server.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-this-attack-was-so-effective\">Why This Attack Was So Effective?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s be honest, most phishing emails are easy to spot. Misspelt words, weird sender addresses, weird links. But not this one. This one felt different. This one felt\u2026 official. <strong>The email was spoofed so cleverly, it seems to have actually come from Google\u2019s own servers.<\/strong> Even it tricked Gmail and gave it the green light \u2014 no alerts, no flags, nothing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And the phishing site? It wasn\u2019t hiding behind some random .xyz domain. It was hosted on sites.google.com \u2014 a legit Google subdomain. That makes it more difficult to detect this attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Phishing attacks aren\u2019t what they used to be. They\u2019re no longer riddled with typos or coming from sketchy email addresses. Today\u2019s attackers are leveling up\u2014using trusted platforms like Google\u2019s own domains and clever techniques like <strong>DKIM replay to sneak <\/strong>past even Gmail\u2019s security filters.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s scary, right? But here\u2019s the deal: if something feels off, don\u2019t click. Don\u2019t trust. And don\u2019t enter your login info without thinking twice. Use a sandbox environment if you need to test it safely.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>And yes, a lot of people ask\u2014\u201cBut what about 2FA? Doesn\u2019t that protect me?\u201d<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/certera.com\/blog\/what-is-multi-factor-authentication-difference-between-2fa-mfa\/\">2FA<\/a> is great. It adds a strong extra layer. But it\u2019s not bulletproof. Tools like Evilginx can still bypass it if you fall for a well-crafted phishing trap.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Also Read:<\/strong> <a href=\"https:\/\/certera.com\/blog\/rockstar-2fa-a-growing-threat-in-phishing-as-a-service\/\">Rockstar 2FA: A Growing Threat in Phishing-as-a-Service<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>About the Incidence Cybercriminals are using a new technique to run their phishing campaigns. This advanced phishing attack bypasses Gmail\u2019s security filters. The phishing email seems to be genuine because the form address in the email is \u201cno-reply@google.com\u201d and it\u2019s a valid signed email. The attack was discovered by \u201cNick Johnson\u201d, the lead developer of<span class=\"morelink d-block mt-3\"><a href=\"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/\">Read More<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":3456,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31],"tags":[665,664,666],"class_list":["post-3452","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-attack","tag-gmail-scam","tag-google-dkim-replay-attack","tag-google-phishing-attack","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Google Spoofed Via DKIM Replay Attack: Don&#039;t Open This Email<\/title>\n<meta name=\"description\" content=\"Google Domains Abused: DKIM Replay Attack Delivers Phishing Emails. Know How Attackers Used DKIM Replay and Google Sites to Fool Gmail Users.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Google Spoofed Via DKIM Replay Attack: Don&#039;t Open This Email\" \/>\n<meta property=\"og:description\" content=\"Google Domains Abused: DKIM Replay Attack Delivers Phishing Emails. Know How Attackers Used DKIM Replay and Google Sites to Fool Gmail Users.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/\" \/>\n<meta property=\"og:site_name\" content=\"EncryptedFence by Certera - Web &amp; Cyber Security Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/certeraLLC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-23T11:24:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-26T11:27:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/gmail-dkim-replay-attack.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"620\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Janki Mehta\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:site\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Janki Mehta\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/\"},\"author\":{\"name\":\"Janki Mehta\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\"},\"headline\":\"Beware: New Phishing Attacks Exploit Google&#8217;s DKIM to Trick Gmail Users\",\"datePublished\":\"2025-04-23T11:24:29+00:00\",\"dateModified\":\"2025-05-26T11:27:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/\"},\"wordCount\":979,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/gmail-dkim-replay-attack.webp\",\"keywords\":[\"Gmail Scam\",\"Google DKIM Replay Attack\",\"Google Phishing Attack\"],\"articleSection\":[\"Cyber Attack\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/\",\"name\":\"Google Spoofed Via DKIM Replay Attack: Don't Open This Email\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/gmail-dkim-replay-attack.webp\",\"datePublished\":\"2025-04-23T11:24:29+00:00\",\"dateModified\":\"2025-05-26T11:27:35+00:00\",\"description\":\"Google Domains Abused: DKIM Replay Attack Delivers Phishing Emails. Know How Attackers Used DKIM Replay and Google Sites to Fool Gmail Users.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/#primaryimage\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/gmail-dkim-replay-attack.webp\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/gmail-dkim-replay-attack.webp\",\"width\":960,\"height\":620,\"caption\":\"Gmail DKIM Replay Attack\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/certera.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Beware: New Phishing Attacks Exploit Google&#8217;s DKIM to Trick Gmail Users\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"name\":\"EncryptedFence by Certera - Web & Cyber Security Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"alternateName\":\"Certera's EncryptedFence Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/certera.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\",\"name\":\"Certera\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"caption\":\"Certera\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/certeraLLC\\\/\",\"https:\\\/\\\/x.com\\\/certera_llc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/certera-llc\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\",\"name\":\"Janki Mehta\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"caption\":\"Janki Mehta\"},\"description\":\"Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web\\\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.\",\"sameAs\":[\"https:\\\/\\\/certerassl.com\\\/\"],\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/author\\\/certerabguser\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Google Spoofed Via DKIM Replay Attack: Don't Open This Email","description":"Google Domains Abused: DKIM Replay Attack Delivers Phishing Emails. Know How Attackers Used DKIM Replay and Google Sites to Fool Gmail Users.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/","og_locale":"en_US","og_type":"article","og_title":"Google Spoofed Via DKIM Replay Attack: Don't Open This Email","og_description":"Google Domains Abused: DKIM Replay Attack Delivers Phishing Emails. Know How Attackers Used DKIM Replay and Google Sites to Fool Gmail Users.","og_url":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/","og_site_name":"EncryptedFence by Certera - Web &amp; Cyber Security Blog","article_publisher":"https:\/\/www.facebook.com\/certeraLLC\/","article_published_time":"2025-04-23T11:24:29+00:00","article_modified_time":"2025-05-26T11:27:35+00:00","og_image":[{"width":960,"height":620,"url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/gmail-dkim-replay-attack.webp","type":"image\/jpeg"}],"author":"Janki Mehta","twitter_card":"summary_large_image","twitter_creator":"@certera_llc","twitter_site":"@certera_llc","twitter_misc":{"Written by":"Janki Mehta","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/#article","isPartOf":{"@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/"},"author":{"name":"Janki Mehta","@id":"https:\/\/certera.com\/blog\/#\/schema\/person\/e5a476aa90d9e02260ebfe4b0bf046b7"},"headline":"Beware: New Phishing Attacks Exploit Google&#8217;s DKIM to Trick Gmail Users","datePublished":"2025-04-23T11:24:29+00:00","dateModified":"2025-05-26T11:27:35+00:00","mainEntityOfPage":{"@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/"},"wordCount":979,"commentCount":0,"publisher":{"@id":"https:\/\/certera.com\/blog\/#organization"},"image":{"@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/#primaryimage"},"thumbnailUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/gmail-dkim-replay-attack.webp","keywords":["Gmail Scam","Google DKIM Replay Attack","Google Phishing Attack"],"articleSection":["Cyber Attack"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/#respond"]}],"copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/certera.com\/blog\/#organization"}},{"@type":"WebPage","@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/","url":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/","name":"Google Spoofed Via DKIM Replay Attack: Don't Open This Email","isPartOf":{"@id":"https:\/\/certera.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/#primaryimage"},"image":{"@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/#primaryimage"},"thumbnailUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/gmail-dkim-replay-attack.webp","datePublished":"2025-04-23T11:24:29+00:00","dateModified":"2025-05-26T11:27:35+00:00","description":"Google Domains Abused: DKIM Replay Attack Delivers Phishing Emails. Know How Attackers Used DKIM Replay and Google Sites to Fool Gmail Users.","breadcrumb":{"@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/#primaryimage","url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/gmail-dkim-replay-attack.webp","contentUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/04\/gmail-dkim-replay-attack.webp","width":960,"height":620,"caption":"Gmail DKIM Replay Attack"},{"@type":"BreadcrumbList","@id":"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/certera.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Beware: New Phishing Attacks Exploit Google&#8217;s DKIM to Trick Gmail Users"}]},{"@type":"WebSite","@id":"https:\/\/certera.com\/blog\/#website","url":"https:\/\/certera.com\/blog\/","name":"EncryptedFence by Certera - Web & Cyber Security Blog","description":"","publisher":{"@id":"https:\/\/certera.com\/blog\/#organization"},"alternateName":"Certera's EncryptedFence Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/certera.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/certera.com\/blog\/#organization","name":"Certera","url":"https:\/\/certera.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certera.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2023\/08\/logo-encryptedfence.svg","contentUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2023\/08\/logo-encryptedfence.svg","caption":"Certera"},"image":{"@id":"https:\/\/certera.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/certeraLLC\/","https:\/\/x.com\/certera_llc","https:\/\/www.linkedin.com\/company\/certera-llc\/"]},{"@type":"Person","@id":"https:\/\/certera.com\/blog\/#\/schema\/person\/e5a476aa90d9e02260ebfe4b0bf046b7","name":"Janki Mehta","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","caption":"Janki Mehta"},"description":"Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.","sameAs":["https:\/\/certerassl.com\/"],"url":"https:\/\/certera.com\/blog\/author\/certerabguser\/"}]}},"_links":{"self":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/comments?post=3452"}],"version-history":[{"count":5,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3452\/revisions"}],"predecessor-version":[{"id":3613,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3452\/revisions\/3613"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media\/3456"}],"wp:attachment":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media?parent=3452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/categories?post=3452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/tags?post=3452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}