
Hackers have discovered a method to deceive users by sending emails that appear to originate directly from Google, yet in reality contain links to counterfeit websites designed for data theft. The crux of the attack lies in the message passing DKIM (DomainKeys Identified Mail) authentication, as though it had genuinely been dispatched from Google’s own infrastructure—making it particularly perilous for unsuspecting recipients.
Victims receive what seems to be an official notification from Google, often warning of a law enforcement data request. The message is sent from the address “no-reply@google.com” and bears all the familiar hallmarks of a legitimate alert: a valid DKIM signature, placement within an ongoing thread of genuine security messages, and design elements that flawlessly mimic the official format.
Developer Nick Johnson was among those targeted and was quick to detect something amiss. The sole detail that raised his suspicion was the address of the counterfeit “support portal”: instead of the expected accounts.google.com, the link pointed to sites.google.com, a free platform for hosting webpages. This allowed the attackers to host a convincing phishing clone of the real Google interface on Google’s own domain.
As it turned out, the attackers had exploited a technique known as DKIM replay. They created a Google account with an email formatted as “me@domain,” where the domain could be anything, as long as it appeared credible. Then, an OAuth application was registered under a name matching that of the phishing email. Within the message body, strategic spacing was inserted to separate the content from Google’s automatic system alerts, creating the illusion of a complete and finalized communication.
The attackers then granted the OAuth application access to their own account, prompting Google to automatically generate a security notification. Since the sender was legitimately Google’s own system, the DKIM signature validated the authenticity, and the email appeared entirely legitimate. The final step was to forward this message to the intended victim. Due to a manipulation involving the “me@” address format, Gmail displayed the message as though it had been sent directly to the recipient.
The fundamental vulnerability lies in the fact that DKIM validates only the contents and headers of an email, not the envelope—the metadata that governs the actual routing path. This oversight creates an exploitable gap, particularly when the email originates from a domain under the attacker’s control but is signed by a trusted service like Google.
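The two signals a mail filter can still act on after a replayed message has passed DKIM are exactly the ones the article points at: the SMTP envelope sender, which DKIM does not sign, and the destination of the links in the body, which is the one thing the attacker has to change. The script below is an added example written for this article, not code from Google, EasyDMARC or Nick Johnson; it assumes DKIM verification has already been performed upstream, and the sample messages, the `EXPECTED_LINK_HOSTS` allow-list and the domains `forwarder.example` / `replayed.example` are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Where a genuine Google account notice sends the user (constructed allow-list
# for this example; adapt it to the service you are protecting).
EXPECTED_LINK_HOSTS = {"accounts.google.com", "myaccount.google.com"}
# Hosting platforms on which any account holder can publish a page.
USER_CONTENT_HOSTS = {"sites.google.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(header_value):
    """Lowercase domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _dkim_signing_domain(msg):
    """The d= tag of the first DKIM-Signature header, or '' if there is none."""
    sig = msg.get("DKIM-Signature", "")
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
    return match.group(1).lower() if match else ""


def analyze(raw_message):
    """Flag the two things a valid DKIM signature does not vouch for.

    Returns a dict with the domains involved and a list of (kind, detail)
    findings. DKIM verification itself is assumed to have happened upstream.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    dkim_domain = _dkim_signing_domain(msg)
    findings = []

    # 1. DKIM signs headers and body, not the SMTP envelope. A replayed message
    #    keeps its valid signature while the envelope sender (Return-Path)
    #    becomes whoever re-sent it. Ordinary forwarding trips this too, so
    #    treat it as a risk signal, not a verdict.
    if return_path_domain and return_path_domain != from_domain:
        findings.append(("envelope-misaligned",
                         f"Return-Path domain {return_path_domain!r} differs "
                         f"from From domain {from_domain!r}"))

    # 2. Flag links that land on user-publishable hosting or anywhere outside
    #    the allow-list of hosts a real notice would use.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            findings.append(("link-user-content", url))
        elif host not in EXPECTED_LINK_HOSTS:
            findings.append(("link-unexpected-host", url))

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # In a replay this still equals the From domain, which is why DMARC passes.
        "dkim_domain": dkim_domain,
        "findings": findings,
    }


# Constructed sample: a replayed notice. The signature fields are placeholders;
# a real message would carry a valid signature over these same headers and body.
REPLAYED_SAMPLE = """\
Return-Path: <bounce@forwarder.example>
Authentication-Results: mx.example; dkim=pass header.d=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: me@replayed.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A law enforcement request for your account data has been received
Review the case at https://sites.google.com/view/case-00000
"""

# Constructed sample: what an aligned, first-hop notice looks like.
LEGITIMATE_SAMPLE = """\
Return-Path: <bounces@google.com>
Authentication-Results: mx.example; dkim=pass header.d=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: user@mx.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

Review recent activity at https://myaccount.google.com/security
"""

if __name__ == "__main__":
    for name, sample in (("replayed", REPLAYED_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, analyze(sample)["findings"])
```

The replayed sample yields an `envelope-misaligned` finding and a `link-user-content` finding while its DKIM signing domain still aligns with the From domain; the legitimate sample yields none. Neither check proves fraud on its own (mailing lists and forwarders misalign the envelope every day), but the combination of a trusted signing domain, a foreign envelope and a link to a user-publishable host is the shape of this campaign and is worth a quarantine or a warning banner.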
This same exploit mechanism had previously been employed in phishing campaigns targeting PayPal users. In March, a coordinated attack was recorded where hackers leveraged the ability to add a “gift address” within PayPal accounts. One field contained the email address, while the other carried the phishing message. PayPal would then dispatch a confirmation email to the specified address, which attackers repurposed into a mass mailing of deceptive alerts to prospective victims. Once again, the DKIM signature was genuine, as the message was transmitted directly from PayPal’s servers.
The company EasyDMARC has published a technical analysis of this vulnerability, detailing the step-by-step attack methodology. Although Google initially claimed its systems were functioning as intended, it has since acknowledged the potential risks and has begun efforts to address the OAuth-related loophole.