A new phishing campaign is exploiting a loophole in Google’s email authentication system, allowing attackers to send DKIM-signed emails that appear to come from legitimate Google addresses. These messages pass all standard authentication checks—including SPF, DKIM, and DMARC—and are delivered to Gmail inboxes without warning, often grouped with real Google security alerts.
The campaign was first flagged by Nick Johnson, lead developer of the Ethereum Name Service (ENS), who received one of these spoofed messages claiming that law enforcement had issued a subpoena for his Google account data.
Google Sites Used to Host Phishing Pages
The phishing message contains a link to a page hosted on sites.google.com, a legacy web hosting platform that still supports arbitrary script embeds. The linked page mimics Google’s support portal and includes options such as “upload documents” or “view case,” which redirect victims to a fraudulent Google login page designed to steal credentials.
“Sites.google.com is a legacy platform that still allows user-generated content with embedded scripts,” Johnson explained. “That makes it an easy vector for hosting lookalike phishing pages on a trusted domain.”
DKIM Replay Attack Enables Email Spoofing
The core technique used in this campaign is a DKIM replay attack. The attackers first register a new domain and create a Google account in the form of me@domain.com. Then, they craft a Google OAuth application and assign the entire phishing message as its name.
When that OAuth app is granted access to the email account, Google automatically sends a security alert to the inbox of me@domain.com. Since this alert is generated by Google, it carries a valid DKIM signature and passes all authentication checks.
The attacker then forwards this message to their victims, using mail relays that preserve the DKIM headers—making the email appear legitimate even under scrutiny. Because Gmail treats me@ as shorthand for the recipient’s address, the phishing email appears even more convincing.
Mail Routing Obscures Origin
EasyDMARC and Johnson both confirmed that attackers use infrastructure like Jellyfish SMTP and Namecheap’s PrivateEmail service to relay the phishing messages while preserving their authentication headers. This allows attackers to mask the true origin and still pass security checks.
“The success of the attack relies on the fact that Gmail prioritizes message headers and DKIM-signed content for trust—not the original envelope sender,” said EasyDMARC CEO Gerasim Hovhannisyan.
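The replay described in the two sections above leaves traces a mail filter can look for even though SPF, DKIM and DMARC all pass: the envelope sender (Return-Path) belongs to the relay rather than to the DKIM signer, the To: header names a me@ mailbox that is not the recipient's own, the Received chain shows a hop through a third-party relay, and the body links to sites.google.com. The following triage function is an added example written for this page; it is not code from the article, Google or EasyDMARC. It assumes the receiving MTA has already verified the signature cryptographically and recorded its verdict in an Authentication-Results header, so the code only reads that verdict. The function name `triage`, the hostnames, addresses and both sample messages are constructed.

```python
"""Triage of DKIM-replay indicators (added example; not the article's code).
Cryptographic DKIM verification is assumed done by the MTA and recorded in
Authentication-Results; this code only reads that verdict. All hostnames,
addresses and messages below are constructed samples."""
import email
import re
from email import policy
from email.utils import parseaddr

SITES_GOOGLE_RE = re.compile(r"https?://sites\.google\.com/", re.I)


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _dkim_signing_domain(msg):
    """The d= tag of the first DKIM-Signature header, or '' if absent."""
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return match.group(1).lower() if match else ""


def _dkim_passed(msg):
    """True when the MTA recorded dkim=pass in any Authentication-Results header."""
    return any(re.search(r"\bdkim=pass\b", r, re.I)
               for r in msg.get_all("Authentication-Results", []))


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message, recipient, own_domains):
    """Return the list of replay indicators found in one RFC 5322 message.

    recipient   -- the mailbox that actually received the message
    own_domains -- domains of the recipient's own mail infrastructure; hops
                   through these are expected and not flagged
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    signer = _dkim_signing_domain(msg)
    if not (signer and _dkim_passed(msg)):
        return []  # not the pattern this triage targets
    reasons = []
    # 1. Envelope sender from a domain other than the DKIM signer.
    envelope = _domain(msg.get("Return-Path"))
    if envelope and not _in_domains(envelope, [signer]):
        reasons.append(f"envelope sender {envelope} is not the DKIM signer {signer}")
    # 2. To: header pointing at a 'me@' mailbox that is not ours.
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if to_addr.startswith("me@") and to_addr != recipient.lower():
        reasons.append(f"To: header {to_addr} is a 'me@' mailbox, not the recipient")
    # 3. Relay hops through hosts outside the signer's and our own infrastructure.
    for hop in msg.get_all("Received", []):
        match = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", hop)
        if match and not _in_domains(match.group(1).lower(), [signer, *own_domains]):
            reasons.append(f"relay hop via {match.group(1).lower()} outside signer and recipient infrastructure")
    # 4. Body links to the legacy Google Sites platform hosting the lookalike page.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and SITES_GOOGLE_RE.search(body.get_content()):
        reasons.append("body links to sites.google.com")
    return reasons


# Constructed sample: a Google-signed alert replayed through a third-party relay.
# Signature tags are placeholders; the MTA's verdict sits in Authentication-Results.
REPLAYED_ALERT = """\
Return-Path: <bounce@relay-provider.example>
Received: from relay-provider.example (relay-provider.example [203.0.113.5]) by mx.victim.example with ESMTPS; Tue, 22 Apr 2025 10:00:00 +0000
Authentication-Results: mx.victim.example; dkim=pass header.d=google.com; spf=pass smtp.mailfrom=relay-provider.example
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: me@attacker-registered.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

Your account data has been requested by law enforcement. View the case at
https://sites.google.com/view/constructed-placeholder
"""

# Constructed sample: a genuine alert delivered directly to the recipient.
GENUINE_ALERT = """\
Return-Path: <bounce@google.com>
Received: from mail.google.com (mail.google.com [198.51.100.7]) by mx.victim.example with ESMTPS; Tue, 22 Apr 2025 10:00:00 +0000
Authentication-Results: mx.victim.example; dkim=pass header.d=google.com; spf=pass smtp.mailfrom=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: alice@victim.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A new application was granted access to your Google account.
"""
```

Run `triage(REPLAYED_ALERT, "alice@victim.example", ["victim.example"])` and all four indicators are reported, while the genuine alert yields none. None of the four checks is conclusive on its own (forwarding rules also change the envelope sender, and legitimate mail traverses third-party hosts), which is why the function returns the list of reasons for a human or a scoring rule rather than a verdict.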
Google Responds to the Abuse
In a statement to The Hacker News, Google acknowledged the campaign and confirmed that it has rolled out fixes to block this avenue of abuse.
“We’re aware of this class of targeted attack and have deployed protections to shut down this pathway,” a Google spokesperson said. “We encourage all users to enable two-factor authentication or passkeys to further secure their accounts.”
Google also reiterated that it does not ask for account passwords or verification codes by email.
Rise in SVG-Based Phishing Campaigns
The DKIM replay scam arrives amid a broader rise in phishing attacks using SVG file attachments. These files contain embedded JavaScript that redirects users to spoofed login pages—commonly imitating Microsoft or Google services.
Kaspersky reported that more than 4,100 phishing emails using malicious SVG attachments have been observed in 2025 alone, highlighting a growing trend in highly targeted phishing methods.
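An SVG attachment can only redirect the viewer if it carries active content, so a mail gateway can screen for that directly. The scanner below is an added example written for this page, not code from Kaspersky or the article: it pulls SVG parts out of a message (matched by MIME type or .svg extension) and flags `<script>` elements, `on*` event-handler attributes and `javascript:` URLs. The function names and both SVG documents are constructed; the sample message is built in code so the example runs offline.

```python
"""Scan SVG e-mail attachments for active content (added example; not the
article's or Kaspersky's code). Both SVG documents and the message are
constructed samples."""
import email
import re
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage

JS_SCHEME = re.compile(r"^\s*javascript:", re.I)


def scan_svg(svg_bytes):
    """Return findings describing active content in one SVG document."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc}); treat as suspicious"]
    findings = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()      # strip the XML namespace
        if local == "script":
            findings.append("<script> element present")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()     # also catches xlink:href
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{local}>")
            elif attr == "href" and JS_SCHEME.match(value):
                findings.append(f"javascript: URL in href on <{local}>")
    return findings


def svg_attachments(raw_message):
    """Yield (filename, bytes) for each attachment that is SVG by type or extension."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg"):
            yield name, part.get_payload(decode=True)


def scan_message(raw_message):
    """Map each SVG attachment's filename to its findings."""
    return {name: scan_svg(data) for name, data in svg_attachments(raw_message)}


# Constructed sample: the shape of a redirecting SVG (script body left empty).
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* constructed */">
  <script>/* redirect logic omitted in this sample */</script>
  <a xlink:href="javascript:void(0)"><text x="10" y="20">Open document</text></a>
</svg>"""

# Constructed sample: a plain drawing with no active content.
STATIC_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'


def build_sample_message():
    """Build a constructed message carrying ACTIVE_SVG as an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@constructed.example"
    msg["To"] = "alice@victim.example"
    msg["Subject"] = "Document"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(ACTIVE_SVG, maintype="image", subtype="svg+xml",
                       filename="document.svg")
    return msg.as_string()
```

`scan_message(build_sample_message())` returns the three findings for document.svg; a static drawing returns an empty list, and a document the XML parser rejects is reported as suspicious rather than silently passed, since a malformed file is exactly what a browser's lenient renderer might still execute.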
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
