A new wave of highly convincing phishing emails impersonating Google has emerged, exploiting DKIM replay attacks and Google’s own infrastructure to bypass traditional email security measures. These scams have affected over 500,000 users globally, with losses exceeding $10 million, according to aggregated reports from ZDNet and Business Today. This article breaks down the technical mechanics, Google’s response timeline, and actionable mitigation strategies.
Executive Summary for Security Leaders
The attacks replay DKIM signatures captured from legitimate Google emails (e.g., Google’s own no-reply account-alert sender) to spoof authenticity, while phishing pages hosted on Google Sites inherit Google’s TLS certificate for credibility. Google patched the DKIM replay weakness in April 2025 after initially dismissing researcher reports, as noted by Business Today.
- Attack Vector: DKIM replay + Google Sites JavaScript abuse
- Impact: Credential theft, financial losses (₹2 “verification fee” scams in India)
- Google’s Patch: Disabled arbitrary scripts on Google Sites and deployed DKIM replay detection
Technical Breakdown of the Scam
The phishing campaign uses a multi-stage approach:
- Email Spoofing: Attackers replay messages that Google itself signed, forwarding them unchanged through their own relays. Because the DKIM signature covers the original headers and body, it still verifies wherever the mail is relayed from, which also means the lure text (fake legal threats or account alerts) must already be present in the message Google signed; any later edit would break the signature. EasyDMARC’s technical analysis confirms that the replayed message passes DKIM and therefore DMARC, whatever SPF says about the relay, since DMARC needs only one aligned pass.
- Hosting: Phishing pages are hosted at sites.google.com/view/[random-string], so they are served under Google’s own TLS certificate. PCMag reports that attackers embedded JavaScript for real-time credential harvesting.
- AI Escalation: Follow-up calls use AI voice cloning to impersonate Google support, increasing victim compliance (GB News).
Component | Vulnerability | Source |
---|---|---|
DKIM Signatures | Replayed signatures still verify, so DMARC passes for mail relayed from anywhere | EasyDMARC |
Google Sites | Arbitrary JavaScript embeds served from a google.com subdomain | PCMag |
Mitigation Strategies
For organizations relying on Google Workspace:
“Cross-check email headers via Gmail’s ‘Show original’ option for DKIM domain mismatches. Isolate suspicious links in browser sandboxes like Chrome’s Guest Mode.” — ZDNet
Google now steers users toward passkeys instead of SMS codes because SMS is exposed to SIM swapping. The chrome://settings/passkeys page only manages the passkeys stored on a given Chrome profile; to enforce the change across a Workspace tenant, administrators restrict the allowed 2-Step Verification methods in the Google Admin console.
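Added example, not code from the article or from any of the cited sources: a Python check that walks the headers Gmail’s ‘Show original’ displays and looks for the replay indicators described in the Technical Breakdown, which is also the header cross-check recommended above. A replayed signature verifies by design, so the useful signals are around it: alignment of the DKIM d= domain with From (why DMARC passes), the SPF verdict, the Return-Path domain, the host that delivered the message, the age of the signature relative to delivery, and which headers the signature actually covers. Both raw messages are constructed; the relay hostnames, IPs, selector, timestamps and the victim’s MX name are assumptions, and the signature values are omitted because the check reasons about metadata, not the RSA signature itself.

```python
"""Flag DKIM-replay indicators in a raw message (e.g. Gmail 'Show original' output).

Added example; the messages below are constructed and the hostnames, IPs and
timestamps are assumptions. Assumes the receiving MTA adds an Authentication-Results
header and that the topmost Received: header is the hop that delivered the mail."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime


def org_domain(host: str) -> str:
    """Crude organizational domain (last two labels). Real DMARC uses the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def dkim_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def replay_indicators(raw: str, signer_suffix: str = "google.com", max_delay_hours: float = 1) -> list:
    """Return short codes for each replay indicator found; [] means nothing suspicious."""
    msg = email.message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no_dkim"]
    tags = dkim_tags(sig)
    found = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if org_domain(tags.get("d", "")) == org_domain(from_dom):
        found.append("dkim_aligned")          # this is why DMARC passes on a replay
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    if spf and spf.group(1).lower() != "pass":
        found.append("spf_not_pass")          # delivering host not authorized for MAIL FROM
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    if rp_dom and org_domain(rp_dom) != org_domain(from_dom):
        found.append("return_path_mismatch")  # envelope sender rewritten by the relay
    received = msg.get_all("Received") or []
    if received:
        last_hop = " ".join(received[0].split())
        # prefer the receiver's reverse-DNS annotation in parentheses over the sender-chosen HELO name
        host = re.match(r"from\s+(\S+)(?:\s+\(([^\s\[\)]+))?", last_hop)
        if host:
            name = (host.group(2) or host.group(1)).rstrip(".")
            if not name.endswith(signer_suffix):
                found.append("foreign_last_hop")
        if "t" in tags and ";" in last_hop:
            delivered = parsedate_to_datetime(last_hop.rsplit(";", 1)[1].strip())
            if delivered.timestamp() - int(tags["t"]) > max_delay_hours * 3600:
                found.append("stale_signature")   # signed long before it reached us
    if "to" not in tags.get("h", "").lower().split(":"):
        found.append("unsigned_to")           # To: can be rewritten without breaking the signature
    if "l" in tags:
        found.append("body_length_limit")     # l= lets content be appended after the signed body
    return found


# Constructed replay: Google-signed alert relayed two weeks later via an attacker-controlled host.
SAMPLE_REPLAY = """\
Return-Path: <bounce@relay-attacker.example>
Received: from relay-attacker.example (relay-attacker.example. [203.0.113.7])
        by mx.victim.example with ESMTPS id abc123;
        Thu, 24 Apr 2025 14:05:10 +0000
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by relay-attacker.example with ESMTPS;
        Thu, 10 Apr 2025 09:12:41 +0000
Authentication-Results: mx.victim.example; dkim=pass header.d=google.com; spf=fail smtp.mailfrom=relay-attacker.example; dmarc=pass header.from=google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
        h=mime-version:date:message-id:subject:from; t=1744276361; bh=<omitted>; b=<omitted>
From: Google <no-reply@accounts.google.com>
To: victim@victim.example
Subject: Security alert
Date: Thu, 10 Apr 2025 09:12:41 +0000

A subpoena has been issued for your account. Review it at the link below.
"""

# Constructed legitimate alert: delivered directly by Google seconds after signing.
SAMPLE_LEGIT = """\
Return-Path: <3abc@accounts.bounces.google.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.victim.example with ESMTPS id q5;
        Thu, 10 Apr 2025 09:12:44 +0000
Authentication-Results: mx.victim.example; dkim=pass header.d=google.com; spf=pass smtp.mailfrom=accounts.bounces.google.com; dmarc=pass header.from=google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; h=to:from:subject:date; t=1744276361; bh=<omitted>; b=<omitted>
From: Google <no-reply@accounts.google.com>
To: user@victim.example
Subject: Security alert
Date: Thu, 10 Apr 2025 09:12:41 +0000

New sign-in from a recognized device.
"""

if __name__ == "__main__":
    print("replay:", replay_indicators(SAMPLE_REPLAY))
    print("legit: ", replay_indicators(SAMPLE_LEGIT))
```

On the replayed message the check reports the aligned signature together with the failing SPF, the foreign Return-Path and delivering host, a signature two weeks older than delivery, and a signature that does not cover To:; the legitimate alert reports only the alignment. None of these signals is conclusive on its own (mailing lists and forwarders produce some of them), which is why the signature age and the unsigned headers matter as much as the relay path.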
Relevance to Security Teams
Red teams can simulate these attacks by:
- Testing DKIM replay detection in email gateways
- Auditing Google Sites for unauthorized script embeds
Blue teams should monitor for:
- Unusual redirects to sites.google.com domains
- Reports of unsolicited “Google support” voice calls that coincide with credential or recovery-setting changes
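Added example, not from the article: a check over web-proxy log lines for the first monitoring bullet above. It flags Google Sites pages under /view/ whose slug looks machine-generated, and separately notes when the click came from a webmail referer, which is the path a phishing email produces. The log format (timestamp, user, URL, referer, space-separated) and the three lines are constructed, and the entropy threshold is a heuristic that needs tuning against the Google Sites traffic your own users legitimately generate.

```python
"""Flag likely credential-harvesting lures hosted on sites.google.com in proxy logs.

Added example; the log format and lines are constructed, the thresholds are
heuristics, and the webmail referer list is an assumption for this tenant."""
import math
from collections import Counter
from urllib.parse import urlsplit

WEBMAIL_REFERERS = ("mail.google.com", "outlook.office.com", "outlook.live.com")


def shannon_entropy(s: str) -> float:
    """Bits per character; 4.0 means 16 equally likely symbols."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(slug: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic for [random-string] slugs: long, high-entropy and mixing letters with digits."""
    return (len(slug) >= min_len and shannon_entropy(slug) >= min_entropy
            and any(ch.isdigit() for ch in slug))


def flag_google_sites_lure(line: str):
    """Return a finding dict for a suspicious Google Sites hit, else None."""
    _ts, user, url, referer = line.split()
    u = urlsplit(url)
    if u.hostname != "sites.google.com" or not u.path.startswith("/view/"):
        return None
    parts = u.path.split("/")
    slug = parts[2] if len(parts) > 2 else ""
    reasons = []
    if looks_random(slug):
        reasons.append("random_slug")
    if urlsplit(referer).hostname in WEBMAIL_REFERERS:
        reasons.append("clicked_from_webmail")   # arrived via an email link, not navigation
    return {"user": user, "url": url, "reasons": reasons} if reasons else None


def scan(lines) -> list:
    """Run the check over every log line and collect the findings."""
    return [f for f in map(flag_google_sites_lure, lines) if f]


# Constructed proxy log: one lure click, one intranet-linked handbook, one Docs visit.
PROXY_LOG = [
    "2025-04-24T14:07:02Z alice https://sites.google.com/view/a9q2zk7xw4mf3pl8 https://mail.google.com/mail/u/0/",
    "2025-04-24T14:08:15Z bob https://sites.google.com/view/team-handbook https://intranet.example/",
    "2025-04-24T14:09:00Z carol https://docs.google.com/document/d/xyz https://mail.google.com/",
]

if __name__ == "__main__":
    for finding in scan(PROXY_LOG):
        print(finding)
```

A random-looking slug by itself will also catch legitimately auto-named sites, so treat "random_slug" plus "clicked_from_webmail" as the alerting combination and the single reasons as enrichment; a first-seen check on the slug across the tenant is the natural next filter.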
Conclusion
This campaign highlights the risks of trusted platforms being weaponized. While Google’s patches address immediate threats, continuous monitoring of email headers and user education remain critical. Future exploits may target other SaaS providers with similar replay techniques.
References
- “New Google email scams are alarmingly convincing – how to spot them”. ZDNet. 2025.
- “Watch Out: Sophisticated Phishing Email from ‘Google’”. PCMag. 2025.
- “Warning for Gmail Users: Google’s Own Tools Used in Major Phishing Scam”. Business Today. 2025.
- “Gmail Users Targeted by Fake PayPal Emails in New Scam”. The Sun. 2025.
- “Google Spoofed via DKIM Replay Attack: A Technical Breakdown”. EasyDMARC. 2025.
- “Gmail Scam Alert: AI Calls Follow Fake ‘No-Reply’ Emails”. GB News. 2025.