
In a sophisticated phishing campaign, attackers exploited Google’s OAuth infrastructure and DKIM email authentication to send fraudulent emails appearing to originate from no-reply@accounts.google.com. These emails bypassed standard security checks, including SPF, DKIM, and DMARC, and directed victims to phishing pages hosted on Google Sites. The attack highlights a critical weakness in how email forwarding and OAuth app permissions can be abused to impersonate trusted entities.
Summary for Security Leaders
This attack leveraged a combination of DKIM replay and OAuth app abuse to create highly convincing phishing emails. Attackers forwarded legitimate Google security alerts—complete with valid DKIM signatures—to victims, making the emails appear authentic. The phishing pages, hosted on Google’s own infrastructure, further evaded detection by blending into trusted domains. Below is a concise overview of the key points:
- Attack Vector: DKIM replay via forwarded emails and OAuth app impersonation.
- Payload: Fake subpoena alerts or security warnings linking to credential-harvesting Google Sites pages.
- Impact: High success rate due to bypassing email filters and exploiting trust in Google domains.
- Mitigation: Verify URLs, monitor OAuth app permissions, and enforce strict DMARC policies.
Technical Breakdown of the Attack
The attackers began by creating Google OAuth apps with phishing messages embedded in the app name. When these apps triggered legitimate Google security alerts, the emails included valid DKIM signatures from Google’s servers. By forwarding these emails to victims, the attackers preserved the DKIM signatures, making the messages appear genuine. The From: address was spoofed as no-reply@accounts.google.com, while the mailed-by header revealed a non-Google domain (e.g., fwd-04-1.fwd.privateemail.com).
The phishing links led to pages hosted on sites.google.com, which mimicked Google’s support portals. Because the domain belonged to Google, security tools and users were less likely to flag it as malicious. This technique mirrors earlier attacks targeting PayPal, where gift address forwarding was used to bypass filters.
Relevance to Security Professionals
For defenders, this attack underscores the importance of scrutinizing email headers—even when DKIM and SPF checks pass. The mailed-by field can reveal discrepancies between the sender’s domain and the forwarding service. Additionally, monitoring OAuth app permissions is critical, as attackers increasingly abuse legitimate platforms to host phishing content.
Red teams can learn from this attack’s evasion techniques, particularly the use of trusted domains for hosting malicious payloads. Simulating similar campaigns in penetration tests can help organizations identify gaps in their email security and user awareness training.
Remediation and Best Practices
To mitigate such attacks, organizations should:
- Enforce DMARC policies with p=reject to block unauthorized email forwarding.
- Train users to inspect URLs for subtle discrepancies (e.g., accounts.google.com vs. sites.google.com).
- Audit OAuth apps for suspicious permissions or naming conventions.
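Two of the recommendations above made concrete, as an added Python example that is not code from the cited sources: a parser that evaluates a DMARC TXT record against a strict baseline (p=reject, pct=100, no weaker sp=, aggregate reporting configured), and a link check that compares the hostname exactly against an allowlist instead of testing whether "google.com" appears somewhere in the URL, which is what makes sites.google.com pass as accounts.google.com. The DMARC records and URLs are constructed inputs, and the allowlist of accounts.google.com is an assumption about where legitimate alerts link. Note that the forwarded alerts in this campaign passed DMARC, so a strict policy on your own domain limits spoofing of your domain; it does not, by itself, catch replayed third-party mail.

```python
"""DMARC policy strictness and exact-host link checks (added example)."""
from urllib.parse import urlsplit

# Constructed DMARC records, from loose to strict.
DMARC_RECORDS = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "strict": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.org",
}

# Assumption: the only host a genuine account alert should link to.
EXPECTED_HOSTS = frozenset({"accounts.google.com"})

# Constructed URLs with the verdict an exact-host check must give. Every one
# of them contains the substring "google.com".
LINK_CASES = {
    "https://accounts.google.com/signin": True,
    "https://sites.google.com/view/placeholder-case": False,
    "https://accounts.google.com.support-case.example/login": False,
    "https://accounts-google.com/login": False,
    "http://accounts.google.com/signin": False,
    "https://user@accounts.google.com@support-case.example/": False,
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_issues(record: str) -> list:
    """Return the ways a DMARC record falls short of a reject-everything policy."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"p={policy or 'missing'} (want reject)")
    # pct defaults to 100; anything lower leaves a share of spoofed mail unpoliced.
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} (want 100)")
    # sp governs subdomains and defaults to p, so only an explicit weaker value matters.
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy != "reject":
        issues.append(f"sp={sub_policy} (want reject)")
    if "rua" not in tags:
        issues.append("no rua= aggregate reporting address")
    return issues


def link_is_expected(url: str, allowed=EXPECTED_HOSTS) -> bool:
    """Exact hostname match over https only. urlsplit().hostname strips the
    port and any userinfo, so user@host@evil resolves to the real host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and host in allowed


def substring_check(url: str) -> bool:
    """The naive test the exact check replaces; accepts every case above."""
    return "google.com" in url


if __name__ == "__main__":
    for name, rec in DMARC_RECORDS.items():
        print(name, dmarc_issues(rec) or "ok")
    for url, expected in LINK_CASES.items():
        print(link_is_expected(url) == expected, substring_check(url), url)
```

Run it and the "strict" record reports no issues while "partial" reports four; every link case agrees with the exact check and the substring check accepts all six, including the sites.google.com page the article describes.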
Conclusion
This campaign demonstrates how attackers exploit trusted platforms to bypass security controls. While Google has since addressed some of these vulnerabilities, the incident serves as a reminder that even robust systems can be weaponized. Continuous monitoring, user education, and layered defenses are essential to counter such threats.
References
- “Phishers Abuse Google OAuth to Spoof Google in DKIM Replay Attack,” BleepingComputer.
- “Google Spoofed via DKIM Replay Attack: A Technical Breakdown,” EasyDMARC.
- “Google Spoofed via DKIM Replay Attack and OAuth Infrastructure Flaw Exploit,” TechNadu.
- “Phishers Abuse Google OAuth in DKIM Replay Attack,” GIGAZINE.