Sophisticated Gmail Phishing Campaign Exploits Google Infrastructure, Puts Users at Risk

[Image: Gmail interface with phishing alert]

A new phishing campaign is leveraging Google’s own systems to dispatch ultra‑convincing scam emails from genuine “[email protected]” addresses. Security experts warn this technique could ensnare millions of Gmail users before filters catch on.

Google first acknowledged the flaw in mid‑April after multiple reports surfaced of fraudulent messages masquerading as subpoena notices. The attack’s sophistication lies in its exploitation of Google’s OAuth framework and DomainKeys Identified Mail (DKIM) — allowing malicious emails to pass authentication checks that normally mark spoofed mail as spam.

Why It Matters:
With over 2 billion active Gmail accounts, a successful breach of trust in Google’s email infrastructure represents one of the largest‑scale phishing threats in recent memory. The campaign illustrates how attackers are escalating beyond basic spoofing to weaponize trusted platforms.

In the most prevalent variant, recipients receive an email seemingly from Google saying their account is under legal scrutiny, complete with a fake court case number and a link to review documents. Clicking the link takes victims to a counterfeit login page hosted on Google Sites, where credentials and two‑factor tokens can be harvested. According to a 9to5Mac security alert, the attackers created a malicious OAuth app that signs outgoing mail with Google’s own DKIM signature, bypassing spam filters altogether.

Several early victims described the email as indistinguishable from genuine Google correspondence. “It even used the correct Google logo and footer,” one cybersecurity researcher told Forbes, underscoring how the scam’s professional polish left users with little reason to doubt its veracity.

How the Scam Evades Defenses

To execute the scheme, attackers register an app through Google’s OAuth developer console. They configure it to send messages from a “[email protected]” address and to request only minimal permissions — just enough to harvest the user’s email and basic profile data. Once a user consents (often without reading the fine print), the app gains tokenized access to send mail on their behalf.

Next, the phishers make use of DKIM authentication, which cryptographically signs outbound mail with Google’s private key. Because the signature verifies against the public key Google publishes in DNS, anti‑spoofing checks pass and the message lands in the inbox rather than the spam folder.

Worst of all, the landing page URL begins with a legitimate “sites.google.com” domain. Victims who hover over the link see “google.com” and rarely suspect the page’s true intent. Once credentials are entered, attackers can log in to the real Gmail account and install malware, exfiltrate data, or pivot to other internal systems.

Google’s Mitigation Efforts

By late April, Google deployed patches to tighten OAuth app verification and began phasing in stricter enforcement of its DMARC policy. A company spokesperson told Newsweek that the loophole “no longer allows unauthorized apps to spoof Google’s no‑reply address” and that “users who have not yet been targeted are automatically protected.”

Google also issued a blog post advising all Gmail users to:

  • Enable Two‑Factor Authentication (2FA). Accounts using SMS or auth‑app codes are significantly harder to hijack.

  • Use Passkeys. Passkeys replace passwords entirely and are immune to credential‑phishing.

  • Review Connected Apps. In Gmail’s security settings, users should revoke any unfamiliar OAuth apps.

Despite these measures, experts warn that variations of the scam could emerge. “We’ve seen threat actors pivot to invite‑based sharing links and even abuse Google Forms,” said the lead analyst at a major security firm.

Broader Implications for Email Security

This incident highlights a troubling trend: attackers are moving from simple display‑name spoofing into deeper technical manipulations of trust frameworks. Last year’s surge in AI‑generated phishing made generic scams easier to craft; now, criminals are weaponizing legitimate developer tools against users.

Organizations must therefore rethink perimeter defenses. Briskfeeds recently published a report on corporate email security that recommends advanced solutions, such as:

  • OAuth Anomaly Detection. Flagging apps that request minimal yet suspicious permissions.

  • Zero‑Trust Email Gateways. Inspecting inbound mail even if it passes DKIM/DMARC.

  • User Education Campaigns. Simulated phishing drills to train employees on spotting unconventional threats.
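As an added example (not code from the article, from Google, or from the Briskfeeds report), this is the kind of post-authentication inspection a gateway could run on the pattern described in the evasion section above: a message that passes DKIM for the provider's own domain, carries a legal-pressure lure, and links to user-hosted content such as sites.google.com. The Authentication-Results line, sender address and body are constructed; the page shows the real sender address only in obfuscated form.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real capture): DKIM passes for the provider domain,
# the sender is the provider's no-reply address (address constructed), the lure
# is a legal notice, and the link lands on user-hosted content under sites.google.com.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=google.com; dmarc=pass
From: Google <no-reply@google.com>
To: user@example.net
Subject: Notice of legal process
Content-Type: text/plain

Your account is subject to a subpoena. Review the documents here:
https://sites.google.com/view/legal-notice-00000
"""

# Hosts where any account holder can publish content under the provider's domain;
# a link there carries none of the trust the DKIM signature implies (assumed list).
USER_HOSTED = {"sites.google.com", "docs.google.com", "forms.gle"}
LURE_WORDS = ("subpoena", "legal", "court", "suspended")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def parse_dkim(auth_results):
    """Pull the DKIM verdict and signing domain (header.d=) out of Authentication-Results."""
    m = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", auth_results or "")
    return (m.group(1), m.group(2)) if m else (None, None)

def analyse(raw):
    """Inspect a message after authentication: flag provider-signed mail that
    combines a pressure lure with links to user-hosted pages. Returns findings."""
    msg = message_from_string(raw)
    verdict, signer = parse_dkim(msg.get("Authentication-Results"))
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    user_hosted = sorted(h for h in hosts if h in USER_HOSTED)
    lures = [w for w in LURE_WORDS if w in text]
    # A DKIM pass only proves who signed the mail, not that its content is safe.
    authenticated_as_provider = verdict == "pass" and signer == sender_domain
    return {
        "dkim": verdict, "signer": signer, "sender_domain": sender_domain,
        "user_hosted_links": user_hosted, "lures": lures,
        "suspicious": authenticated_as_provider and bool(user_hosted) and bool(lures),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The same message with its link pointing at the provider's own sign-in host instead of user-hosted content is not flagged, which is the distinction a filter relying on DKIM/DMARC alone cannot make.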

What Users Should Do Now

Even with Google’s patch, vigilance remains crucial:

  1. Verify Unusual Requests. If an email demands urgent action—like reviewing subpoena documents—contact Google support directly rather than clicking links.

  2. Check the App Permissions Page. Navigate to Gmail’s Settings → Security → Third‑Party Apps to revoke dubious entries.

  3. Keep Software Updated. Ensure your browser and OS have the latest security fixes to block drive‑by downloads.

  4. Report Phishing Attempts. Use Gmail’s “Report phishing” feature to help improve Google’s filters.

Conclusion

As phishing tactics evolve, the line between legitimate and malicious email continues to blur. This latest campaign underscores the need for layered defenses, from technical controls to user awareness. For a deeper dive into enterprise‑grade email protections, see our Briskfeeds report on corporate email security. Stay informed—your inbox depends on it.

Liam Chen is a cybersecurity analyst with a background in information security and risk management. He has worked with various organizations to enhance their cyber defense strategies. At BriskFeeds, Liam reports on cyber threats, data protection, and the intersection of technology and security policies.


China Accuses U.S. of Cyberattacks During Asian Winter Games

[Image: China claims U.S. cyberattacks on 2025 Asian Winter Games]
China has accused the United States of orchestrating sophisticated cyberattacks during the Asian Winter Games held in Harbin in February 2025, escalating tensions between the two nations. On April 15, 2025, the Harbin city public security bureau released a statement naming three alleged U.S. operatives linked to the National Security Agency (NSA), claiming they targeted critical infrastructure and aimed to disrupt the event.

The allegations come amid a deepening trade war and ongoing mutual accusations of cyber espionage between the U.S. and China. As the world’s two largest economies continue to clash over technology and security, this incident highlights the growing role of cyber warfare in international relations.

According to the Harbin police, the cyberattacks targeted systems managing the Asian Winter Games, including registration, competition entry, and travel logistics, which stored sensitive personal data of participants. The attacks reportedly peaked during the first ice hockey game on February 3, 2025, with the intent to cause social disorder and steal confidential information. Chinese authorities also claim the NSA targeted critical infrastructure in Heilongjiang province, such as energy, transportation, and telecommunications, as well as the Chinese tech giant Huawei.

The Harbin police identified the alleged operatives as Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, accusing them of working through the NSA to carry out the attacks. China’s Foreign Ministry spokesperson, Lin Jian, stated that the cyberattacks caused significant harm to national defense, finance, and personal information security, describing the actions as “extremely malicious.” Chinese officials further alleged that the NSA used advanced techniques, such as purchasing IP addresses in various countries and renting servers in Europe and Asia, to conceal its activities. They also claimed the NSA activated pre-installed backdoors in Microsoft Windows systems to transmit encrypted data packets within Heilongjiang province.

The U.S. has not officially responded to the allegations, with the U.S. Embassy in Beijing declining immediate comment. However, this is not the first time the two nations have accused each other of cyber misconduct. Last month, the U.S. Justice Department announced efforts to disrupt malicious cyber activities by 12 Chinese nationals, including two law enforcement officers, as reported by AP News. In March, the U.S. and UK accused Beijing of a cyberespionage campaign targeting government officials and critics, further straining relations. China, in turn, denies involvement in overseas cyber espionage and has called on the U.S. to stop what it describes as “unwarranted smears.”

The timing of the alleged attacks raises questions about their motivation. Some speculate that the U.S. may have targeted the Asian Winter Games to exploit a period when China might have relaxed its strict internet controls to accommodate international visitors. Others suggest the attacks were part of a broader strategy to undermine China’s technological advancements, particularly given the targeting of Huawei, which has faced U.S. sanctions since 2019 due to national security concerns. The South China Morning Post also noted that the Harbin police accused two U.S. universities, the University of California and Virginia Tech, of involvement, though no specific evidence was provided.

China has announced a reward for information leading to the capture of the three alleged operatives and stated it will take necessary measures to protect its cybersecurity. This incident underscores the escalating cyber conflict between the U.S. and China, with both sides accusing each other of malicious activities while offering little concrete evidence. As geopolitical tensions continue to rise, the role of cyber warfare in international disputes is likely to grow, posing challenges for global security and cooperation. What do you think about these allegations? Share your thoughts in the comments, and stay updated on global news at briskfeeds.com.
