Hackers have exploited a ‘vulnerability’ to conduct a phishing campaign that made it appear that the phishing email had been sent by Google from the no-reply[@]accounts.google.com address. The email was signed by Google and passed the DomainKeys Identified Mail (DKIM) authentication check, suggesting the email had been sent from a genuine Google account and was authentic, although the email had been sent from a different, non-Google address.
The campaign was identified by developer Nick Johnson, who received an email seemingly sent from no-reply[@]accounts.google.com with the subject Security Alert. The email claimed that Google LLC had been subpoenaed to obtain a copy of the contents of his Google account and that a support case had been opened and transferred to Legal Investigations Support. A support reference number was included along with a link to a Google Sites website, encouraging him to click the link to examine the case materials and “submit a protest,” if necessary, via the option on the support website.
The lure used in this phishing attempt is similar to many other phishing campaigns that threaten legal action or warn about police investigations, although what makes the attempt stand out is how the phisher managed to make the email appear to have been sent by Google and pass the DKIM authentication check, resulting in the email being delivered to his inbox.
While the subject matter was potentially serious, and the email had seemingly been sent by Google, there was a red flag that suggested a phishing attempt. As was noticed by Johnson, the link in the email did direct him to an official Google site, but it was sites.google.com, a free web-building platform provided by Google for users to create and host free web pages for personal purposes. No official email from Google would direct a user to that platform, and certainly not any message about a subpoena requiring the disclosure of the contents of their Google email account. The link directed Johnson to a fake support portal – a carbon copy of the official support portal, which had been scraped from the official site. The aim of the phish appears to have been to trick Johnson into logging in and disclosing his login credentials, allowing his Google account to be hijacked.
An analysis of the phishing attempt revealed that Google had been tricked into signing the email, allowing the message to bypass spam filtering services because it passed both the DKIM and DMARC authentication checks. Closer inspection of the message header revealed that the mailed-by address differed from the From address and that the message had been sent in what is known as a DKIM replay attack.
The message was actually sent to a me@ address at a domain that appeared to be managed by Google. According to Johnson, the attackers registered a domain and created a Google account for me[@]domain.com, then created a Google OAuth app and used the entire phishing message as the app’s name. They granted the app access to that email address in Google Workspace, which caused Google to send a security alert to the me[@]domain.com account. The email was then forwarded to Johnson, and since it had been generated and signed by Google, it passed the DKIM check because the parts of the message that DKIM covers had not been altered.
The vulnerability that was exploited is the fact that DKIM signs the message body and selected headers, not the envelope, so the forwarded email passed validation because it still carried a valid signature. Since the exact email was extracted and saved without any modification to what DKIM had signed, the validation checks were passed. Further, because the email had been addressed to a me@ address, the recipient’s mail client displays it as though it had been delivered directly to the victim’s own address. Google explained in response to a query that it is aware of the phishing attempt and has rolled out protections to prevent further abuse.
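As an added illustration (not from the article or from Google): a simplified DKIM-style signer and verifier in Python that shows why a copy forwarded through a different relay still verifies, and the alignment checks a receiving side can run on top of signature validation. HMAC stands in for DKIM’s real RSA/Ed25519 signature, and the message, hosts and addresses are all constructed.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message

# Constructed sample: the genuine alert as delivered to the attacker-controlled me@ mailbox.
ORIGINAL = """\
Received: from mail-sor.accounts.google.com by mx.attacker-example.test; Mon, 21 Apr 2025 10:00:01 +0000
From: Google <no-reply@accounts.google.com>
To: me@attacker-example.test
Subject: Security Alert
Date: Mon, 21 Apr 2025 10:00:00 +0000

A Google OAuth app was granted access to your account.
"""

SIGNED_HEADERS = ("from", "to", "subject", "date")  # the DKIM h= list; Received is never signed
KEY = b"stand-in-signing-key"  # stand-in: real DKIM uses the signer's RSA/Ed25519 private key

def dkim_like_sign(msg: Message) -> str:
    """Sign only the listed headers (whitespace-normalised) plus a body hash, as DKIM does."""
    body_hash = hashlib.sha256(msg.get_payload().encode()).hexdigest()
    data = "\n".join(f"{h}:{' '.join(msg[h].split())}" for h in SIGNED_HEADERS) + "\n" + body_hash
    return hmac.new(KEY, data.encode(), "sha256").hexdigest()

def dkim_like_verify(msg: Message, signature: str) -> bool:
    return hmac.compare_digest(dkim_like_sign(msg), signature)

def forward_unchanged(raw: str, new_hop: str) -> str:
    """A relay prepends a Received header; the signed headers and body stay byte-identical."""
    return f"Received: {new_hop}\n" + raw

def replay_indicators(msg: Message, envelope_rcpt: str) -> list:
    """Defender-side checks that signature validation alone does not perform (simplified)."""
    flags = []
    if envelope_rcpt.lower() not in msg["to"].lower():
        flags.append("envelope recipient not in signed To header")
    from_domain = msg["from"].split("@")[-1].rstrip(">").lower()
    newest_hop = (msg.get_all("received") or [""])[0]  # the host that handed the mail to us
    if from_domain not in newest_hop.lower():
        flags.append("last relay is not the From domain")
    return flags

def demo() -> dict:
    original = message_from_string(ORIGINAL)
    sig = dkim_like_sign(original)
    replayed = message_from_string(forward_unchanged(
        ORIGINAL, "from mx.attacker-example.test by mx.victim.example; Mon, 21 Apr 2025 11:00:00 +0000"))
    return {"original_verifies": dkim_like_verify(original, sig),
            "original_flags": replay_indicators(original, "me@attacker-example.test"),
            "replay_verifies": dkim_like_verify(replayed, sig),
            "replay_flags": replay_indicators(replayed, "victim@victim.example")}
```

The forwarded copy verifies exactly as the original does; only the envelope recipient and the Received chain, which DKIM does not cover, reveal the mismatch.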
The phishing attempt demonstrates the importance of stopping and thinking before clicking on any link in an email, no matter how serious the potential threat. It could easily have led to a compromised Google account had Johnson not paused to consider the request. Others may not have been as fortunate. While this was the first time that Google is known to have been affected by a DKIM replay attack, it is a known phishing technique and one that can be highly effective.
Security awareness training should make it clear that all emails can potentially contain a threat, even if the sender appears to be legitimate. Phishing lures related to legal threats, police investigations, and subpoenas should be included in the training as these are likely to create the fear that leads to a rapid click, and employees should be told to inspect the message headers to see the sender’s address and told to report any potential threat or suspicious email to their security team. They should also be provided with an easy one-click method of doing so in their email client.
Businesses should also ensure they have advanced anti-spam software with email sandboxing and URL filtering, and have multifactor authentication set up for all email accounts, with phishing-resistant multifactor authentication implemented when possible for the greatest protection.