Google has warned Gmail users about a phishing campaign whose emails are genuinely signed by Google, so they pass Gmail's authentication checks and arrive without any warning, and whose aim is to steal account credentials. While Google works on rolling out additional protections, users are advised to treat even apparently authentic security alerts with caution. Until the fix lands, vigilance is the main defence against this scam.
The first thing to note is that this is a valid, signed email - it really was sent from [email protected]. It passes the DKIM signature check, and Gmail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts.
— nick.eth (@nicksdjohnson) April 16, 2025
The attack came to light when software developer Nick Johnson described it on X. He had received an email from "[email protected]" presenting itself as an official notice that a subpoena had been issued for his Google account data. The email linked to what looked like a Google support page but was in fact a phishing site hosted on sites.google.com, Google's own Google Sites service, which lets anyone publish pages under a google.com subdomain. Because the message was a genuine Google-signed notification, it passed Google's authentication checks, including DomainKeys Identified Mail (DKIM), and Gmail threaded it alongside real security alerts rather than flagging it.
Anyone who clicked the link landed on an exact copy of the Google sign-in page, also hosted under a google.com subdomain rather than on accounts.google.com, where Google's real sign-in page lives. Credentials entered there went straight to the attackers, giving them access to the victim's Gmail account and everything attached to it. A Google-signed email linking to a Google-hosted page leaves very little for a user to spot.
Clicking on "Upload additional documents" or "View case" takes you to a signin page - again an exact duplicate of the real thing; the only hint it's a phish is that it's hosted on https://t.co/tl3ktQkM5X instead of https://t.co/kCLNEQcBQK .
— nick.eth (@nicksdjohnson) April 16, 2025
Google has confirmed that the campaign abused its OAuth and DKIM mechanisms in a novel way that allowed the attackers' messages to pass its protections. The company is rolling out defences against this specific technique and expects them to be fully deployed soon. It has also urged users to enable two-factor authentication and to adopt passkeys, which cannot be harvested by a cloned sign-in page because they are bound to the genuine site's origin.
The incident shows how far attackers now lean on legitimate infrastructure: here both the email and the landing page came from Google's own domains. Until the fix is fully rolled out, Gmail users should not click links in unsolicited security alerts, even ones that pass Gmail's checks and sit in a thread with real alerts; instead, open a new tab, go to the Google account page directly and look for any genuine notification there. Enabling two-factor authentication and passkeys makes a stolen password alone insufficient for account takeover.
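The tell described above, a Google-signed alert that passes DKIM yet links to sites.google.com instead of accounts.google.com, can be turned into a mechanical triage check. The Python below is an added example, not code from the article or from Google: it reads the receiving server's DKIM verdict, extracts every link from the message body and classifies each link by exact host. The host allowlists, the two sample messages, their sender address and the URLs in them are all constructed for illustration.

```python
"""Triage a "security alert" email: a DKIM pass is not a safety signal, the
link targets are what matter. Added example; not code from the article or Google."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a real Google account notice may send you to. Assumed allowlist for
# this example, not a list published by Google.
TRUSTED_SIGNIN_HOSTS = {"accounts.google.com", "myaccount.google.com"}
# Google-owned hosts serving content anyone can upload. The article's phish used
# sites.google.com; the others are added here as the same class of host.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}


class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def dkim_passed(msg: Message) -> bool:
    """Receiving server's verdict. 'pass' only means the signed headers and body
    are intact; it says nothing about where the links point."""
    return any(re.search(r"\bdkim=pass\b", r)
               for r in msg.get_all("Authentication-Results", []))


def extract_links(msg: Message) -> list:
    """Pull URLs from every text/html (via the parser) and text/plain part."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True)
        if ctype not in ("text/html", "text/plain") or payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(text)
            links += collector.links
        else:
            links += re.findall(r"https?://[^\s<>\"']+", text)
    return links


def classify_link(url: str) -> str:
    """Exact-host matching on purpose: a loose endswith('google.com') check
    would wave sites.google.com through, which is the mistake the phish relies on."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_SIGNIN_HOSTS:
        return "trusted"
    if host in USER_CONTENT_HOSTS:
        return "user-content"
    if host == "google.com" or host.endswith(".google.com"):
        return "other-google"
    return "external"


def triage(raw: str) -> dict:
    """Flag the message if any link goes to a user-content or non-Google host.
    DKIM is reported but deliberately not used for the decision."""
    msg = message_from_string(raw)
    verdicts = {u: classify_link(u) for u in extract_links(msg)}
    suspicious = [u for u, v in verdicts.items() if v in ("user-content", "external")]
    return {"dkim_pass": dkim_passed(msg), "links": verdicts,
            "suspicious": suspicious, "flag": bool(suspicious)}


# Constructed sample modelled on the article's description; the sender address,
# case name and URLs are made up for this example.
PHISH_SAMPLE = """\
Authentication-Results: mx.google.com; dkim=pass header.i=@accounts.google.com
From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/html; charset=utf-8

<p>A subpoena has been issued for your Google Account data.</p>
<a href="https://sites.google.com/view/example-case/home">View case</a>
<a href="https://sites.google.com/view/example-case/upload">Upload additional documents</a>
"""

# Constructed benign alert: same sender and DKIM verdict, real account host.
LEGIT_SAMPLE = """\
Authentication-Results: mx.google.com; dkim=pass header.i=@accounts.google.com
From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/html; charset=utf-8

<p>New sign-in on Linux.</p>
<a href="https://myaccount.google.com/notifications">Check activity</a>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        r = triage(sample)
        print(f"{name}: dkim_pass={r['dkim_pass']} flag={r['flag']} {r['links']}")
```

Both samples report dkim_pass as True; only the link hosts separate them. The "other-google" bucket exists so that a link to an unexpected but Google-operated host is surfaced for review rather than silently trusted or silently flagged.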
Google Issues Urgent Warning: How To Spot The Latest Gmail Scam
