SecurityWeek

Email Security

Legacy Google Service Abused in Phishing Attacks

A sophisticated phishing campaign abuses weakness in Google Sites to spoof Google no-reply addresses and bypass protections.


Threat actors are abusing a weakness in Google Sites to deliver sophisticated phishing emails that bypass email authentication checks.

As part of the campaign, recipients receive email messages that appear to come from a legitimate Google no-reply address, and which redirect them to Google Sites pages that mimic official Google pages.

Two attacks flagged by Ethereum Foundation developer Nick Johnson and EasyDMARC CEO Gerasim Hovhannisyan show that the attackers are abusing vulnerabilities in Google Sites, a legacy service that allows anyone to build custom websites hosted on the sites.google.com domain.

Because the site is hosted under a trusted Google-owned domain, it benefits from the internet giant’s SSL certificates and brand reputation, allowing the attackers to embed deceptive content that passes validation checks and user trust, Hovhannisyan notes.

To mount an attack, the threat actor registers a website and creates an account for it; they then forward a legitimate email received from Google, without modifying the content or the headers covered by its DKIM signature, so that the forwarded copy still passes authentication checks.

The attack targeting Johnson used an account for me@[attacker domain] and a Google OAuth application that had the entire phishing message as its name, and forwarded a security alert message sent to their ‘me@…’ email address.

“Because DKIM only verifies the message and its headers and not the envelope, the message passes signature validation and shows up as a legitimate message in the user’s inbox – even in the same thread as legit security alerts,” Johnson explains.

Furthermore, because the account was named ‘me@’, Gmail displayed the message as being sent to ‘me’, exactly as it would when a message is sent to the recipient’s own address.
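As an added illustration (not code from the article, from Johnson, or from Google), the following Python models why a DKIM signature survives forwarding and what a receiving side can still check. Real DKIM is replaced by an HMAC stand-in so the script runs offline; every address, domain and key in it is constructed.

```python
import hashlib, hmac

# Simplified stand-in for DKIM: an HMAC over selected headers and the body. Real DKIM signs
# with an RSA/Ed25519 key published in DNS, but what is and is not covered is the same.
SIGNING_KEY = b"constructed-demo-key"   # constructed; plays the role of the sender's private key
SIGNED_HEADERS = ("from", "to", "subject", "date")

def _canonical(headers, body):
    # Relaxed-style canonicalisation: lowercase header names, collapsed whitespace.
    parts = [f"{n}:{' '.join(headers.get(n, '').split())}" for n in SIGNED_HEADERS]
    return ("\r\n".join(parts) + "\r\n" + " ".join(body.split())).encode()

def sign(headers, body):
    return hmac.new(SIGNING_KEY, _canonical(headers, body), hashlib.sha256).hexdigest()

def verify(headers, body, signature):
    return hmac.compare_digest(sign(headers, body), signature)

def relay(message, mail_from, rcpt_to, hop):
    """A forwarding hop swaps the SMTP envelope and prepends a Received header; the signed
    headers and body are untouched, so the signature still verifies at the new recipient."""
    fwd = {"headers": dict(message["headers"]), "body": message["body"],
           "signature": message["signature"],
           "envelope": {"mail_from": mail_from, "rcpt_to": rcpt_to}}
    fwd["headers"]["received"] = f"from {hop}; " + message["headers"].get("received", "")
    return fwd

def replay_indicators(message):
    """Envelope-vs-header consistency checks a receiving MTA or SOC rule can apply on top
    of a passing DKIM result; DKIM itself never looks at the envelope."""
    h, env = message["headers"], message["envelope"]
    found = []
    if env["rcpt_to"].lower() != h["to"].lower():
        found.append("envelope recipient differs from To header")
    if env["mail_from"].split("@")[-1].lower() != h["from"].split("@")[-1].lower():
        found.append("envelope sender domain differs from From domain")
    return found

# Constructed sample: a genuine-looking alert delivered to the attacker's own mailbox.
ORIGINAL = {
    "headers": {"from": "no-reply@google.example", "to": "me@attacker.example",
                "subject": "Security alert", "date": "Mon, 21 Apr 2025 10:00:00 +0000"},
    "body": "A new sign-in was detected. Review the activity in your account settings.",
    "envelope": {"mail_from": "no-reply@google.example", "rcpt_to": "me@attacker.example"},
}
ORIGINAL["signature"] = sign(ORIGINAL["headers"], ORIGINAL["body"])

# The same message forwarded on to a victim: signature intact, envelope now inconsistent.
REPLAYED = relay(ORIGINAL, "bounce@attacker.example", "victim@example.net", "smtp.attacker.example")
```

The signature verifies identically on both copies; only the envelope comparison separates the replay from the original delivery.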

Google was notified of the OAuth security defect abused in these attacks and will address it, after initially dismissing it as ‘Working as Intended’, Johnson says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
