Google security alerts used in new Gmail hack.
dpa/picture alliance via Getty Images
Update, April 21, 2025: This story, originally published April 19, has been updated with new information regarding the sale of phishing kits and further details of the structural email sender authentication protections that were seemingly bypassed in this latest Gmail attack campaign.
Protecting your accounts and data is getting harder and more complex, despite the best efforts of security defenders. In the same week that Microsoft detailed strict new email authentication rules, due on May 5, to protect 500 million Outlook users, and the FBI warned that hackers impersonating the FBI have struck, the two stories merge: Google has confirmed that Gmail users are under attack from hackers who get past its own email authentication protections and leverage trust in Google infrastructure to launch a dangerous and costly threat. Here’s what you need to know and do.
Beware This Gmail Security Alert — No Matter How Real It Appears
Wouldn’t it be great if account security were straightforward and easy to accomplish? When you get an email from Google, a security alert no less, that passes Google’s own email authentication protections, you’d think it was trustworthy, right? Wrong, very wrong indeed, at least for now.
An April 16 posting on the X social media platform first alerted us to a threat that exploits trust in Google’s own protections and platforms to execute a sophisticated hack attack. That post explained how the user, a software developer called Nick Johnson, had received a security alert email from Google informing him that a “subpoena was served on Google LLC requiring us to produce a copy of your Google Account content.” The email went on to state that Johnson could examine the details or “take measures to submit a protest” by following the included link to a Google support page. OK, so it’s a phishing email, nothing unusual about that, right? Wrong again. Not only was this email validly signed by Google itself and sent from a “no-reply@google.com” address, it passed the DomainKeys Identified Mail authentication checks that Gmail applies, and Gmail sorted it into “the same conversation as other, legitimate security alerts,” Johnson said.
This legitimacy continues if you follow the link to the Google support page: a nefarious clone, of course, but one hosted on sites.google.com. Get as far as viewing the documentation or uploading a protest and, once again, the Google account credentials page is a perfect clone, also hosted at sites.google.com, which lends it the trust of the google.com domain. You’d have to be pretty clued up to notice it wasn’t the genuine accounts.google.com, where such logins actually happen. That is the tell to look for: Google Sites hosts user-created pages, and Google never asks for your password anywhere other than accounts.google.com.
If you fall into the trap, you can wave access to your Google account goodbye, and the hackers will say hello to your Gmail account and all the data it contains.
What Is DomainKeys Identified Mail And How Does It Work With Gmail?
Google implemented a strict email bulk sender authentication compliance requirement for Gmail messages starting April 1, 2024. This was meant to stop unscrupulous spammers from sending unauthenticated email, complete with a nefarious payload. Microsoft is about to introduce the same for Outlook.com users from May 5. This is where DomainKeys Identified Mail (DKIM) comes in, along with Domain-based Message Authentication, Reporting & Conformance (DMARC) and the Sender Policy Framework (SPF).
The DMARC, DKIM and SPF trilogy gives users confidence that the email they are looking at is from a genuine sender and not from someone impersonating a brand or domain. Or, at least, that’s the idea — this latest attack has shown, however, that attackers are clever and will find any chink in the protective armor. Here they did not break DKIM at all: they found a way to put a genuine, Google-signed message in front of victims, so the checks passed exactly as designed. That doesn’t mean you shouldn’t authenticate, though; you really should.
Before starting with DMARC, you need to check out SPF and DKIM.
SPF lets a receiving mail server check whether the server delivering a message is authorized to send for the domain in the envelope sender (RFC5321.MailFrom), according to a TXT record the domain owner publishes in DNS. DKIM attaches a DKIM-Signature header carrying a cryptographic signature, made with the sending domain’s private key, over a hash of the message body and a listed set of headers; the receiver fetches the matching public key from DNS (at selector._domainkey.domain) and verifies it, which makes forging mail that bears that domain’s signature far from simple. DMARC then ties both checks to the domain the user actually sees in the From: header: a message passes if SPF or DKIM passed and the domain it authenticated aligns with the From: domain, and the From: domain’s DMARC record tells the receiver what to do otherwise, whether to deliver to the inbox, divert to the spam folder, or bounce it back from whence it came.
When configuring DMARC, note the p= tag in the TXT record published at _dmarc.<yourdomain>. It instructs the receiving mail server whether a failing message should be delivered anyway and merely reported (p=none), sent to the spam folder (p=quarantine) or bounced (p=reject). Start at p=none while you review the aggregate reports sent to the rua= address, then tighten. The caveat this Gmail attack illustrates is that DMARC judges authentication and alignment, not intent: a genuine, DKIM-signed message from a trusted domain that is re-sent intact still passes.
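As an added worked example (not code from the article, from Google or from any DMARC library), the following Python evaluates a DMARC record against SPF and DKIM results, including identifier alignment. The organizational-domain rule is simplified to the last two DNS labels (an assumption; real implementations use the Public Suffix List), the record string and the authentication results are constructed inline, and no DNS lookup is made. The second scenario reproduces the article’s case in outline: SPF passes only for the forwarding server’s own domain, which does not align with the From: domain, but the intact google.com DKIM signature does align, so DMARC passes.

```python
# Added example, not code from the article or from Google: a minimal DMARC
# evaluator showing how identifier alignment decides the outcome.
# Assumptions: organizational domain = last two DNS labels (real code uses
# the Public Suffix List); records and auth results are constructed inline.
from __future__ import annotations
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")    # SPF alignment mode, relaxed by default
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain (simplified assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') = exact match, relaxed ('r') = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str    # domain in the RFC5322.From header, i.e. what the user sees
    spf_result: str     # 'pass', 'fail', 'none', ...
    spf_domain: str     # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str    # 'pass', 'fail', 'none', ...
    dkim_domain: str    # d= tag of the DKIM signature that was verified


def evaluate_dmarc(record: str, r: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, disposition); disposition is 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"           # one aligned pass is enough
    policy = tags["p"] if tags["p"] in ("none", "quarantine", "reject") else "none"
    return "fail", policy


# Constructed record for the example; look up the live _dmarc.google.com TXT record yourself.
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def spoofed_scenario() -> tuple[str, str]:
    """Plain spoof: From: claims google.com, but nothing authenticates for google.com."""
    return evaluate_dmarc(EXAMPLE_RECORD, AuthResults(
        from_domain="google.com", spf_result="fail", spf_domain="attacker.example",
        dkim_result="none", dkim_domain=""))


def replay_scenario() -> tuple[str, str]:
    """Replay of a genuine Google-signed alert: SPF passes only for the forwarder's
    own domain (not aligned), but the intact google.com DKIM signature still verifies."""
    return evaluate_dmarc(EXAMPLE_RECORD, AuthResults(
        from_domain="google.com", spf_result="pass", spf_domain="attacker.example",
        dkim_result="pass", dkim_domain="google.com"))


if __name__ == "__main__":
    print("spoofed:", spoofed_scenario())    # ('fail', 'reject')
    print("replayed:", replay_scenario())    # ('pass', 'none')
```

The point of the two scenarios is that DMARC is doing its job in both: a spoofed From: with no aligned authentication is rejected, while a message that really was signed by google.com passes, whoever re-sent it. That is why the remaining defence is what the signed message contains and where its links lead, not the authentication headers.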
Gmail Hackers Can Buy Phishing Kits For $25
Although this particular Gmail attack can rightly be described as sophisticated and complex, because it found a way around the protections Google already had in place against brand impersonation of domains that send authenticated email to potential victims, the same cannot be said of all phishing campaigns. Indeed, many follow a tried-and-trusted template approach and don’t require anything beyond a fundamental understanding of technology. Not all cybercriminals are elite hackers; the vast majority are quite happy taking the straightforward approach of buying a ready-made phishing kit to do the attack donkey work for them.
Adrianus Warmenhoven, a cybersecurity expert with NordVPN, has now confirmed in an email that these phishing kits are available for as little as $25, and sometimes even less, in dark web forums and Telegram groups operated by cybercriminals. “With features like drag-and-drop website builders, email templates, and even contact lists,” Warmenhoven warned, “these kits enable even the least technical attackers to carry out professional-looking scams.”
Although the precise features of any phishing kit will vary and be dependent upon the cost of the kit in question, NordVPN security experts have said that the key elements are as follows:
• Web code for fake sites that clone real-life platforms. While some of these will be one-page wonders, others can include multiple pages to make the site more believable.
• Malicious scripts that automatically transfer data submitted to the cloned website back to a server operated by the hacker.
• Data exfiltration tools that enable the hacker to access the data captured by the website in question.
• Geoblockers and redirection protocols to limit traffic heading to the site so as to evade detection for as long as possible.
• Drag-and-drop website builders for more advanced users to create customized clone sites without any web-coding experience being required.
• Email templates, customized for the platform being targeted, to accompany the cloned website itself.
• Bundled contact lists with selected email and telephone details of potential targets.
Warmenhoven warned that NordVPN’s research has revealed Google, Facebook and Microsoft to be the most commonly impersonated brands in phishing attacks, with 85,000 fake URLs imitating Google discovered in 2024. “Phishing kits and Phishing-as-a-Service platforms lower the barrier to entry, so we’re seeing a surge in the number and variety of attacks,” Warmenhoven said, “and that means consumers need to be more alert than ever.”
Read my recent report on one of the most evolved phishing kits, Tycoon 2FA, which is capable of bypassing Gmail 2FA protections and stealing account passwords to get a better understanding of the real-world threat such tools pose and how to mitigate them.
Google Promises To Shut Down Gmail Attack With New Update
The good news is that Google has said it is rolling out protections to counter the specific attacks from the threat actor concerned. “These protections will soon be fully deployed,” a spokesperson said, “which will shut down this avenue for abuse.” In the meantime, Google advised users to enable 2FA protections and switch to using passkeys for Gmail to provide “strong protection against these kinds of phishing campaigns.”
The attack email leveraged an OAuth application combined with a creative DKIM workaround to bypass the very safeguards meant to protect against this type of phishing attempt, explained Melissa Bischoping, head of security research at Tanium. In outline, as Johnson’s thread laid out, the attacker registers a Google OAuth application whose name contains the phishing text and grants it access to a Google account they control; Google then sends a genuine, DKIM-signed security alert about that grant, and forwarding that alert on intact means the google.com signature still verifies for every recipient. That is a DKIM replay, not a forged signature. Bischoping warned that “while some components of this attack are new – and have been addressed by Google – attacks leveraging trusted business services and utilities are not one-off or novel incidents.”
Moving forward, Gmail users should still be alert to the danger of genuine-looking emails and alerts that purport to be from legitimate sources, even if that source is Google itself. Awareness training should evolve with the threat landscape, addressing both new and persistently effective techniques, Bischoping said. “As always,” Bischoping concluded, “robust multi-factor authentication is essential because credential theft and abuse will continue to be an attractive target.”