The Google Phishing Chameleon Does a Next-Level Disguise
- Javier Conejo del Cerro
- 18 minutes ago
- 3 min read

Phishing is an ever-evolving art of deception—and the latest campaign demonstrates just how far attackers are willing to go to blend in seamlessly. In an attack marked by sophistication and precision, unknown threat actors have weaponized two powerful tools: Google Sites and DKIM replay abuse. Their phishing emails, disturbingly authentic, arrive in inboxes looking indistinguishable from legitimate Google alerts. No warning banners, no red flags. Even the most security-conscious professionals could be caught off guard.
This is not just phishing. It’s phishing wearing Google’s own badge.
Blending in With the High Spheres
The campaign zeroes in on high-value targets—executives, IT administrators, legal and compliance teams, and account owners with privileged access. These are individuals whose inboxes are likely to hold the keys to sensitive business data: admin rights to critical systems, internal documentation, customer records, and credential sets with elevated permissions.
The logic is simple but effective: the more critical the role, the higher the stakes. By focusing on these individuals, the attackers maximize their chances of accessing the core of an organization’s infrastructure. A single successful phishing attempt in this context could allow attackers to bypass perimeter defenses and pivot deep into internal networks.
The Sticky Speedy Tongue: How the Attack Works
The brilliance of this phishing scheme lies in its abuse of trust mechanisms—specifically DKIM (DomainKeys Identified Mail) signatures. The attackers begin by creating a Google Account using their own domain and setting up an OAuth application named to mimic a Google security alert. When they grant permissions to this app, Google itself generates a real, DKIM-signed security notification email intended for the attacker’s inbox.
Instead of stopping there, the attackers forward this genuine email through services like Outlook and Jellyfish SMTP relays, keeping the original DKIM signature intact. As a result, when the email reaches the target’s inbox, it appears completely legitimate, passing SPF, DKIM, and DMARC checks. In some cases, Gmail even threads the phishing email into the same conversation as authentic Google alerts, further lowering suspicion.
The message contains a link leading to a site hosted on Google Sites, which impersonates the Google Support page. There, victims are encouraged to view a case file or upload documents. Clicking these options redirects the target to a cloned Google Account login page, visually identical to the real one but controlled by the attackers. When victims enter their credentials, the information is immediately harvested, granting the threat actors access to sensitive accounts.
Spotting the Invisible: Defensive Measures
Defending against such a cleverly disguised attack requires moving beyond traditional perimeter checks. Here’s what security teams must implement to mitigate this threat:
- Scrutinize Even Signed Emails: Do not rely solely on DKIM, SPF, or DMARC results as proof of authenticity. Validate the context and content of the message.
- Filter Legacy Google Sites Links: Block or flag links from sites.google.com, especially when used in sensitive communications.
- Block Suspicious Attachments and Scripts: Prevent the execution of unverified ZIP files, SVG files containing embedded code, and unfamiliar script attachments.
- Monitor for DKIM Replay Patterns: Look for duplicate DKIM-signed messages coming from unexpected sources or routes.
- Enforce Two-Factor Authentication and Passkeys: Reduce the damage potential of stolen credentials through strong multifactor authentication.
- Validate Sender Domains Thoroughly: Beyond technical checks, manually inspect sender addresses and look out for subtle mismatches.
- Train Users to Detect Sophisticated Phishing: Equip teams with the awareness to question even emails that “look too real to doubt.” Regular phishing simulations and security awareness sessions are key.
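To make the “DKIM replay patterns” and “Google Sites links” checks above concrete, here is an added triage heuristic (example code written for this article, not anything from Google or from the campaign itself). It parses a constructed message, with made-up hostnames, addresses, documentation-range IPs and a placeholder signature, and flags the three traits the attack described above leaves behind: a signed To: header that no longer matches the delivered recipient, a google.com signature on mail that passed through a non-Google relay, and a sites.google.com link in the body.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (hostnames, addresses, IPs and URL are made up): a
# Google-signed alert addressed to the attacker's own mailbox, relayed
# through a third-party SMTP host and delivered to a victim's inbox.
SAMPLE = """\
Delivered-To: cfo@victim-corp.example
Received: from relay.example-smtp.net (relay.example-smtp.net [192.0.2.10])
 by mx.victim-corp.example with ESMTPS; Mon, 21 Apr 2025 10:00:00 +0000
Received: from mail-xx.google.com (mail-xx.google.com [198.51.100.41])
 by relay.example-smtp.net with ESMTPS; Mon, 21 Apr 2025 09:58:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=sel;
 h=to:subject:date:from:mime-version; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: me@attacker-domain.example
Subject: Security alert
Content-Type: text/plain

Review your case at https://sites.google.com/view/support-case-00000
"""

def dkim_tags(msg):
    """Parse the DKIM-Signature header into a tag dict (d=, h=, ...)."""
    sig = " ".join(str(msg.get("DKIM-Signature", "")).split())
    return dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)

def replay_indicators(raw):
    """Return heuristic indicators that a DKIM-signed message was replayed."""
    msg = message_from_string(raw, policy=default)
    tags = dkim_tags(msg)
    findings = []
    # 1. The signed To: header no longer matches where the mail was delivered.
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    delivered = str(msg.get("Delivered-To", "")).lower()
    if "to" in signed and delivered and delivered not in str(msg.get("To", "")).lower():
        findings.append("readdressed")
    # 2. Signature domain is google.com but a hop in the Received chain is not.
    d = tags.get("d", "").lower()
    hops = [re.search(r"from\s+(\S+)", str(r)) for r in msg.get_all("Received", [])]
    relays = [m.group(1).lower() for m in hops if m]
    if d and any(not (r == d or r.endswith("." + d)) for r in relays):
        findings.append("unexpected-relay")
    # 3. The body links to sites.google.com, where the lure page was hosted.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body and re.search(r"https?://sites\.google\.com/", body.get_content()):
        findings.append("sites-google-link")
    return findings
```

Legitimate mailbox forwarding also trips the first two checks, so treat the output as a triage score feeding the manual review the list above calls for, not as a blocking verdict.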
This campaign showcases a worrying trend: attackers are increasingly blending legitimate infrastructure with abuse tactics to sidestep traditional defenses. By exploiting the inherent trust in Google’s systems and the integrity of DKIM signatures, they’ve elevated phishing to a new level of credibility. While Google has responded with fixes and additional protective measures, the core takeaway remains: security cannot depend on automated checks alone. Human judgment, combined with layered defense mechanisms, remains the strongest shield against these evolving threats.