Phishers Abuse Google OAuth to Spoof Google in DKIM Replay Attack

Summary:
Researchers found that hackers exploited a flaw in Google’s systems to send convincing phishing emails that passed all standard authentication checks. The attackers used Google’s infrastructure to send a fake email, appearing to come from “no-reply@google[.]com,” which passed DomainKeys Identified Mail (DKIM) verification but pointed to a fraudulent login page designed to steal credentials.

The phishing email targeted Nick Johnson, lead developer of the Ethereum Name Service (ENS). It was a fake Google security notice claiming to be a law enforcement subpoena notification. The email looked convincing and was grouped in the inbox with genuine Google alerts, which made it all the more believable.

What tipped off Johnson was the support portal link, which led to a site hosted on sites[.]google[.]com—a red flag, since official Google login pages use accounts[.]google[.]com. The portal was an exact replica of the real thing, making the scam hard for most users to detect.

Security Officer Comments:
The tricky aspect of the attack was a DKIM replay technique. The attacker registered a domain, created a Google account with the address me@domain, and set up a Google OAuth application. The attacker placed the phishing text in the application's name, padded with a long run of whitespace so that Google's automated email footer was pushed out of view.

When the attacker granted the app access to their own account, Google generated and signed a legitimate-looking alert. That alert, carrying Google’s DKIM signature, was then forwarded to victims. Because DKIM verifies only the message and headers—not the envelope—it passed all security checks and appeared valid.

The scam also relied on Gmail's interface: because the attacker's account address began with “me@”, Gmail displayed the message as sent to “me”, so it looked personalized and legitimate. Cybersecurity company EasyDMARC validated the technique and explained the technical process, labelling it a DKIM replay phishing attack.
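A triage check for the three indicators the bulletin describes (a Google-signed message arriving from an unrelated envelope sender, a “me@” To: header that does not match the receiving mailbox, and a “support portal” on sites.google.com), written as an added example rather than code from the article or from EasyDMARC's analysis; the sample message, the placeholder domains and the dkim_replay_indicators function are constructed for illustration:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a Google-signed alert that was
# re-sent through an unrelated mail server. All domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@attacker-mailer.example>
Received: from mx.attacker-mailer.example by mail.ens.example
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=selector; h=from:to:subject; bh=...; b=...
From: Google <no-reply@google.com>
To: me@attacker-domain.example
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A subpoena has been served. Review the case at
https://sites.google.com/view/support-case
"""

def _domain(addr_header: str) -> str:
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()

def dkim_replay_indicators(raw: str, delivered_to: str) -> list[str]:
    """Return replay indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    signing = m.group(1).lower() if m else ""
    sender, envelope = _domain(msg.get("From", "")), _domain(msg.get("Return-Path", ""))
    # 1. Signature and From: align (so DMARC passes), yet the envelope sender is
    #    an unrelated domain: the signed message was re-sent by someone else.
    if (signing and signing == sender and envelope not in (sender, "")
            and not envelope.endswith("." + sender)):
        findings.append(f"envelope sender {envelope} is not the DKIM/From domain {sender}")
    # 2. The To: header names the attacker's own "me@" account, not the
    #    mailbox that actually received the message.
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if to_addr and to_addr != delivered_to.lower():
        findings.append(f"To: header {to_addr} does not match delivered mailbox {delivered_to}")
    # 3. A portal on user-hosted sites.google.com is not a Google sign-in page;
    #    legitimate login flows use accounts.google.com.
    body = "".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if (urlparse(url).hostname or "") == "sites.google.com":
            findings.append(f"link to user-hosted Google content: {url}")
    return findings
```

None of these checks is a DKIM failure on its own, which is exactly why the message passed; the value is in correlating them at the mail gateway or in the SIEM.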

A similar scam was seen targeting PayPal users. There, attackers abused the “gift address” feature to insert phishing content. PayPal’s system sent a confirmation email that the attacker redirected to a mailing list of victims. As with Google, the message passed DKIM checks.

Suggested Corrections:
While PayPal didn’t respond to reports, Google initially dismissed the issue as working as intended. After further review, they acknowledged the risk and are now working on a fix.

Link(s):
https://www.bleepingcomputer.com/ne...-oauth-to-spoof-google-in-dkim-replay-attack/