Hackers Exploit Google OAuth for DKIM-Verified Phishing Emails
Cybercriminals recently abused a flaw in Google's OAuth app flow to send phishing emails that passed DKIM (DomainKeys Identified Mail) verification and therefore looked legitimate. The incident came to light when a fraudulent Google security alert was reported. The attack leveraged Google's own infrastructure and directed victims to a convincing fake support portal hosted on a Google-owned domain in order to steal credentials.
The attackers built the campaign around a flaw that let emails they distributed carry a valid Google DKIM signature, so the messages did not merely evade DKIM checks but genuinely passed them. The attack gained attention after Ethereum Name Service (ENS) engineer Nick Johnson received a fake subpoena alert, exposing a significant weakness in how much trust is placed on a passing DKIM result.
The emails appeared to come from no-reply@accounts.google.com and passed DKIM verification even though the attackers, not Google, delivered them. The technique, known as a DKIM replay attack, re-sends a message that Google really did sign: as long as the signed headers and body are left untouched, the signature still validates, and Google's trusted signing domain carries the message past traditional spam filters.
The phishing emails sent users to a fake support portal hosted on Google's sites.google.com that visually replicated Google's login page. Although the URL itself gave the page away to a careful reader (sites.google.com rather than accounts.google.com), the Google-owned domain made the site look trustworthy.
According to the developer who uncovered the attack, the attackers first registered a custom domain and created a Google account with an address of the form me@domain. They then created an OAuth app whose name was the text of the phishing message itself. By granting that app access to their own Google account, they caused Google to send a genuine, DKIM-signed security alert, which embeds the app name, straight to that inbox.
The attackers then re-sent this DKIM-authenticated email to victims from their own mail infrastructure. DKIM covers only the signed headers and the body, not the SMTP envelope sender or the route the message later takes, so the replayed copy still verified, and DMARC passed on the strength of the aligned Google signature alone. Because the signed To: header read me@ followed by the attacker's domain, Gmail rendered the message as addressed "to me", hiding the usual warning sign of a recipient that does not match the victim's own address.
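The mechanics described in the two paragraphs above, as an added example that is not code from the article, from Google or from the researcher: a self-contained Go program (standard library only) that implements DKIM relaxed canonicalisation and RSA-SHA256 signing and verification for a simplified message model, signs a constructed "security alert" addressed to me@attacker.example, replays it with a different envelope sender and new trace headers, and shows that the signature still verifies while a body that has been tampered with does not. Every domain, address, header and key here is constructed for illustration; a real verifier fetches the public key from the selector._domainkey DNS record and handles header folding, multiple signatures and the "simple" canonicalisation, all of which this example omits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Message is a simplified RFC 5322 message. Envelope is the SMTP MAIL FROM,
// which no DKIM signature ever covers.
type Message struct {
	Envelope string
	Headers  []string // "Name: value" lines in order, already unfolded
	Body     string
}

var wsp = regexp.MustCompile(`[ \t]+`)
var bTag = regexp.MustCompile(`;\s*b=[^;]*`) // the b= tag is blanked before hashing

// relaxedHeader applies RFC 6376 relaxed header canonicalisation.
func relaxedHeader(h string) string {
	name, value, _ := strings.Cut(h, ":")
	value = strings.TrimSpace(wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " "))
	return strings.ToLower(strings.TrimSpace(name)) + ":" + value + "\r\n"
}

// relaxedBody applies RFC 6376 relaxed body canonicalisation.
func relaxedBody(b string) string {
	lines := strings.Split(strings.ReplaceAll(b, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(wsp.ReplaceAllString(l, " "), " ")
	}
	out := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n")
	if out != "" {
		out += "\r\n"
	}
	return out
}

// findHeader returns the last header with the given name, as a verifier would.
func findHeader(hdrs []string, name string) (string, bool) {
	for i := len(hdrs) - 1; i >= 0; i-- {
		if n, _, _ := strings.Cut(hdrs[i], ":"); strings.EqualFold(strings.TrimSpace(n), name) {
			return hdrs[i], true
		}
	}
	return "", false
}

// hashInput is the SHA-256 over the canonical h= headers followed by the
// DKIM-Signature header itself with an empty b= tag and no trailing CRLF.
// Nothing else (envelope, Received, Return-Path) enters the hash.
func hashInput(m Message, signed []string, dkimHdr string) []byte {
	var sb strings.Builder
	for _, n := range signed {
		if h, ok := findHeader(m.Headers, n); ok {
			sb.WriteString(relaxedHeader(h))
		}
	}
	sb.WriteString(strings.TrimSuffix(relaxedHeader(bTag.ReplaceAllString(dkimHdr, "; b=")), "\r\n"))
	sum := sha256.Sum256([]byte(sb.String()))
	return sum[:]
}

// Sign returns a DKIM-Signature header covering the listed headers and the body.
func Sign(m Message, key *rsa.PrivateKey, domain, selector string, signed []string) (string, error) {
	bh := sha256.Sum256([]byte(relaxedBody(m.Body)))
	hdr := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hashInput(m, signed, hdr))
	if err != nil {
		return "", err
	}
	return hdr + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks the message's DKIM-Signature against pub (in practice the key
// published at selector._domainkey.domain).
func Verify(m Message, pub *rsa.PublicKey) bool {
	dkim, ok := findHeader(m.Headers, "DKIM-Signature")
	if !ok {
		return false
	}
	tags := map[string]string{}
	for _, t := range strings.Split(strings.TrimPrefix(dkim, "DKIM-Signature:"), ";") {
		if k, v, found := strings.Cut(t, "="); found {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	bh := sha256.Sum256([]byte(relaxedBody(m.Body)))
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashInput(m, strings.Split(tags["h"], ":"), dkim), sig) == nil
}

// Scenario mirrors the incident with constructed data: the provider signs a
// genuine alert addressed to the attacker's me@ mailbox, the attacker replays
// it from their own server, and a tampered copy is checked for contrast.
func Scenario() (originalOK, replayOK, tamperedOK bool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the provider's DKIM key
	alert := Message{
		Envelope: "bounce@provider.example",
		Headers: []string{
			"From: no-reply@accounts.provider.example",
			"To: me@attacker.example", // signed, so it survives the replay and renders as "to me"
			"Subject: Security alert",
			"Date: Mon, 14 Apr 2025 10:00:00 +0000",
		},
		Body: "An app named \"Your account has been subpoenaed ...\"\r\nhas been granted access.\r\n",
	}
	dkim, _ := Sign(alert, key, "provider.example", "sel1", []string{"from", "to", "subject", "date"})
	alert.Headers = append([]string{dkim}, alert.Headers...)
	originalOK = Verify(alert, &key.PublicKey)

	replay := alert
	replay.Envelope = "crook@phish.example" // MAIL FROM changes: never covered by DKIM
	replay.Headers = append([]string{ // new trace headers: not listed in h=
		"Received: from mta.phish.example by mx.victim.example",
		"Return-Path: <crook@phish.example>",
	}, alert.Headers...)
	replayOK = Verify(replay, &key.PublicKey)

	tampered := replay
	tampered.Body = strings.Replace(replay.Body, "granted", "revoked", 1)
	tamperedOK = Verify(tampered, &key.PublicKey)
	return
}

func main() {
	o, r, t := Scenario()
	fmt.Printf("original: %v\nreplayed via attacker MTA: %v\nbody tampered: %v\n", o, r, t)
}
```

Running it prints true, true, false: the replayed copy is indistinguishable from the original to a DKIM verifier because everything that changed (envelope sender, Received, Return-Path) lies outside the h= list and the body hash. That is also why mitigations live outside DKIM itself: signers can limit replay value by keeping attacker-controlled text out of signed content (here the OAuth app name), by signing and oversigning headers such as To: and Subject: so they cannot be added or altered, and by keeping x= expiry tags short, while receivers can look for the same signature arriving many times from unrelated relays.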
Email security firm EasyDMARC later analyzed the incident and confirmed the use of the DKIM replay technique. Similar tactics have been observed before, such as in a March phishing campaign targeting PayPal users, in which attackers abused PayPal's "gift address" feature to distribute DKIM-verified phishing emails.
PayPal declined to comment. Google initially described the behaviour as working as intended, but after reviewing the incident the company acknowledged the risk and said it is working on a fix to prevent further abuse of its OAuth and DKIM systems.