Warning for Gmail users! Google’s own tools used in major phishing scam

The phishing email had a verified mark and managed to sneak past Google's authentication checks.

Business Today Desk
  • Updated Apr 21, 2025 11:58 AM IST
Google has issued a critical warning to all Gmail users following the discovery of a highly sophisticated phishing campaign that exploits Google’s own systems to trick users into handing over their account credentials. The incident highlights an alarming shift in cybercriminal tactics, using legitimate-looking emails and trusted infrastructure to bypass traditional security checks.

The scam came to light when Nick Johnson, a software developer and prominent user on X (formerly Twitter), shared details of a phishing email he received on 15 April. The message, sent from what appeared to be a legitimate address—no-reply@google.com—even passed Google's stringent authentication checks, including DKIM (DomainKeys Identified Mail). This lent the email an air of authenticity, convincing Johnson and potentially others that it was a genuine communication from Google.

The email falsely claimed that a subpoena had been issued for Johnson’s Google Account data and directed him to a support portal to respond. The link led to a page hosted on sites.google.com, a legitimate Google subdomain, which mimicked Google’s sign-in page. The site was, in fact, a cleverly designed phishing page created to harvest user credentials.

This attack managed to evade detection by exploiting two key vulnerabilities in Google’s infrastructure:

  • The ability to host malicious content on sites.google.com, a Google-owned domain.
  • The use of an official-looking sender address that passed authentication checks, allowing the phishing message to appear in the same conversation thread as genuine Google security alerts.
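A defender-side triage check for the two indicators listed above, as an added example that is not from the article or from Google: it flags a message whose DKIM result passes for google.com while its body links to user-hosted content on sites.google.com. The sample message, the host list and the Authentication-Results line it parses are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Set

# Constructed sample: DKIM passes for google.com, but the only link in the
# body points at a page on sites.google.com, which anyone can publish to.
SAMPLE_EMAIL = """\
From: Google <no-reply@google.com>
To: user@example.com
Subject: Notice of subpoena for your Google Account data
Authentication-Results: mx.example.com; dkim=pass header.d=google.com; spf=pass
Content-Type: text/plain; charset="utf-8"

A subpoena has been issued for your account. Review it at:
https://sites.google.com/view/example-support-portal/home
"""

TRUSTED_SIGNER = "google.com"
# Hosts under a trusted brand's domain that serve arbitrary user content (assumed list).
USER_CONTENT_HOSTS = {"sites.google.com"}


def dkim_signing_domain(msg: Message) -> Optional[str]:
    """Return the header.d= domain of a dkim=pass result, if the receiving MTA recorded one."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", value, re.I)
        if m:
            return m.group(1).lower()
    return None


def link_hosts(msg: Message) -> Set[str]:
    """Collect the hostname of every http(s) URL in the text and HTML parts."""
    hosts: Set[str] = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace")
            hosts.update(h.lower() for h in re.findall(r"https?://([^/\s\"'>]+)", body))
    return hosts


def triage(raw_message: str) -> List[str]:
    """Return a finding when a message signed by the trusted domain links to user-hosted content."""
    msg = message_from_string(raw_message)
    signer = dkim_signing_domain(msg)
    suspicious = link_hosts(msg) & USER_CONTENT_HOSTS
    if signer == TRUSTED_SIGNER and suspicious:
        return [f"dkim=pass for {signer} but links to user-hosted content: {sorted(suspicious)}"]
    return []
```

The check is deliberately narrow: a DKIM pass only proves the signing domain vouched for the message as sent, so the link destination is what separates the genuine alert from the look-alike.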

Johnson has since reported the issue to Google, which has acknowledged the campaign and confirmed that it involves a novel use of both OAuth and DKIM mechanisms. The company is currently “rolling out protections” to counter the threat, with a full fix expected soon.

How can Gmail users stay safe?

Gmail users are strongly advised to exercise caution. Avoid links in unsolicited emails, even if they appear to come from trusted sources like Google. Instead, users should access their accounts directly via the official website. Activating two-factor authentication (2FA) and passkeys can also provide additional safeguards against credential theft.

Published on: Apr 21, 2025 11:58 AM IST