Sophisticated Google Email Phishing Attack Exploits Security Measures

Google has rolled out fixes to stop an “extremely sophisticated phishing attack” that exploited its own infrastructure to send fake emails. The attack, described as a DKIM replay attack, let threat actors deliver a message that appeared to come from [email protected], carried a valid Google DKIM signature, and redirected recipients to fraudulent sites that harvested their credentials.

The attackers leveraged Google Sites, a legacy product that still permits arbitrary scripts and embeds, to build a credential-harvesting page hosted on sites.google.com. The fake emails impersonated legitimate security alerts from Google, making it difficult for victims to distinguish between real and fake messages.

Google’s own infrastructure produced the signed message, which the attackers then relayed through various third-party SMTP services before it reached the victim’s inbox. The attack works because DKIM signs only selected headers and the message body, not the transport path or the SMTP envelope: a message that Google had legitimately signed can be re-sent unchanged from anywhere and still verify against Google’s published key. The receiving server therefore saw the “Signed by” header set to a valid Google DKIM key, DKIM (and with it DMARC, which needs only one aligned mechanism to pass) reported a pass, and the email cleared filters that rely on those checks.
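The following is an added example, not code from the article or from Google, that models why a replayed message keeps its valid signature. HMAC-SHA256 stands in for the signer's RSA key pair so it runs with the standard library alone; the header selection and relaxed canonicalization follow RFC 6376 closely enough to show what a re-send can and cannot change. All domains, addresses and the sample message are constructed for illustration, and replay_indicator is a triage heuristic of this example, not a check the article describes.

```python
"""Toy DKIM signer/verifier showing the replay property (added example)."""
import base64
import hashlib
import hmac
import re

SECRET = b"toy-signing-key"  # stand-in for the signer's private key (assumption, not RSA)

# Constructed message standing in for a legitimately signed security alert.
ORIGINAL_HEADERS = [
    ("From", "Security Alert <no-reply@example-provider.com>"),
    ("To", "victim@example.org"),
    ("Subject", "Security alert"),
    ("Date", "Tue, 22 Apr 2025 10:00:00 +0000"),
]
BODY = "A new device signed in to your account.\r\nReview: https://sites.example/legal-notice\r\n"
SIGNED_NAMES = ["From", "To", "Subject", "Date"]


def header_value(headers, name):
    # RFC 6376 5.4.2: when a name repeats, the instance nearest the body is the
    # one covered, so a header prepended by a later hop is not the signed one.
    for n, v in reversed(headers):
        if n.lower() == name.lower():
            return v
    return None


def relaxed_header(name, value):
    # RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace, trim.
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def relaxed_body(body):
    # RFC 6376 3.4.4: collapse WSP runs, strip trailing WSP, drop trailing empty lines.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def signed_input(headers, names, dkim_value):
    # Covered: the listed headers plus DKIM-Signature itself with b= emptied
    # (RFC 6376 3.7). Not covered: Received, Return-Path, the SMTP envelope.
    data = "".join(relaxed_header(n, header_value(headers, n))
                   for n in names if header_value(headers, n) is not None)
    return data + relaxed_header("DKIM-Signature", re.sub(r"; b=[^;]*$", "; b=", dkim_value)).rstrip("\r\n")


def sign(headers, body, domain, selector, names):
    base = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(names)}; bh={body_hash(body)}; b=")
    mac = hmac.new(SECRET, signed_input(headers, names, base).encode(), hashlib.sha256).digest()
    return base + base64.b64encode(mac).decode()


def parse_tags(sig):
    return dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)


def verify(headers, body):
    sig = header_value(headers, "DKIM-Signature")
    if sig is None:
        return False
    tags = parse_tags(sig)
    if tags.get("bh") != body_hash(body):
        return False
    expected = hmac.new(SECRET, signed_input(headers, tags["h"].split(":"), sig).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(tags["b"]), expected)


def signed_message():
    sig = sign(ORIGINAL_HEADERS, BODY, "example-provider.com", "toy", SIGNED_NAMES)
    return [("DKIM-Signature", sig)] + ORIGINAL_HEADERS, BODY


def replay(headers, body, relay_host, envelope_from):
    # Re-send the signed message verbatim through another relay: trace headers
    # are prepended and the envelope sender changes, but no covered byte moves.
    trace = [("Return-Path", f"<{envelope_from}>"),
             ("Received", f"from {relay_host} by mx.example.org with ESMTP; Tue, 22 Apr 2025 11:00:00 +0000")]
    return trace + headers, body


def _domain(addr):
    return re.search(r"@([\w.-]+)>?\s*$", addr).group(1).lower()


def replay_indicator(headers):
    # Triage heuristic: d= aligns with the visible From (so DMARC passes) while
    # the envelope sender is another domain. Ordinary forwarding looks the same,
    # so this is a signal for review, not a verdict.
    sig = header_value(headers, "DKIM-Signature")
    if sig is None:
        return False
    d = parse_tags(sig)["d"].lower()
    rp = header_value(headers, "Return-Path")
    return d == _domain(header_value(headers, "From")) and rp is not None and _domain(rp) != d


if __name__ == "__main__":
    h, b = signed_message()
    rh, rb = replay(h, b, "smtp.relay.example", "attacker@relay.example")
    print("original verifies:", verify(h, b))
    print("replayed copy verifies:", verify(rh, rb), "| replay indicator:", replay_indicator(rh))
    print("edited link verifies:", verify(rh, rb.replace("sites.example", "evil.example")))
```

The replayed copy verifies exactly as the original does, which is the whole point of the technique: the attacker never needs the signing key, only a message the key already signed. Changing the link in the body or any covered header breaks the signature, which is why a replay must carry the original content and why the phishing text has to be placed into the legitimate message before it is signed.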

Google has emphasized that it never asks users for account credentials and never calls them directly. Users are advised to enable two-factor authentication and passkeys, which stop a harvested password from being enough to take over an account. This attack follows separate recent campaigns that used SVG attachments to trick victims into entering their credentials.

Russian cybersecurity company Kaspersky has observed over 4,100 phishing emails with SVG attachments since the start of 2025. SVG is an XML format that can embed hyperlinks and scripts, so an attachment that looks like an image can open a phishing page when rendered in a browser. Attackers continue to explore new techniques to circumvent detection, often employing user redirection and text obfuscation.

Source: https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html