A new phishing campaign is exploiting legitimate Google services to trick Gmail users into believing they’ve received a legal subpoena. The email, which appears to come from an official Google address, mimics security alerts and directs users to a seemingly genuine support page. According to a report by Kaspersky, this scam leverages Google Sites and OAuth to create credible-looking phishing messages that are difficult for the average user to detect.
What is this new Gmail scam?
The attack begins with an email that claims Google has received a legal subpoena demanding access to the recipient’s account data. It appears to be sent from no-reply@accounts.google.com, an address used by real Google alerts. The message includes a support ticket number, account ID, and a link that looks like it points to a Google support page. All of these elements are designed to convince the recipient that the email is genuine and urgent.
How this new Gmail scam works
The link in the email leads to a page hosted on sites.google.com, a legitimate Google Sites domain. This is where scammers create a fake Google Support page that mimics the design of official help documents. If the user isn’t already logged in, they are first directed to a real Google login page. After authentication, the victim is taken to the phishing page.
Behind the scenes, scammers registered a domain resembling a Google SMTP server and used it to set up a free Google Workspace trial. They then created a fake web app via Google OAuth, naming it with the full text of the phishing message. When Google sends a security notification about the app, the attackers use domain-level forwarding rules to send this alert—complete with the phishing content and a link—to potential victims. The tactic works because Google’s infrastructure delivers the message from a trusted domain.
Kaspersky researchers believe the attackers’ ultimate goal is to convince users to download malicious files disguised as legal documents. The payload of these files remains unknown, but they likely contain malware.
Tips to stay protected
Don’t panic if you receive emails claiming legal action. Take a moment to inspect the headers, including the “to” and “mailed-by” fields.
Be cautious of websites hosted on sites.google.com, especially when linked from unsolicited messages.
Avoid clicking links in emails, even if they appear to come from trusted domains.
Use reliable security software to detect and block phishing attempts.
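The header checks in the tips above can be automated. The following Python script is an added example, not code from the article or from Kaspersky: it parses a raw message, compares the "To" header with the mailbox that actually received the mail, compares the Return-Path domain (used here as a stand-in for Gmail's "mailed-by" field, which reflects the envelope sender) with the From domain, flags links hosted on sites.google.com, and looks for legal-pressure wording such as "subpoena". Both sample messages and every address and domain in them are constructed placeholders; which headers survive a domain-level forwarding rule varies, so treat the output as a triage hint, not a verdict.

```python
"""Heuristic triage for the "legal subpoena" Gmail lure.

Added example; not the article's or Kaspersky's code. All addresses,
domains and message bodies below are constructed placeholders.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

LURE_WORDS = ("subpoena", "legal action", "law enforcement", "court order")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample resembling the described campaign: the Google alert
# was forwarded out of an attacker-controlled Workspace domain.
SAMPLE_RAW = """\
From: Google <no-reply@accounts.google.com>
Return-Path: <bounce@googlemail-smtp.example>
To: me@googlemail-smtp.example
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Google has received a legal subpoena demanding access to your account data.
Support ticket 00000 (constructed). Review the case at
https://sites.google.com/u/0/d/constructed-id/support
"""

# Constructed sample of a benign alert delivered directly to the victim.
CLEAN_RAW = """\
From: Google <no-reply@accounts.google.com>
Return-Path: <3abc@accounts.google.com>
To: victim@gmail.example
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A new sign-in was detected. Review activity at
https://myaccount.google.com/notifications
"""


def registrable(domain: str) -> str:
    """Crude last-two-labels approximation of a registrable domain.

    Good enough for accounts.google.com -> google.com; a production tool
    would use the public suffix list instead.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(msg: Message, header: str) -> str:
    """Domain part of the first address in a header, '' if absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rpartition("@")[2].lower()


def message_body(msg: Message) -> str:
    """Plain-text body (sample messages carry no transfer encoding)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def assess(raw: str, delivered_to: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    # 1. "to" field: a forwarded alert names someone else's mailbox, not yours.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() != delivered_to.lower():
        findings.append(f"to-mismatch: To={to_addr!r}, delivered to {delivered_to!r}")

    # 2. "mailed-by": envelope sender domain should match the From domain.
    from_dom = registrable(header_domain(msg, "From"))
    rp_dom = registrable(header_domain(msg, "Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"mailed-by-mismatch: From={from_dom}, Return-Path={rp_dom}")

    # 3. Links pointing at user-created Google Sites pages.
    body = message_body(msg)
    for url in URL_RE.findall(body):
        if (urlparse(url).hostname or "") == "sites.google.com":
            findings.append(f"google-sites-link: {url}")

    # 4. Legal-pressure lure wording in subject or body.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        findings.append("lure-wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(label, assess(raw, "victim@gmail.example") or ["no findings"])
```

Run it as a script to see both samples triaged; `assess()` can also be called on any raw message string together with the address of the mailbox that actually received it.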