Google has issued an important warning to all Gmail users. The warning highlights a new phishing campaign that uses legitimate-looking emails to bypass security checks and trick recipients into handing over their account credentials.
Google has acknowledged the threat and is working to roll out protections. Still, users are urged to stay vigilant, especially when responding to emails that appear to come from trusted sources like Google.
What is this scam?
The attack came to light when software developer Nick Johnson posted on X about receiving an official-looking email from “no-reply@google.com” that claimed a subpoena had been issued for his Google Account data. The email included a link to what appeared to be a legitimate Google support page. In reality, the page was a phishing site hosted on Google’s own platform, sites.google.com.
What made the email particularly convincing was that it passed Google’s authentication checks, including DomainKeys Identified Mail (DKIM). The phishing message was also delivered in the same Gmail conversation thread as real Google security alerts, adding to its perceived legitimacy.
Clicking the link led users to a cloned Google sign-in page hosted on a Google subdomain. The page was designed to harvest login credentials under the guise of allowing the user to protest the subpoena. If entered, those credentials would give attackers full access to the user’s Gmail and associated data.
Google’s response
Google has acknowledged the phishing campaign and confirmed that it exploited OAuth and DKIM mechanisms in a novel way. In a statement, the company said it is “rolling out protections” to stop this specific threat and expects the fix to be “fully deployed” soon. Google is also encouraging users to enable two-factor authentication and adopt passkeys to strengthen account security.
Why is this important for users?
The incident highlights how threat actors are increasingly using legitimate infrastructure, like Google’s own domains, to make phishing attempts harder to detect. Even advanced security features can be bypassed when the source appears trustworthy and familiar.
What Gmail users should do
Until Google’s update is fully rolled out, Gmail users are advised to avoid clicking on links in unsolicited security alerts. Users should verify suspicious emails by logging into their accounts directly through the official Google website. Activating two-factor authentication and passkeys adds a further layer of protection against credential theft.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
