Gmail Replay Attack: The Clever Phishing Trick That Fooled Google
A legitimate-looking alert, a trusted domain, and a dangerous twist
Why This Matters Now
Cybercriminals have found a way to turn Google's own infrastructure against Gmail users: they get Google to send a genuine, DKIM-signed security alert whose text is the phishing lure, then re-send that alert to victims. Because the message really was signed by Google, it passes filters that would catch a forged sender, and the link it carries sits on a trusted Google domain. A Google password harvested this way exposes everything tied to the account: email, cloud storage, and every third-party app that signs in with it. With Gmail serving over 1.8 billion users, the technique is a wide-reaching and serious threat.
Breaking Down the Attack: How It Works
This phishing campaign was first highlighted by Nick Johnson, lead developer at the Ethereum Name Service (ENS). He received what looked like a genuine Google alert: an email warning that a subpoena had been served demanding access to his account. The email linked to a page hosted on sites.google.com, a Google domain on which any Google account holder can publish a public website, and that page mimicked the official Google support portal with unnerving accuracy.
The twist? The email was not spoofed. It really was sent by Google from no-reply@accounts.google.com and carried a valid DKIM (DomainKeys Identified Mail) signature. The attackers got Google to generate it for them with an OAuth trick:
The attackers registered a domain and created a Google account of the form me@ on it, so the alert would be addressed to "me", which is how Gmail labels mail sent to the reader.
They created an OAuth application and used the entire phishing text as its name.
Granting that app access to the me@ account triggered a legitimate Google security warning from no-reply@accounts.google.com, with the app name, and therefore the lure, in the body.
Google DKIM-signed that warning, as it does all its account mail, so it verified as authentic.
The attackers then re-sent the raw message, unchanged, through their own mail server to victims, reusing Google's valid signature.
This is a replay attack. DKIM signs the message body and a listed set of headers (typically From, To, Subject and Date); it does not cover the envelope sender, the Received chain, or the time the message is actually delivered. As long as the signed headers and body are untouched, the signature still verifies no matter who re-sends the message, when, or from which server.
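To make the scope of the signature concrete, here is an added example (not code from the article or from Google) that models DKIM's signing rules in Python: the signature covers a listed set of headers plus a hash of the body, and nothing else. HMAC-SHA256 under a shared key stands in for DKIM's RSA signature and DNS key lookup, and the message, domain names and dates are constructed. Replaying the message through another server adds Return-Path and Received headers, which are unsigned, so verification still passes; editing the lure's link or changing the To header does not.

```python
"""Model of what a DKIM signature binds, and why re-sending keeps it valid.

Added example, not code from the original article. HMAC-SHA256 under a
shared key stands in for the RSA-SHA256 signature and DNS key lookup that
real DKIM uses; canonicalisation is the 'simple' scheme reduced to what the
demonstration needs. The h= header list, bh= body hash and b= signature over
the listed headers plus the DKIM-Signature header itself follow RFC 6376.
"""
import base64
import hashlib
import hmac

SIGNED_HEADERS = ["from", "to", "subject", "date"]                # the h= tag
SIGNER_KEY = b"stand-in for the accounts.google.com private key"  # assumed


def _canon_body(body: str) -> bytes:
    """'simple' body canonicalisation: CRLF line ends, one trailing CRLF."""
    lines = body.replace("\r\n", "\n").rstrip("\n").split("\n")
    return ("\r\n".join(lines) + "\r\n").encode()


def _header(headers, name):
    """Last occurrence of a header, as DKIM verifiers match bottom-up."""
    for key, value in reversed(headers):
        if key.lower() == name:
            return value
    return ""


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _signed_input(headers, h_list, sig_prefix):
    """Bytes the signature covers: listed headers, then DKIM-Signature with b= empty."""
    text = "".join(f"{h}:{_header(headers, h)}\r\n" for h in h_list)
    return (text + "dkim-signature:" + sig_prefix).encode()


def sign(headers, body, domain):
    """Produce a DKIM-Signature value for headers (list of (name, value)) and body."""
    bh = _b64(hashlib.sha256(_canon_body(body)).digest())
    prefix = f"v=1; d={domain}; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b="
    mac = hmac.new(SIGNER_KEY, _signed_input(headers, SIGNED_HEADERS, prefix),
                   hashlib.sha256).digest()
    return prefix + _b64(mac)


def verify(headers, body):
    """True if the DKIM-Signature in headers still matches them and the body."""
    sig = _header(headers, "dkim-signature")
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    if _b64(hashlib.sha256(_canon_body(body)).digest()) != tags["bh"]:
        return False                                   # body was edited
    prefix = sig[: sig.index("; b=") + 4]              # signature with b= emptied
    mac = hmac.new(SIGNER_KEY, _signed_input(headers, tags["h"].split(":"), prefix),
                   hashlib.sha256).digest()
    return hmac.compare_digest(_b64(mac), tags["b"])   # False if a listed header changed


# Constructed message modelled on the alert described above (link is a placeholder).
BODY = ("Google Legal Investigations Support\r\n"
        "A subpoena was served requiring a copy of your Google Account content.\r\n"
        "View case: https://sites.google.com/view/example-case\r\n")
ALERT = [
    ("From", "Google <no-reply@accounts.google.com>"),
    ("To", "me@attacker-domain.example"),       # the attacker's own 'me@' account
    ("Subject", "Security alert"),
    ("Date", "Mon, 14 Apr 2025 10:00:00 +0000"),
]
ALERT.insert(0, ("DKIM-Signature", sign(ALERT, BODY, "accounts.google.com")))


def replay(headers, body):
    """Re-send the raw message via another server: only unsigned headers are added."""
    return [("Return-Path", "<bounce@attacker-domain.example>"),
            ("Received", "from mail.attacker-domain.example by mx.example.org; "
                         "Tue, 15 Apr 2025 03:12:00 +0000")] + headers, body


def edit_body(headers, body):
    """Swap the link in the lure: the body hash no longer matches."""
    return headers, body.replace("sites.google.com", "login-example.test")


def readdress(headers, body):
    """Point To at the victim: To is in h=, so the signature no longer matches."""
    return [(k, "victim@example.org" if k.lower() == "to" else v)
            for k, v in headers], body


def demo():
    return {"original": verify(ALERT, BODY),
            "replayed": verify(*replay(ALERT, BODY)),
            "body_edited": verify(*edit_body(ALERT, BODY)),
            "readdressed": verify(*readdress(ALERT, BODY))}
```

`demo()` returns `{'original': True, 'replayed': True, 'body_edited': False, 'readdressed': False}`. The failed `readdressed` case is why the attackers needed the me@ account: they could not point To at each victim without breaking the signature, so they chose a recipient that Gmail renders as "me". Date is signed as well, so a replayed alert still carries the time Google originally sent it, which can be long before it reached you.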
The alert's text invited the reader to click links labelled "Upload additional documents" or "View case", which led to a convincing copy of the Google login page built to capture credentials.
Keeping Your Google Account Safe
Here's how you can reduce the risk of falling for this type of scam:
Avoid clicking links in unexpected or unsolicited emails, especially those claiming to be urgent.
Double-check URLs: the real Google login page is on accounts.google.com and nowhere else. Phishing pages often sit on trusted Google-owned domains such as sites.google.com, where anyone can publish.
Verify suspicious alerts through a second channel: type myaccount.google.com into the browser yourself and review the security activity listed there, rather than following anything in the email.
Review email headers: Learn how to view full headers in Gmail to catch mismatched sender info.
Be sparing with "Sign in with Google" and other OAuth grants on sites you don't fully trust; a compromised Google account carries every service signed in through it.
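A small check of the kind a browser extension or a mail gateway could run on a link before anyone clicks it, as an added example rather than code from the article: it compares the parsed hostname with accounts.google.com, which is what defeats the usual tricks (a Google-owned but user-writable host such as sites.google.com, a lookalike suffix, and a "user@host" prefix that makes the real host look like a path). The sample URLs are constructed.

```python
"""Is this really the Google sign-in page? Added example, not from the article."""
from urllib.parse import urlsplit

GOOGLE_SIGNIN_HOST = "accounts.google.com"


def _host(url: str) -> str:
    # .hostname drops any user@ prefix and :port, and lower-cases the result
    return (urlsplit(url.strip()).hostname or "").rstrip(".")


def is_google_signin(url: str) -> bool:
    """True only for https URLs whose host is exactly accounts.google.com."""
    return urlsplit(url.strip()).scheme == "https" and _host(url) == GOOGLE_SIGNIN_HOST


def why_not(url: str) -> str:
    """Short reason a URL fails the check, for a human reviewer."""
    parts = urlsplit(url.strip())
    host = _host(url)
    if parts.scheme != "https":
        return "not https"
    if "@" in parts.netloc:
        user = parts.netloc.split("@")[0]
        return f"'{user}@' is a username, real host is {host}"
    if host.endswith(".google.com") and host != GOOGLE_SIGNIN_HOST:
        return f"{host} is a Google host but not the sign-in page"
    if GOOGLE_SIGNIN_HOST in host and host != GOOGLE_SIGNIN_HOST:
        return f"{host} merely contains {GOOGLE_SIGNIN_HOST}"
    if host != GOOGLE_SIGNIN_HOST:
        return f"host is {host}"
    return "ok"


# Constructed URLs covering the cases above.
SAMPLES = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://sites.google.com/view/example-case",
    "https://accounts.google.com.example.net/signin",
    "https://accounts.google.com@example.net/signin",
    "http://accounts.google.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{is_google_signin(u)!s:5}  {u}  ({why_not(u)})")
```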
How to Review Email Headers
Open the full headers by clicking the three vertical dots next to the Reply button in Gmail and choosing "Show original". The top of that view summarises the fields that matter: "mailed-by" (the server that handed the message to Google), "signed-by" (the DKIM signing domain) and the SPF, DKIM and DMARC results. In a replayed message the From address and the signed-by domain are genuinely Google's, so the tell lies in what DKIM does not sign: the Return-Path (the envelope address that bounces go to), the last Received hop before Gmail, and the mailed-by host belong to the attacker's mail provider rather than to Google, whereas a real Google alert is mailed by Google's own servers. Two signed headers give the game away as well: the To line names an address beginning me@ at a domain that is not yours, and the Date, which is normally signed too, shows when Google originally sent the alert, often well before it reached you.
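As an added example (not the article's own material), the script below applies those checks to a raw message with Python's standard email parser: it extracts the DKIM signing domain, the host that made the final delivery, the Return-Path domain and the To versus Delivered-To addresses, and lists the mismatches. The two header sets are constructed to illustrate the replayed and the genuine case; hostnames, addresses, IPs and dates are invented and the signature values are omitted.

```python
"""Triage the headers of a Google-signed alert. Added example, not from the article."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers following the pattern described above. The topmost
# Received line is the hop that delivered the message to the recipient's MX.
REPLAYED = """\
Delivered-To: victim@example.org
Received: from mail.attacker-domain.example (mail.attacker-domain.example [203.0.113.7])
        by mx.example.org with ESMTPS; Tue, 15 Apr 2025 03:12:00 +0000
Received: from mail-relay.google.com (mail-relay.google.com [192.0.2.41])
        by mail.attacker-domain.example; Mon, 14 Apr 2025 10:00:03 +0000
Return-Path: <bounce@attacker-domain.example>
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel;
        h=from:to:subject:date; bh=<omitted>; b=<omitted>
From: Google <no-reply@accounts.google.com>
To: me@attacker-domain.example
Subject: Security alert
Date: Mon, 14 Apr 2025 10:00:00 +0000

(body omitted)
"""

GENUINE = """\
Delivered-To: victim@example.org
Received: from mail-relay.google.com (mail-relay.google.com [192.0.2.41])
        by mx.example.org with ESMTPS; Mon, 14 Apr 2025 10:00:03 +0000
Return-Path: <noreply-bounce@accounts.google.com>
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel;
        h=from:to:subject:date; bh=<omitted>; b=<omitted>
From: Google <no-reply@accounts.google.com>
To: victim@example.org
Subject: Security alert
Date: Mon, 14 Apr 2025 10:00:00 +0000

(body omitted)
"""


def is_google(host: str) -> bool:
    return host == "google.com" or host.endswith(".google.com")


def received_from(received: str) -> str:
    """Hostname in the 'from' clause of a Received header."""
    m = re.match(r"\s*from\s+(\S+)", received)
    return m.group(1).lower() if m else ""


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def dkim_domain(sig: str) -> str:
    m = re.search(r"\bd=([^;\s]+)", sig)
    return m.group(1).lower() if m else ""


def triage(raw: str) -> dict:
    """Who signed, who mailed, where bounces go, plus a list of mismatches."""
    msg = message_from_string(raw)
    signed_by = dkim_domain(msg.get("DKIM-Signature", ""))
    hops = [received_from(r) for r in msg.get_all("Received", [])]
    mailed_by = hops[0] if hops else ""
    return_path = domain_of(msg.get("Return-Path", ""))
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    delivered_to = parseaddr(msg.get("Delivered-To", ""))[1].lower()

    findings = []
    if is_google(signed_by) and not is_google(mailed_by):
        findings.append(f"signed by {signed_by} but mailed by {mailed_by}")
    if is_google(signed_by) and not is_google(return_path):
        findings.append(f"bounces go to {return_path}, not to Google")
    if to_addr and delivered_to and to_addr != delivered_to:
        findings.append(f"addressed to {to_addr}, delivered to {delivered_to}")
    return {"signed_by": signed_by, "mailed_by": mailed_by,
            "return_path": return_path, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED), ("genuine", GENUINE)):
        print(label, triage(raw))
```

The signing domain and From address look identical in both cases; every finding comes from headers outside the signature, which is exactly where a reviewer should look when DKIM passes on a message that feels wrong.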
How to Review OAuth Apps and Permissions
Visit Google's Security Checkup.
Review third-party apps with account access.
Remove any app you don't recognize or actively use.
Enable 2-Step Verification, and prefer a passkey or hardware security key over codes: a phishing page can relay a password and a one-time code to Google in real time, but it cannot satisfy a passkey, which only answers for the real accounts.google.com origin.
Clever Use of a Trusted Domain
One part of this scam that really stands out is the use of sites.google.com to host the phishing page. Google Sites is a legitimate and widely trusted service, which helps the phishing page dodge many content filters. It also makes the link look more believable to non-technical users. The ability for anyone to create a public page using this domain opens the door for repeated abuse, making this method especially difficult to shut down quickly.
Stay Sharp, Stay Skeptical
Now more than ever, it's essential to approach email alerts with caution, even when they come from a familiar sender and pass every authentication check. With DKIM replay and OAuth abuse now in the mix, attackers are banking on your trust in Google.