Phishing attacks are a major vector for cyberthreats against all kinds of businesses, from tiny mom-and-pop operations to massive conglomerates. Now, a new scam has evolved the phishing attack even further.
With the new tactic, users like you might receive an email that says it is from "no-reply@google.com", an email address that appears to be completely legitimate. If you follow its instructions, however, it will take over your account.
Here’s how scammers are abusing Google OAuth for this trick, and how you can protect your account, whether it’s a business or personal one.
The Next Evolution in Phishing?
The sneaky scam actually uses Google’s own security tools against it. The scammer was able to pass the DomainKeys Identified Mail (DKIM) authentication method — essentially getting Google’s official stamp of approval.
The trick is called a “DKIM replay phishing attack.” The scammers were able to get past DKIM by registering a domain, creating a Google OAuth app with that domain, entering the entire scam message as the name of their app, and then granting their app access to their email address in Google Workspace, which triggers an automatic Google security alert to that inbox.
An example of the impressive new phishing scam. Source: Nick Johnson, via Bleeping Computer
The scammer then forwarded the alert, passing the text of their scam message on to their victim, all while using an email that originated from Google itself.
In this case, the would-be victim was Nick Johnson, lead developer of the Ethereum Name Service (ENS). The email looked official and claimed to be informing him of a subpoena from a law enforcement authority that needed his Google Account information.
How to Spot the Scam
Thankfully, there are two key ways that you can identify this particular phishing attempt if you spot it in the wild — even if those giveaways are small and hard to notice.
First, you'll want to look at the recipient of the email, using the email details dropdown that appears when you click the down arrow icon at the top of the email within your Gmail account.
The recipient should be your own email address. If it is instead a "me@" address on a domain that is designed to look like Google but isn't actually Google, it's a phishing attempt.
Second, look at the portal that the email is telling you to visit. If it’s hosted on sites.google.com and not on accounts.google.com, it’s a phishing attempt. This is because the sites.google.com subdomain refers to Google’s free web-building platform, which anyone can get an account on.
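The two giveaways above can be applied to a raw message automatically. The script below is an added example written for this article, not code from Google, Bleeping Computer or the researcher; the addresses, lookalike domain and URL in the sample message are constructed, and the expected recipient mailbox is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample resembling the forwarded Google security alert described in the
# article. The "me@" mailbox and its domain are hypothetical lookalikes, not Google.
SAMPLE = """From: Google <no-reply@accounts.google.com>
To: me@googl-support-mail.example
Subject: Security alert
Content-Type: text/plain

A subpoena requires your account data. Review the case at
https://sites.google.com/view/case-review-example
"""

EXPECTED_RECIPIENT = "victim@example.com"  # assumed: the mailbox the mail landed in
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def suspicious_indicators(raw_message: str, expected_recipient: str) -> list[str]:
    """Return the article's two giveaways that fire on a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. The To: header should name the mailbox that actually received the mail.
    #    A forwarded alert keeps the original To: (changing a signed header would
    #    break the DKIM signature), so a mismatch is the first giveaway.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() != expected_recipient.lower():
        findings.append(f"recipient mismatch: To header is {to_addr!r}")
    if to_addr.lower().startswith("me@"):
        findings.append("To header uses a 'me@' lookalike mailbox")
    # 2. Real account actions live on accounts.google.com; sites.google.com is the
    #    free site builder anyone can sign up for, so a link there is the second.
    body_parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                body_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    for url in URL_RE.findall("\n".join(body_parts)):
        host = (urlparse(url).hostname or "").lower()
        if host == "sites.google.com":
            findings.append(f"link hosted on sites.google.com: {url}")
    return findings


if __name__ == "__main__":
    for finding in suspicious_indicators(SAMPLE, EXPECTED_RECIPIENT):
        print("SUSPICIOUS:", finding)
```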
PayPal Users Face the Same Problem
This scam isn’t inherent to Google: PayPal dealt with a similar one last month. In both cases, the scam hinges on getting the company itself to originate the message from its mail servers, letting it pass DKIM security checks, before forwarding it to a mailing list that passes it on to the victim.
With PayPal, the way to get the company to create the fraudulent email is to register a new email address under an existing account, since this triggers PayPal to send a confirmation email to that address.
Google has issued a statement about the scam, The Verge reports: According to Gmail Security Communications spokesperson Ross Richendrfer, “We’re aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
While we’re sorry to see that our common phishing protection advice to check the domain of the email sender is no longer reliable, it’s nice to see that two-factor authentication can still help in situations like this. After all, Tech.co’s latest annual study found that a full 98% of senior business leaders in the US can’t correctly identify all the indicators of a phishing email.