Google has issued an urgent warning to its 1.8 billion Gmail users after confirming a highly sophisticated phishing campaign that successfully bypassed security checks by exploiting Google’s own infrastructure. The attack, first flagged by a developer in the cryptocurrency space, targeted user credentials using a Google-signed phishing email and spoofed support portals hosted on Google Sites.
Ethereum Developer Uncovers Google-Signed Phishing Email Spoofing a Subpoena
Nick Johnson, a developer for the Ethereum Name Service (ENS), reported the incident after receiving a fraudulent email appearing to originate from Google. The email falsely claimed that his account had been served with a legal subpoena and that immediate action was required.
The email passed all standard authentication checks, including DKIM (DomainKeys Identified Mail), which is designed to verify that a message was signed by the domain it claims to come from and was not altered in transit.
“The only hint it’s a phish is that it’s hosted on sites.google.com instead of accounts.google.com,” Johnson noted.
When clicked, the embedded links directed him to a fake support portal mimicking Google’s design. Johnson described both the “Upload additional documents” and “View case” links as exact duplicates of Google’s legitimate pages. These fake pages requested account login credentials—presumably to steal user information.
Attack Exploited Google Sites and DKIM to Appear Authentic
The phishing email was carefully crafted to evade Gmail’s warning mechanisms. It:
- Used Google Sites to host spoofed support pages.
- Passed DKIM signature checks, ensuring the message appeared authentic.
- Was placed by Gmail in the same thread as legitimate security alerts.
This made the phishing message look completely genuine, increasing the likelihood of users falling for the scam.
Johnson explained that once credentials are entered, attackers could immediately use them—especially if only a password and two-factor code are required—to gain access to the victim’s account.
Google Confirms Attack Vector and Deploys Mitigations
In a statement, Google acknowledged the phishing campaign:
“We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse.”
Google also stated it had disabled the mechanism that enabled this method of attack. The company emphasized that it does not request passwords, one-time codes, or any personal credentials via unsolicited messages.
Google reiterated standard security advice for users:
- Enable two-factor authentication (2FA)
- Use passkeys instead of passwords
A passkey is a system-generated login credential that works only on a user’s device and is bound to the legitimate site’s origin, so it cannot be guessed, stolen, or phished and provides strong resistance against this type of attack.
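To show why a passkey resists a look-alike page, here is a simplified model of the WebAuthn assertion check. This is an added example, not Google’s implementation or anything from the report: the RP ID "google.com", the single allowed sign-in origin https://accounts.google.com, and the challenge strings are assumptions made up for the demonstration, and the ECDSA signature is replaced by an HMAC over a per-credential secret so the block runs on the standard library alone. The part that matters is real WebAuthn behaviour: the browser, not the page, writes the origin it observed into clientDataJSON, the authenticator signs over that data together with SHA-256(rpId), and the relying party rejects any assertion whose origin it does not expect.

```python
"""Why a passkey is not usable by a look-alike page: a simplified WebAuthn assertion check.

Added example, not Google's implementation. RP ID, allowed origin and challenges are assumed
values for the demo; the signature is an HMAC stand-in for the authenticator's ECDSA signature.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "google.com"                               # assumed RP ID for the example
ALLOWED_ORIGINS = {"https://accounts.google.com"}  # assumed genuine sign-in origin


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def browser_allows_rp_id(origin, rp_id):
    """Simplified browser rule: the RP ID must equal the page host or be a parent domain of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Toy authenticator: one secret per credential, bound to the RP ID it was created for."""

    def __init__(self):
        self.credentials = {}

    def register(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self.credentials[cred_id] = (rp_id, secret)
        return cred_id, secret  # the secret plays the role of the public key the RP stores

    def get_assertion(self, cred_id, origin, challenge):
        rp_id, secret = self.credentials[cred_id]
        if not browser_allows_rp_id(origin, rp_id):
            raise PermissionError(f"{origin} may not use RP ID {rp_id}")
        # The browser fills in the origin; a page cannot choose what goes here.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        # authenticatorData = rpIdHash || flags (UP set) || signCount
        auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(secret, signed, "sha256").digest()
        return client_data, auth_data, signature


def verify_assertion(stored_key, challenge, client_data, auth_data, signature):
    """RP-side checks in the order WebAuthn lists them; returns 'ok' or the first failing check."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if data.get("challenge") != challenge:
        return "challenge mismatch"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return f"origin {data.get('origin')} not allowed"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(stored_key, signed, "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        return "bad signature"
    return "ok"


def demo():
    authn = Authenticator()
    cred_id, key = authn.register(RP_ID)
    results = {}

    # Genuine sign-in: the browser reports the real origin and the RP accepts.
    genuine = authn.get_assertion(cred_id, "https://accounts.google.com", "constructed-challenge-1")
    results["genuine"] = verify_assertion(key, "constructed-challenge-1", *genuine)

    # Look-alike page under the same parent domain: the browser lets it ask for RP ID google.com,
    # but the origin signed over is sites.google.com, so the RP refuses the assertion.
    lookalike = authn.get_assertion(cred_id, "https://sites.google.com", "constructed-challenge-2")
    results["lookalike"] = verify_assertion(key, "constructed-challenge-2", *lookalike)

    # A captured genuine assertion replayed against a fresh challenge also fails.
    results["replayed"] = verify_assertion(key, "constructed-challenge-3", *genuine)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The look-alike case is the instructive one: because sites.google.com sits under the assumed RP ID google.com, the simplified browser rule lets the page request an assertion at all, yet the relying party still rejects it because the signed origin is not the expected one. A page on an unrelated domain would fail one step earlier, at `browser_allows_rp_id`. Neither path gives the page anything it can type into a password form, which is the difference from the credential-harvesting portal described above.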
Why Google Sites Was Chosen to Execute the Scam
Attackers intentionally used sites.google.com for hosting the fake portals to exploit user trust in Google’s domain. Johnson noted:
“They know people will see the domain is google.com and assume it’s legit.”
Because the phishing email mimicked a legal request for account data, users may find it difficult to distinguish it from a legitimate subpoena notification. Google’s policy does state that users are typically notified about law enforcement requests, although some notifications may be delayed due to legal restrictions.
How Enterprises Can Recognize and Avoid Similar Attacks
Phishing attacks like this one are designed to look urgent and legitimate. Common red flags include:
- Generic greetings
- Claims of legal or account issues needing urgent action
- Links to external login pages
Google recommends never clicking links directly from emails requesting sensitive information. Instead, users should open a new browser window and manually navigate to the service’s site.
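A triage script that applies the red flags listed above, together with the pattern from the earlier section (a message that passes DKIM for google.com yet links to pages on sites.google.com rather than accounts.google.com), to two constructed sample messages. This is an added example, not Google’s or Johnson’s code; both messages, their header values, addresses and URL paths are made up for the demonstration, and the keyword lists are illustrative rather than a vetted rule set.

```python
"""Triage heuristics for a Google-branded message that passes DKIM but links to sites.google.com.

Added example, not Google's or the reporter's code. Both sample messages are constructed;
the header values, addresses and URL paths are made up.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Where a genuine Google account or sign-in page lives; the reported phishing portal was
# hosted on sites.google.com instead.
LEGIT_ACCOUNT_HOSTS = {"accounts.google.com"}
URGENCY_TERMS = ("subpoena", "legal", "immediate action", "urgent")
GENERIC_GREETINGS = ("dear user", "dear customer", "hello user")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

SUSPECT_MESSAGE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=google.com header.i=@google.com
From: Google <no-reply@google.com>
To: user@example.net
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Dear user,

A subpoena was served on Google requiring production of your account data.
Immediate action is required.

View case: https://sites.google.com/view/EXAMPLE-PLACEHOLDER/case
Upload additional documents: https://sites.google.com/view/EXAMPLE-PLACEHOLDER/upload
"""

BENIGN_MESSAGE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=google.com header.i=@google.com
From: Google <no-reply@google.com>
To: user@example.net
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Hi Alex,

A new sign-in to your account was detected. You can review recent activity at
https://accounts.google.com/EXAMPLE-PLACEHOLDER
"""


def dkim_passed(msg, signer="google.com"):
    """True when an Authentication-Results header reports dkim=pass for header.d=<signer>."""
    for value in msg.get_all("Authentication-Results", []):
        if re.search(r"\bdkim=pass\b", value) and re.search(
            r"header\.d=" + re.escape(signer) + r"\b", value
        ):
            return True
    return False


def body_text(msg):
    """Decoded text of the preferred body part (plain text first, then HTML)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def triage(raw):
    """Return DKIM status, content signals and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = body_text(msg)
    lowered = text.lower()
    signals = []

    # Red flag 1: a Google-branded link that is not on the genuine account host.
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    for host in sorted(hosts):
        if host.endswith("google.com") and host not in LEGIT_ACCOUNT_HOSTS:
            signals.append(f"link hosted on {host} rather than accounts.google.com")

    # Red flag 2: legal or urgency language pushing the reader to act now.
    found = [t for t in URGENCY_TERMS if t in lowered]
    if found:
        signals.append("urgency/legal language: " + ", ".join(found))

    # Red flag 3: a generic greeting instead of the account holder's name.
    if any(lowered.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        signals.append("generic greeting")

    # The DKIM result is recorded but never clears the message: the reported email passed too.
    return {
        "dkim_pass": dkim_passed(msg),
        "signals": signals,
        "verdict": "suspicious" if signals else "no content signals",
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, triage(raw))
```

Run as a script it prints the result for both messages. The design point is that `dkim_pass` is True for both, so a filter that lets a DKIM pass short-circuit the content checks would have waved the subpoena message through exactly as Gmail did; the content signals, not the signature, are what separate the two.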
The company recently published updated guidance on spotting phishing attempts, reaffirming:
“Google will never send unsolicited messages asking for your password or other personal information.”