
A highly convincing phishing scam exploited Google Sites and email authentication protocols to impersonate an original email from Google.
The fraudulent email appeared to originate from Google’s no-reply address (no-reply@google.com), passed security checks, and misled people into believing it was real.

In a series of X posts, a target shared his experience, describing the incident as an “extremely sophisticated phishing attack.”
The phishing link placed in the email redirects users to a Google login page. After logging in, users are taken to a Google Sites page designed to look like a Google support page.
This page, although hosted on Google’s own infrastructure, was created by cybercriminals using the free Google Sites service. The trusted “sites.google.com” subdomain lent credibility to the scam and let it slip past email security filters that treat Google-hosted links as safe.
How the Attack Occurred
A deeper analysis revealed that this was a DKIM Replay Attack.
The attacker initially received a legitimate email from Google, preserved the headers and body without modifying any DKIM-signed content, and resent it from a different email account.
The forged message maintained its DKIM integrity, misleading Gmail’s filters into verifying it as authentic.
The email passed through multiple servers, including Outlook and PrivateEmail via Namecheap, before reaching the recipient’s Gmail inbox, where it appeared as a legitimate Google message.
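The replay described above leaves a recognizable trace in the headers a receiving mail server stamps on the message: the DKIM signature still verifies and is aligned with the From domain, but the SPF envelope sender and the Received chain now belong to whoever resent it. The Python script below is an added example (not code from the article or from Google) that triages a raw message for exactly that pattern. The two sample messages, the hostnames (`*.google.example`, `outbound.outlook.example`, `mail.privateemail.example`), the IP addresses and the placeholder DKIM fields are all constructed; the mapping of a signing domain to the relay hostnames it is expected to send through is an assumption that a real deployment would derive from the domain's published sending infrastructure.

```python
"""Heuristic triage for DKIM-replay style messages.

Added example, not from the original article. All samples and hostnames
below are constructed; the relay map is an assumption for illustration.
"""
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Assumption: relay hostname suffixes a given signing domain legitimately
# sends through. In practice this would come from the domain's published
# sending infrastructure, not a hard-coded table.
EXPECTED_RELAYS = {"google.com": ("google.example",)}

# Constructed: a Google-signed message resent through third-party relays.
# Most recent Received header is on top, as in a real delivery.
REPLAYED = b"""Received: from mail.privateemail.example (mail.privateemail.example [203.0.113.10])
\tby mx.gmail.example with ESMTPS id abc123
\tfor <victim@example.com>; Mon, 21 Apr 2025 10:00:00 +0000
Received: from outbound.outlook.example (outbound.outlook.example [198.51.100.7])
\tby mail.privateemail.example with ESMTPS id def456;
\tMon, 21 Apr 2025 09:59:00 +0000
Received: from mail-sor.google.example ([192.0.2.5])
\tby outbound.outlook.example with ESMTPS id ghi789;
\tMon, 21 Apr 2025 09:58:00 +0000
Authentication-Results: mx.gmail.example;
\tdkim=pass header.i=@google.com header.s=20230601;
\tspf=pass smtp.mailfrom=resender@privateemail.example;
\tdmarc=pass header.from=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=20230601; c=relaxed/relaxed;
\th=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security alert
Date: Mon, 21 Apr 2025 09:58:00 +0000
Message-ID: <constructed-1@google.com>

Sign in here: https://sites.google.example/constructed-path
"""

# Constructed: the same message delivered directly by the signing domain.
LEGIT = b"""Received: from mail-sor.google.example ([192.0.2.5])
\tby mx.gmail.example with ESMTPS id xyz987
\tfor <victim@example.com>; Mon, 21 Apr 2025 09:58:10 +0000
Authentication-Results: mx.gmail.example;
\tdkim=pass header.i=@google.com header.s=20230601;
\tspf=pass smtp.mailfrom=no-reply@google.com;
\tdmarc=pass header.from=google.com
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security alert
Date: Mon, 21 Apr 2025 09:58:00 +0000
Message-ID: <constructed-2@google.com>

Sign in here: https://accounts.google.example/constructed-path
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def parse_auth_results(msg):
    """Pull DKIM result, DKIM signing domain and SPF mailfrom domain."""
    flat = " ".join(msg.get("Authentication-Results", "").split())
    dkim = re.search(r"dkim=(\w+)", flat)
    dkim_dom = re.search(r"header\.(?:i=@|d=)([\w.-]+)", flat)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", flat)
    return (
        dkim.group(1).lower() if dkim else "",
        dkim_dom.group(1).lower() if dkim_dom else "",
        _domain(mailfrom.group(1)) if mailfrom else "",
    )


def received_hops(msg):
    """Hostnames named in 'from' clauses of Received headers, newest first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", " ".join(hdr.split()))
        if m:
            hops.append(m.group(1).lower())
    return hops


def triage(raw: bytes):
    """Return a list of replay indicators; empty means nothing suspicious."""
    msg = message_from_bytes(raw, policy=default)
    from_dom = _domain(msg.get("From", ""))
    dkim_result, dkim_dom, spf_dom = parse_auth_results(msg)
    findings = []
    # Only an aligned, passing DKIM signature can carry a replay: that is
    # what makes the resent copy look authentic to DMARC.
    if dkim_result == "pass" and dkim_dom == from_dom:
        if spf_dom and spf_dom != from_dom:
            findings.append("spf-misaligned")
        expected = EXPECTED_RELAYS.get(dkim_dom, ())
        if any(not hop.endswith(expected) for hop in received_hops(msg)):
            findings.append("foreign-relays")
    return findings


if __name__ == "__main__":
    print("replayed:", triage(REPLAYED))  # two indicators
    print("legit:   ", triage(LEGIT))     # none
```

The two indicators are deliberately kept separate: an SPF domain that differs from the From domain is common in legitimate mailing-list or forwarding traffic, so on its own it is only a weak signal, but combined with a relay chain that never should have carried the signing domain's mail it is the shape of the attack the article describes. A mail filter would typically use this result to downgrade the trust shown to the recipient rather than to reject outright.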
The attack underscores a growing threat: the weaponization of trusted infrastructure. Phishing scams no longer rely on poor grammar or suspicious links.
When in doubt, never click. Report or consult a cybersecurity professional.
Steps to Take After Being Scammed
Google recently issued a four-step response to anyone who might fall victim to a scam:
- Change your passwords and ensure the scammers haven’t altered your account information.
- Contact your banks and linked accounts to halt any further fraudulent activity and access.
- Increase your security and enable: 2-Step Verification (2SV), passkey, password manager, Gmail spam protections and notifications, Safe Browsing’s Enhanced Protection mode in Chrome and use Sign in with Google to make sure you’re better protected across all of your online accounts.
- Report the crime to your local authorities and government agencies like the FBI or the Cybersecurity Authority in your country.
You can equally put your phishing detection ability to test with Google’s prepared phishing quiz to stay ahead of hackers.