New Replay Attack Puts Gmail Users At Risk Of Credential Theft


A phishing campaign is targeting Gmail users by abusing legitimate Google services rather than any weakness in the victim's own account. The attackers obtain a genuine, DKIM-signed email from Google, a security notification whose text claims that law enforcement has served Google with a subpoena for the victim's account data, and re-send it unchanged to their targets, so it passes email authentication checks. The link in the message leads to a phishing page hosted on Google Sites that imitates Google's support portal and sign-in page; credentials entered there are harvested and can be used for identity theft and unauthorized access to the victim's Google services.

Severity Level: High

THREAT OVERVIEW:

  1. Attack Mechanism
    • The emails are real Google security notifications, not forgeries: they come from no-reply@accounts.google.com, claim that law enforcement has served Google with a subpoena for the victim's account data, and contain a URL that leads to a page hosted on Google Sites styled as an official Google support page. Because the message was genuinely generated and signed by Google, it passes DKIM (DomainKeys Identified Mail), and therefore DMARC, when the attacker re-sends it. Because the landing page sits on sites.google.com, a Google-owned domain that hosts user-created content, it also passes URL reputation checks and looks trustworthy to the user.
  2. Phishing Site
    • The phishing site hosted on Google Sites closely resembles Google's official support portal and sign-in page. Because the URL is on a google.com subdomain, users who have been taught to check the domain see nothing wrong, and URL-reputation filters see a trusted host. Hosting the lure on Google's own infrastructure is what makes the campaign hard to detect; the only visible tell is that the page is on sites.google.com, where anyone can publish, rather than on accounts.google.com, where Google's real sign-in pages live.
  3. Target and Impact
    • The primary targets are Gmail users, who are led to believe their account is the subject of a legal demand. Once a victim enters credentials on the fake sign-in page, the attackers hold the victim's Google account credentials, which give access to core Google services (Gmail, Google Drive, Google Photos, Google Calendar) and to any third-party services that use "Sign in with Google" or have been linked to the account, potentially leading to identity theft and unauthorized access to sensitive data.
  4. Exploited Vulnerability
    • The attack does not break DKIM; it exploits what DKIM deliberately does not cover. A DKIM signature covers the message body and a listed set of headers (typically From, To, Subject and Date), but not the envelope recipient or the path the message takes, so a signed message stays valid when someone other than the original sender delivers it to a different mailbox. That is the replay: a legitimate, DKIM-signed Google email is resent, unmodified, to new recipients. According to the cited write-ups, the attackers got the malicious text into a signed message by creating a Google OAuth application whose name contained the subpoena lure and granting it access to a Google account they controlled; Google then sent a genuine "security alert" naming that application to the attacker's mailbox, and the attacker forwarded it to victims. Since neither the body nor the signed headers are changed, the signature verifies, DMARC passes, and the email lands in the inbox without raising suspicion.
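The following model of DKIM signing and verification is an added example written for this advisory; it is not code from the cited write-ups or from Google. It shows why an unmodified replay verifies while any edit fails: the signature covers the body hash and only the headers listed in h=, never the envelope recipient or the Received headers a relay adds. HMAC stands in for the RSA (or Ed25519) signature so the example runs with the standard library alone; the signing key, the message text, the hostnames and the sites.google.com URL are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import re

# Stand-in for the signer's private key. Real DKIM uses RSA (or Ed25519) with the
# public key published in DNS; HMAC is used here only so the example runs with the
# standard library. The replay property depends on WHAT is signed, not on the
# signature algorithm, so the conclusion carries over. (Constructed value.)
SIGNING_KEY = b"constructed-demo-key-not-a-real-google-key"


def parse_message(raw: str):
    """Split an RFC 5322 message into an ordered header list and the body."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def canonical_body(body: str) -> str:
    """'simple' body canonicalisation: CRLF line endings, trailing empty lines dropped."""
    return "\r\n".join(body.rstrip("\n").split("\n")) + "\r\n"


def canonical_headers(headers, names):
    """'relaxed'-style canonicalisation of the headers listed in h=, in h= order.
    Only these headers are covered by the signature; anything else (Received,
    the envelope recipient, extra headers a relay adds) is not."""
    out = []
    for name in names:
        for hname, hval in reversed(headers):  # last instance wins, per RFC 6376
            if hname.lower() == name.lower():
                value = re.sub(r"\s+", " ", hval).strip()
                out.append(f"{name.lower()}:{value}\r\n")
                break
    return "".join(out)


def sign(raw: str, signed_names=("from", "to", "subject", "date")) -> str:
    """Prepend a DKIM-Signature header covering the body hash and the h= headers."""
    headers, body = parse_message(raw)
    bh = base64.b64encode(hashlib.sha256(canonical_body(body).encode()).digest()).decode()
    tags = f"v=1; a=hmac-sha256; d=google.com; s=20230601; h={':'.join(signed_names)}; bh={bh}; b="
    data = canonical_headers(headers, signed_names) + f"dkim-signature:{tags}"
    b = base64.b64encode(hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).digest()).decode()
    return f"DKIM-Signature: {tags}{b}\n{raw}"


def verify(raw: str) -> bool:
    """Recompute the body hash and the signature exactly as a receiving MTA would."""
    headers, body = parse_message(raw)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if t.strip())
    bh = base64.b64encode(hashlib.sha256(canonical_body(body).encode()).digest()).decode()
    if bh != tags["bh"]:
        return False  # body was altered after signing
    cut = sig.rfind("; b=") + 4  # the signature is computed with b= empty
    data = canonical_headers(headers, tags["h"].split(":")) + f"dkim-signature:{sig[:cut]}"
    expected = hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(tags["b"]))


# Constructed message modelled on the genuine Google security alert the write-ups
# describe: Google itself sends it to the attacker's mailbox, and the attacker-chosen
# text (the OAuth application name) is already inside the signed body.
ORIGINAL = """From: Google <no-reply@accounts.google.com>
To: me@attacker-controlled.example
Subject: Security alert
Date: Tue, 15 Apr 2025 10:00:00 +0000

Google LLC was served a subpoena regarding your account.
Review the case materials at https://sites.google.com/view/example-case-portal
"""


def demo() -> dict:
    signed = sign(ORIGINAL)  # what Google's outbound MTA produces
    # Replay: the attacker's MTA forwards the signed message to a victim. The new
    # envelope recipient never appears in the message, and the Received header the
    # relay adds is not in h=, so the signature still verifies.
    replayed = "Received: from mailer.attacker-controlled.example by mx.victim.example\n" + signed
    # Any change to the signed content is caught.
    body_changed = signed.replace("Review the case materials", "Sign in immediately")
    header_changed = signed.replace("Subject: Security alert", "Subject: URGENT: subpoena")
    return {
        "original": verify(signed),
        "replayed_unchanged": verify(replayed),
        "body_changed": verify(body_changed),
        "signed_header_changed": verify(header_changed),
    }
```

Running `demo()` returns True for the original and for the replayed copy, and False for the two tampered copies. The lesson for defenders is that a passing DKIM result tells you the message is the same one Google signed; it says nothing about who delivered it or to whom it was first addressed.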

Recommendations:

  1. Advise users never to click links in unsolicited or unexpected emails, especially those urging them to "verify", "update" or "review" account details. Instead, users should reach the site by typing its address into the browser themselves.
  2. Instruct users and analysts to inspect the full email headers rather than only the displayed sender. In this campaign the From: address is genuinely no-reply@accounts.google.com and the message passes DKIM and DMARC, so the sender address alone proves nothing. The tells are elsewhere: a Received chain showing the message arriving from a non-Google host, a To: header that does not contain the recipient's own address (it still names the mailbox the message was originally sent to, because To: is covered by the signature), and a link pointing to sites.google.com, whereas Google's real sign-in pages are on accounts.google.com.
  3. Enforce MFA for all Gmail and Google Workspace accounts, preferring phishing-resistant methods (security keys or passkeys) over SMS or app-generated codes, which a credential-harvesting page can also prompt for.
  4. Advise administrators to review and disable any unrecognized or unnecessary OAuth applications connected to Google accounts. Restricting OAuth access to trusted apps limits what an attacker can do with a compromised account and reduces the likelihood of phishing techniques being used to gain app access.
  5. Encourage users to report suspicious emails directly to Google using Gmail's "Report phishing" option, and to the internal security team.
  6. Block the IOCs at their respective controls. The indicators are published in the VirusTotal collection: https://www.virustotal.com/gui/collection/e0c1deb673f477cbe5b9176e2cd2048d1db078e009ec8b7bf0d2e05f1a80fa5f/iocs
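The header checks in recommendation 2 can be scripted. The triage function below is an added example written for this advisory, not a tool from Google or from the cited write-ups; it parses a raw message with Python's standard email module and flags the three signals described above: a google.com DKIM signature on a message that arrived from a non-Google host, a To: header that does not match Delivered-To, and a link to sites.google.com. The two sample messages, their hostnames, IP addresses (documentation ranges) and signature values are constructed for the demonstration, and the list of domains treated as Google's mail infrastructure is an assumption to adjust for your environment.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: hosts under these domains are Google's own mail infrastructure.
GOOGLE_MAIL_DOMAINS = ("google.com", "googlemail.com")


def is_google_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in GOOGLE_MAIL_DOMAINS)


def received_hosts(msg) -> list:
    """The 'from <host>' of every Received header, newest hop first."""
    hosts = []
    for received in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([\w.-]+)", str(received))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def triage(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. A google.com DKIM signature is consistent only with delivery straight
    #    from Google; a non-Google hop means the signed message was relayed.
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    if m and m.group(1).lower() == "google.com":
        foreign = [h for h in received_hosts(msg) if not is_google_host(h)]
        if foreign:
            findings.append("DKIM d=google.com but relayed via non-Google host(s): " + ", ".join(foreign))

    # 2. To: is inside the signature, so the attacker cannot change it. If it does
    #    not name the mailbox that received the message, it was sent to someone else.
    to_hdr = str(msg.get("To", "")).lower()
    delivered = str(msg.get("Delivered-To", "")).lower().strip()
    if delivered and delivered not in to_hdr:
        findings.append(f"To: header '{to_hdr}' does not match Delivered-To '{delivered}'")

    # 3. Google's sign-in and account pages live on accounts.google.com; a link
    #    to sites.google.com in an account notice points at user-generated content.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if (urlparse(url).hostname or "").lower() == "sites.google.com":
            findings.append("Link to a Google Sites page: " + url)
    return findings


# Constructed replayed message: signed by Google, originally addressed to the
# attacker's mailbox, relayed to the victim through the attacker's MTA.
SUSPECT = """Delivered-To: victim@example.com
Received: from mailer.attacker-controlled.example (mailer.attacker-controlled.example [203.0.113.10]) by mx.example.com with ESMTPS; Tue, 15 Apr 2025 10:05:00 +0000
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [192.0.2.41]) by mx.attacker-controlled.example with ESMTPS; Tue, 15 Apr 2025 10:00:05 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: me@attacker-controlled.example
Subject: Security alert
Date: Tue, 15 Apr 2025 10:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Google LLC was served a subpoena regarding your account. Review the case at
https://sites.google.com/view/example-case-portal
"""

# Constructed genuine alert for comparison: direct from Google, addressed to the
# recipient, linking to Google's own account pages.
GENUINE = """Delivered-To: victim@example.com
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [192.0.2.41]) by mx.example.com with ESMTPS; Tue, 15 Apr 2025 09:00:05 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: Victim <victim@example.com>
Subject: Security alert
Date: Tue, 15 Apr 2025 09:00:00 +0000
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review activity at
https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("GENUINE", GENUINE)):
        print(name, triage(raw) or ["no findings"])
```

The relay check assumes your mail gateway records a Received header for every hop; if an upstream filtering service strips or rewrites them, adapt `received_hosts` to whatever your gateway preserves. None of these checks replaces DKIM verification; they are applied on top of a passing result, which is exactly the case this campaign produces.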

Source:

  • https://www.malwarebytes.com/blog/news/2025/04/all-gmail-users-at-risk-by-clever-replay-attack
  • https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/



Ampcus Cyber