Full Report
In what has been described as an "extremely sophisticated phishing attack," threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. "The first thing to note is that this is a valid, signed email – it really was sent from [email protected]," Nick Johnson
Analysis Summary
# Tool/Technique: DKIM Replay Attack via Google OAuth Abuse
## Overview
This technique describes an "extremely sophisticated phishing attack" that chains a Google OAuth application, Google's own alert-sending infrastructure, and third-party email forwarding services to deliver a genuine, Google-signed email whose body carries attacker-chosen text. Because the DKIM signature is intact and its signing domain aligns with the From: header, the message passes DKIM and DMARC at the receiving mail server. The lure links victims to a credential-harvesting page hosted on `sites.google.com`.
## Technical Details
- Type: Technique (Phishing/Email Spoofing)
- Platform: Email Gateways, Gmail, Google Sites
- Capabilities: Evades authentication-based email filtering. The message is not a forged header but a real Google "Security Alert" replayed from an attacker-controlled mailbox, so it verifies as originating from Google.
- First Seen: Publicly described in April 2025 in Nick Johnson's write-up of the message he received.
## MITRE ATT&CK Mapping
- **TA0042 - Resource Development**
- T1585.002 - Establish Accounts: Email Accounts (Google account for the `me@` lure domain, plus the OAuth application)
- T1583.006 - Acquire Infrastructure: Web Services (credential-harvesting page on Google Sites)
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link (no attachment is involved; the lure is a link inside the replayed alert)
- **TA0006 - Credential Access**
- T1056.003 - Input Capture: Web Portal Capture (lookalike Google sign-in form)
## Functionality
### Core Capabilities
- **Authentic Sender:** The message is a real Google "Security Alert" that Google's own signer DKIM-signed. The attacker never signs anything; the signature stays valid because the signed headers and body are not altered in transit.
- **Filter Evasion:** At the receiving mail server the DKIM signature verifies and DMARC passes, since the signing domain aligns with the `@google.com` From: header; the forwarder's own SPF result does not change that outcome. Gmail therefore renders it as a legitimate Google message.
- **Credential Harvesting:** The body links to a page on `sites.google.com` (a trusted Google subdomain) that hosts a lookalike Google Account sign-in form and captures whatever the victim types.
### Advanced Features
- **DKIM Replay:** The attacker registers a Google account for an address of the form `me@<attacker domain>`, creates an OAuth application, and grants it access to that account. Google then sends the account a genuine, DKIM-signed "Security Alert", and because the alert embeds the OAuth application's name, the attacker's phishing text lands inside the signed body. The message is then forwarded to victims through attacker-controlled SMTP and forwarding services (Jellyfish and PrivateEmail are named). Forwarding only adds trace headers and a new envelope sender, so the original DKIM signature still verifies.
- **Use of Google Sites:** Classic Google Sites still allows arbitrary scripts and embeds on `sites.google.com`, which is used to host the credential-harvesting form; the lack of an obvious abuse-reporting path makes takedown slow.
- **"me" Recipient Trick:** The To: header is `me@<attacker domain>`, so Gmail shows the message as sent "to me", exactly as it would for mail genuinely addressed to the victim, which hides that the victim was never the addressed recipient.
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A - Focus is on email delivery]
- Registry Keys: [N/A]
- Network Indicators:
- Malicious link hosted on: `sites.google[.]com`
- Relayed via custom SMTP service: `Jellyfish`
- Forwarding infrastructure mentioned: `privateemail[.]com`
- Behavioral Indicators:
- Emails showing valid DKIM but an unrelated "Mailed by" header (e.g., `"fwd-04-1.fwd.privateemail[.]com"`).
- Emails referencing a subpoena demanding action via a Google Sites link.
## Associated Threat Actors
- Not named in the source. The lure (a law-enforcement subpoena) and the delivery to a specific individual suggest a targeted rather than mass campaign, but no attribution is given.
## Detection Methods
- Signature-based detection: Difficult; the message carries a valid Google DKIM signature and links to a legitimate Google domain, so reputation and authentication checks pass.
- Behavioral detection: Flag messages whose DKIM signing domain (`d=`, rendered by Gmail as "signed by") belongs to Google while the last-hop relay (rendered as "mailed by") is an unrelated forwarding domain. Corroborating signals: a To: header of `me@<unknown domain>` that is not the recipient's own address, a `sites.google.com` link inside a purported legal or security notice, and a Date: header noticeably older than the receipt time, which is typical of replayed mail.
- YARA rules: [Not specified]
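The checks above, and the replay mechanics described under Advanced Features, as an added Python example that is not part of the original report or of any Google tooling. It builds a constructed Google-style alert, relays it the way a forwarding SMTP service would, shows that the DKIM body hash (`bh=`) still matches after relay (which is why the replayed message verifies), and then runs the signer-versus-relay triage a gateway could apply. The hostnames, DKIM selector, lure text, `lure-domain.example` and the recipient address are all constructed stand-ins, and the `b=` value is a placeholder because the RSA signature itself is not needed to show the point.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lure body in the style of a Google OAuth "access granted" alert.
# In the reported campaign the attacker's text entered the signed body through
# the OAuth application name that Google embeds in the alert.
BODY = (
    "Google Legal Support has been granted access to your Google Account.\n"
    "\n"
    "A subpoena was issued requiring production of the contents of your\n"
    "Google Account. Review the case materials here:\n"
    "https://sites.google.com/u/0/d/example-case-id/\n"
)

# Headers as Google's MTA would emit them (constructed). c=relaxed/simple means
# the body is hashed under "simple" canonicalization; b= is a placeholder.
HEADER_TEMPLATE = (
    "Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])"
    " by mx.lure-domain.example; Wed, 16 Apr 2025 00:00:00 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=accounts.google.com;"
    " s=20230601; h=from:to:subject:date:mime-version:content-type; bh={bh}; b=PLACEHOLDER\n"
    "From: Google <no-reply@accounts.google.com>\n"
    "To: me@lure-domain.example\n"
    "Subject: Security alert\n"
    "Date: Wed, 16 Apr 2025 00:00:00 +0000\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
)


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line ends, trailing empty
    lines dropped, exactly one CRLF at the end."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n")
    return (text + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()


def dkim_tag(signature: str, tag: str) -> str:
    m = re.search(rf"(?:^|;)\s*{tag}=([^;]*)", signature)
    return m.group(1).strip() if m else ""


def build_original() -> str:
    """The alert as it leaves Google's signer, addressed to the attacker's me@ mailbox."""
    return HEADER_TEMPLATE.format(bh=body_hash(BODY)) + "\n" + BODY


def relay(raw: str, relay_host: str, return_path: str) -> str:
    """What a forwarding SMTP service does: a new envelope sender and a new
    Received: line on top. Nothing listed under h= and nothing in the body changes."""
    trace = (f"Return-Path: <{return_path}>\n"
             f"Received: from {relay_host} (unknown [192.0.2.10]) by mx.victim.example;"
             " Wed, 16 Apr 2025 00:05:00 +0000\n")
    return trace + raw


def bh_matches(raw: str) -> bool:
    """Does the signed body hash still match the body that actually arrived?"""
    msg = message_from_string(raw)
    return dkim_tag(msg.get("DKIM-Signature", ""), "bh") == body_hash(msg.get_payload())


def org_domain(host: str) -> str:
    # Naive organizational domain (no public suffix list); enough for the demo.
    return ".".join(host.lower().split(".")[-2:])


def triage(raw: str, recipient: str) -> dict:
    """Gateway-side checks that do not depend on the signature being invalid."""
    msg = message_from_string(raw)
    signer = dkim_tag(msg.get("DKIM-Signature", ""), "d").lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    received = msg.get_all("Received") or []          # top-most entry is the last hop
    hop = re.match(r"from\s+(\S+)", received[0].strip()) if received else None
    last_hop = hop.group(1).lower() if hop else ""    # what Gmail renders as "mailed by"
    body = msg.get_payload().lower()
    return {
        "dkim_signer": signer,
        "last_hop": last_hop,
        "dmarc_pass_via_dkim": org_domain(signer) == org_domain(from_domain),
        "signer_relay_mismatch": org_domain(last_hop) != org_domain(signer),
        "to_is_foreign_me_alias": to_addr.startswith("me@") and to_addr != recipient.lower(),
        "google_sites_link": "sites.google.com/" in body,
        "subpoena_lure": "subpoena" in body,
    }


def is_suspected_replay(raw: str, recipient: str) -> bool:
    r = triage(raw, recipient)
    return r["dmarc_pass_via_dkim"] and r["signer_relay_mismatch"] and (
        r["to_is_foreign_me_alias"] or r["google_sites_link"])


if __name__ == "__main__":
    original = build_original()
    replayed = relay(original, "fwd-04-1.fwd.privateemail.com", "bounce@lure-domain.example")
    print("bh intact before/after relay:", bh_matches(original), bh_matches(replayed))
    print("replay suspected:", is_suspected_replay(replayed, "victim@victim.example"))
```

The body-hash check models only the `bh=` half of DKIM verification; the header hash and RSA signature are also unaffected by relaying, for the same reason, since the relay adds headers that are not listed in `h=`. The triage rule deliberately keys on the signer-versus-last-hop mismatch rather than on the signature, because the signature is genuine; a production version should also use a public suffix list instead of the naive `org_domain` and should whitelist known forwarders (mailing lists, corporate relays) that legitimately produce the same mismatch.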
## Mitigation Strategies
- **Immediate Fixes (Implemented by Google):** Google reported closing the abuse pathway that let attacker-chosen text ride inside a genuine security alert and be forwarded on.
- **User Hardening:** Passkeys are phishing-resistant because the credential is bound to the real `accounts.google.com` origin and cannot be entered on a lookalike page. App- or hardware-based two-factor authentication also raises the bar, though a harvesting page can relay one-time codes in real time, so it is weaker than a passkey.
- **Abuse Reporting:** The attack benefited from Google Sites offering no easy way to report an abusive page, which kept the harvesting page up longer than a reported phishing site would stay up.
## Related Tools/Techniques
- Phishing campaigns exploiting email routing flaws (e.g., the previously patched Proofpoint misconfiguration).
- Phishing campaigns using SVG attachments to embed malicious HTML/JavaScript.