Google issues urgent warning to Gmail users about phishing attacks from verified emails, says working on fix

This phishing attack targeting Gmail users is particularly dangerous due to how credible and authentic it appears, even to tech-savvy individuals. Here’s a breakdown of how the attack works and why it’s so effective:

🔍 How the Attack Works

  1. Spoofed Email from Verified Address:

    • Attackers send emails that appear to come from a legitimate Google address like no-reply@google.com.

    • These emails pass Google’s security checks, including DKIM (DomainKeys Identified Mail), which is meant to confirm that a message was signed by the sending domain and has not been altered in transit.

  2. Misuse of Google’s Own Services:

    • The phishing links in the emails point to a page hosted on Google’s own platform, sites.google.com, which users generally trust.

    • The link looks legitimate and often mimics a real Google support or security page.

  3. Embedding in Legitimate Email Threads:

    • The phishing email appears within existing Gmail threads—such as past genuine alerts from Google—making it seem even more trustworthy.

  4. Cloned Sign-in Page:

    • Clicking the link leads to a fake Google sign-in page, hosted on a Google subdomain.

    • It’s visually identical to the real thing and is designed to harvest user credentials.

  5. Use of OAuth and DKIM:

    • The attackers cleverly use OAuth tokens and legitimate authentication mechanisms like DKIM to bypass spam filters and user skepticism.


🛡️ What Makes This Phishing Attack So Dangerous?

  • It passes authentication: The emails are technically “verified” by DKIM and SPF, which makes spam filters less likely to catch them.

  • Uses Google’s own infrastructure: Hosting the phishing page on a google.com subdomain makes it much harder for users to spot the scam.

  • Blends with real messages: Appearing in existing Gmail threads adds to the illusion of legitimacy.

  • Targets your trust: Most people assume an email verified by Google, coming from a familiar address and domain, is safe.
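As an added example that is not part of the article, the following Python triage script (constructed sample message, hypothetical helper names) shows why the two points above should be handled separately: it reads the Authentication-Results header and the links in the body, and flags any link to a user-hosted google.com subdomain no matter whether DKIM and SPF passed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# google.com subdomains where arbitrary users can publish pages. The article names
# sites.google.com; extending the set is left to the reader (assumption).
USER_HOSTED_GOOGLE_HOSTS = {"sites.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results

def body_text(msg) -> str:
    """Decode and join the text/plain and text/html parts of a message."""
    chunks = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message: str) -> dict:
    """Flag links to user-hosted google.com pages. A DKIM/SPF pass vouches for the
    message bytes, not for where its links lead, so it never downgrades the verdict."""
    msg = message_from_string(raw_message)
    auth = auth_results(msg)
    links = URL_RE.findall(body_text(msg))
    flagged = [u for u in links
               if (urlparse(u).hostname or "").lower() in USER_HOSTED_GOOGLE_HOSTS]
    return {
        "authenticated": auth.get("dkim") == "pass" and auth.get("spf") == "pass",
        "user_hosted_google_links": flagged,
        "verdict": "review" if flagged else "pass",
    }

# Constructed sample: DKIM and SPF pass, yet the only link goes to sites.google.com.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@google.com; spf=pass
From: Google <no-reply@google.com>
Content-Type: text/plain; charset=utf-8

https://sites.google.com/view/constructed-example-path
"""
```

Running `triage(SAMPLE)` reports the message as authenticated and still returns the verdict "review" because of the sites.google.com link.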


What You Can Do to Protect Yourself

  1. Enable 2-Step Verification (2FA):

    • Even if your password is stolen, attackers won’t be able to access your account without the second factor.

  2. Use Passkeys or Hardware Security Keys:

    • These provide stronger, phishing-resistant authentication than traditional passwords.

  3. Inspect URLs Carefully:

    • Even if a domain ends in google.com, a user-hosted subdomain such as sites.google.com (for example, a link like sites.google.com/suspicious-path) can still serve attacker-controlled content.

  4. Don’t Click Suspicious Links in Emails:

    • If you receive a security alert from Google, go directly to your account settings via myaccount.google.com instead of clicking the link.

  5. Report Suspicious Emails:

    • Use Gmail’s “Report phishing” feature to help Google improve its detection systems.