Signed by Google, Weaponized by Attackers

DKIM Replay and trusted platforms used to bypass SEGs.


What is the attack?

  • A highly convincing phishing campaign abuses DKIM replay to bypass secure email gateways and impersonate Google Security Alerts. The attacker takes a genuine email that Google signed and resends it, unchanged, to new recipients; because the DKIM signature covers the original headers and body, it still verifies on every copy. The lure steers victims into entering credentials on spoofed Google Support pages hosted on Google Sites:

    • Phishing Lure: Claims of legal subpoenas and urgent access requests tied to Google accounts.

    • Spoofed URLs: sites.google.com/... linking to realistic-looking support case pages.

    • Payload: Redirects to a fake Google login page stealing credentials under the guise of "Google Legal Investigations Support."

Why did it get through?

  • DKIM Replay Abuse: Attackers resend, byte for byte, legitimate emails that Google previously DKIM-signed. The signature still verifies because the signed headers and body are unchanged, and DMARC passes on the strength of that aligned DKIM result alone, whether or not SPF passes for the attacker's sending server. Authentication proves that Google signed the message once; it says nothing about who sent this particular copy, or when.

  • Trusted Hosting (Google Sites): Hosting the phishing page on a Google-owned domain (sites.google.com) lets the link slip past reputation-based URL filtering and allow-lists, and the familiar domain lowers user suspicion.

  • Legitimate Branding: The phishing lure mimics Google’s legal or security communication style with official-sounding case numbers and formal tone.
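
To make the "why" concrete, here is an added example (written for this page, not code from Abnormal, Google, or the campaign) that inspects a constructed Google-style alert the way a gateway could: it recomputes the DKIM body hash with relaxed canonicalization, tests From/d= alignment (the reason DMARC passes), and then pulls out the signals a replayed copy still leaks. The message, selector name, Return-Path domains, link and timestamps are all constructed; the `b=` value is a placeholder, and the RSA verification over the signed headers (which needs the selector's public key from DNS) is deliberately not performed.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.utils import formatdate, parseaddr

# --- Constructed sample input (not a captured message) --------------------------
# A Google-style alert body as it would arrive after a replay; the link target
# and case wording are placeholders.
BODY = (
    "Google Legal Investigations Support\r\n"
    "\r\n"
    "A subpoena was served requiring a copy of the contents of your Google account.\r\n"
    "Review the case here: https://sites.google.com/view/example-case/home\r\n"
)
SIGNED_AT = 1_740_000_000  # constructed DKIM 't=' (original signing time, epoch seconds)


def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: trim trailing WSP on each line,
    collapse WSP runs to one space, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """The DKIM 'bh=' value: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest()).decode()


def build_sample_message(body: str, signed_at: int, return_path: str) -> str:
    """Assemble a raw RFC 5322 message whose DKIM-Signature carries a real bh=
    but a placeholder b= (no private key is involved in this example)."""
    return (
        f"Return-Path: <{return_path}>\r\n"
        "From: Google <no-reply@accounts.google.com>\r\n"
        "To: victim@example.net\r\n"
        "Subject: Security alert\r\n"
        f"Date: {formatdate(signed_at)}\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;\r\n"
        f" s=example-selector; h=from:to:subject:date; t={signed_at}; bh={body_hash(body)};\r\n"
        " b=PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n"
        "\r\n" + body
    )


def parse_dkim_tags(value: str) -> dict:
    """Parse the tag=value list of a (possibly folded) DKIM-Signature header."""
    tags = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k] = v
    return tags


def org_domain(host: str) -> str:
    # Assumption/simplification: registrable domain = last two labels.
    # Production code should use the Public Suffix List (think co.uk).
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def replay_indicators(raw: str, now: int, max_age_s: int = 24 * 3600) -> dict:
    """Show why a replayed message authenticates, and which signals still betray it."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1]
    return {
        # Body untouched -> bh= still matches, so DKIM verifies no matter who relays it.
        "body_hash_ok": tags.get("bh") == body_hash(msg.get_payload()),
        # d= aligned with From -> DMARC passes on DKIM alone; SPF is not needed.
        "dkim_aligned_with_from": org_domain(tags.get("d", "")) == org_domain(from_dom),
        # The envelope sender is where *this copy* came from; SPF is evaluated here.
        "return_path_unaligned": org_domain(rp_dom) != org_domain(from_dom),
        "no_expiry": "x" not in tags,                      # signer set no x= lifetime
        "stale_signature": "t" in tags and now - int(tags["t"]) > max_age_s,
        "body_length_limited": "l" in tags,                # l= lets a replayer append content
        "links_on_trusted_host": bool(re.search(r"https?://sites\.google\.com/", msg.get_payload())),
    }


def is_likely_replay(f: dict) -> bool:
    """Authenticates like Google, but this copy's envelope and age say otherwise."""
    return (f["body_hash_ok"] and f["dkim_aligned_with_from"]
            and f["return_path_unaligned"] and (f["stale_signature"] or f["no_expiry"]))


if __name__ == "__main__":
    replayed = build_sample_message(BODY, SIGNED_AT, "bounce@replay-infra.example")
    findings = replay_indicators(replayed, now=SIGNED_AT + 30 * 24 * 3600)
    for name, hit in findings.items():
        print(f"{name:24s} {hit}")
    print("likely replay:", is_likely_replay(findings))
```

A replayed copy and a fresh Google alert produce identical body-hash and alignment results; only the envelope sender, the signature age and the missing `x=` separate them. Treat those as scoring signals rather than a hard block, since ordinary mail forwarding also unaligns the Return-Path.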

What is required to detect and stop this attack?

  • Behavioral Analysis: Abnormal's Behavioral AI flags never-before-seen senders, unusual email content, and suspicious URLs as anomalies, which enables the detection of novel attacks.

  • Content Analysis and Natural Language Processing: Abnormal analyzes the email's content, recognizing the urgency and financial implications of the lure as indicators of a financially themed attack.