Google has confirmed a sophisticated phishing attack affecting Gmail users globally, following public disclosure by Ethereum developer Nick Johnson. The attacker exploited Google’s legitimate infrastructure, specifically Google Sites, to host malicious pages that closely mimicked official Google services. The phishing emails impersonated Google Security, claiming the user had received a legal subpoena requiring urgent action. The embedded links directed victims to highly convincing replicas of Google’s support portals, prompting users to enter their credentials. These malicious emails passed DKIM authentication, appeared to originate from trusted Google domains, and were not flagged by Gmail’s security systems. Google responded by deactivating the specific attack vector and issued public guidance urging the use of two-factor authentication and passkeys.
Analysis from our experts
This campaign exemplifies a high-risk evolution in credential phishing: the combination of social engineering with abuse of legitimate cloud platforms to bypass detection. By leveraging Google’s own infrastructure, attackers eroded traditional trust boundaries and gained credibility with users and mail filters alike. That the messages passed DKIM checks and landed within legitimate email threads indicates a mature understanding of authentication mechanisms and message hygiene. The lure, a fake legal subpoena, is tailored to provoke panic and immediate action, increasing the likelihood of success. While Google’s post-incident mitigations are timely, the delayed recognition of the exploit highlights the ongoing challenge of monitoring abuse within trusted ecosystems.
The attack also reinforces the importance of passkeys and phishing-resistant MFA as a baseline defense.
Technically, this is not novel, but operationally, it is precise, targeted and well-executed, demonstrating how adversaries are increasingly adapting to modern security controls rather than bypassing them outright.
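The summary above and the analysis that follows it make one detection point worth turning into code: a DKIM pass only vouches for the signing domain, not for where the links in the message lead. The triage script below is an added example, not Google's detection logic and not code from the original article. It parses a constructed email, reads the DKIM verdict from the Authentication-Results header, and flags the combination described on this page: a message that authenticates as a trusted domain but links to a platform where anyone can host content (here sites.google.com), paired with legal-urgency lure phrasing. The list of user-hosted domains and the lure keywords are assumptions chosen for illustration; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List
from urllib.parse import urlparse

# Domains on which any user can publish pages. A link here does not inherit
# the trust of the DKIM-signing domain. (Assumed list for this example.)
USER_HOSTED_DOMAINS = {"sites.google.com"}

# Legal/urgency phrasing typical of the subpoena lure. (Assumed keyword list.)
LURE_PATTERN = re.compile(
    r"\b(subpoena|court order|legal action|within 24 hours|immediately)\b", re.I
)

URL_PATTERN = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def parse_auth_results(value: str) -> Dict[str, str]:
    """Pull the dkim verdict and signing domain (header.d) out of Authentication-Results."""
    result: Dict[str, str] = {}
    verdict = re.search(r"dkim=(\w+)", value)
    if verdict:
        result["dkim"] = verdict.group(1).lower()
    domain = re.search(r"header\.d=([\w.-]+)", value)
    if domain:
        result["dkim_domain"] = domain.group(1).lower()
    return result


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts: List[str] = []
    candidates = msg.walk() if msg.is_multipart() else [msg]
    for part in candidates:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def link_hosts(text: str) -> List[str]:
    """Return the lowercased hostnames of every http(s) URL found in text."""
    hosts = []
    for url in URL_PATTERN.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def triage(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    text = msg.get("Subject", "") + "\n" + body_text(msg)

    user_hosted = sorted({h for h in link_hosts(text) if h in USER_HOSTED_DOMAINS})
    if auth.get("dkim") == "pass" and user_hosted:
        findings.append(
            f"dkim=pass for {auth.get('dkim_domain', '?')} but links point to "
            f"user-hosted content: {user_hosted}"
        )
    if LURE_PATTERN.search(text):
        findings.append("legal/urgency lure phrasing present")
    return findings


# Constructed sample resembling the lure described above (not a real message).
SAMPLE_LURE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=google.com
From: Google <no-reply@accounts.google.com>
Subject: Security alert: legal subpoena received for your account
Content-Type: text/plain; charset=utf-8

A subpoena has been issued for data in your account. Review the case within 24 hours:
https://sites.google.com/view/constructed-example/home
"""

# Constructed benign notice: DKIM passes and links stay on a first-party host.
SAMPLE_BENIGN = """\
Authentication-Results: mx.example.net; dkim=pass header.d=google.com
From: Google <no-reply@accounts.google.com>
Subject: New sign-in on a Linux device
Content-Type: text/plain; charset=utf-8

If this was you, no action is needed. Otherwise review activity at
https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample) or ["no findings"])
```

The check is deliberately a triage heuristic rather than a verdict: a DKIM pass from a trusted domain combined with a user-hosted destination is what made this campaign hard for filters, so surfacing that mismatch for analyst review (or routing it to a stricter link-rewriting policy) is the defensive takeaway.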