How does the phishing ‘no-reply’ email look so ‘convincing’?
Essentially, the phishers register a domain, create a Google account for ‘me@domain’, and then create a Google OAuth application where they enter the phishing message alongside some whitespace and “Google Legal Support.”
Next they grant their OAuth app access to their “me@…” Google account. This generates a “Security Alert” message from Google, sent to their “me@…” email address. Since Google generated the email, it is signed with a valid DKIM key and passes all the checks, bypassing basic cybersecurity firewalls, digital certificate validation tools and real-time phishing detection systems.
The scammers then “forward the message to their victims,” and because DKIM verifies only the message body and its signed headers, not the envelope, the forwarded message still passes signature validation and shows up as a legitimate message in the user’s inbox, even in the same thread as genuine security alerts. This bypass technique challenges many advanced threat protection (ATP) protocols and could lead to third-party legal exposure for affected platforms.
“Because they named their Google account ‘me@’, Gmail shows the message was sent to ‘me’ at the top, which is the shorthand it uses when a message is addressed to your email address — avoiding another indication that might send up red flags,” he explains, pointing to a subtle but serious gap in cloud platform security.
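To make the DKIM point concrete from the defender's side, here is an added example (not code from the article or from Google). It models which parts of a message a DKIM signature covers and shows why a replayed message still verifies after forwarding, then runs the tells described above as detection heuristics: the signed To: header not naming the actual envelope recipient, a self-addressed ‘me@’ mailbox, and a long run of blank lines padding the body. HMAC-SHA256 with a shared secret stands in for the RSA signature of a real DKIM record, and all addresses, keys and message text are constructed placeholders.

```python
"""Added example (not from the article): what a DKIM signature covers, and
defender-side heuristics for the forwarded-alert replay pattern.

Assumptions (all constructed for illustration):
- HMAC-SHA256 with a shared secret stands in for DKIM's RSA-SHA256 signature;
  which fields are signed is the point, not the algorithm.
- Header/body canonicalization approximates DKIM 'relaxed' rules.
- Domains and addresses use reserved .example names.
"""
import hashlib
import hmac
import re

# Headers covered by the constructed signature (the h= tag in a real DKIM-Signature)
SIGNED_HEADERS = ("from", "to", "subject")


def canon_header(name: str, value: str) -> str:
    """Relaxed header canonicalization: lower-case name, whitespace collapsed."""
    return f"{name.lower()}:{' '.join(value.split())}"


def canon_body(body: str) -> str:
    """Relaxed body canonicalization (approximation): collapse whitespace runs,
    strip trailing whitespace, drop trailing empty lines, CRLF line endings."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.splitlines()]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def sign(headers: dict, body: str, key: bytes) -> str:
    """Signature over the selected headers plus the body hash. Note what is
    absent: the SMTP envelope (MAIL FROM / RCPT TO) is never an input."""
    body_hash = hashlib.sha256(canon_body(body).encode()).hexdigest()
    header_block = "\r\n".join(canon_header(h, headers.get(h, "")) for h in SIGNED_HEADERS)
    msg = (header_block + "\r\n" + body_hash).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(headers: dict, body: str, key: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(headers, body, key), signature)


def replay_indicators(headers: dict, body: str, rcpt_to: str) -> list:
    """Heuristics a receiving gateway can apply AFTER DKIM passes. They key on
    the mismatch between the signed To: header and the envelope recipient,
    which a plain forward cannot hide without breaking the signature."""
    findings = []
    to = headers.get("to", "")
    if rcpt_to.lower() not in to.lower():
        findings.append(f"signed To: '{to}' does not include envelope recipient {rcpt_to}")
    if re.match(r"^\s*me@", to, re.I):
        findings.append("signed To: header is a self-addressed 'me@' mailbox")
    if re.search(r"(\r?\n[ \t]*){8,}", body):
        findings.append("body contains a long run of blank lines (padding before the real footer)")
    return findings


def demo() -> dict:
    """Constructed walkthrough: a replayed alert versus a genuine one."""
    key = b"constructed-selector-key"  # stand-in for the signer's private key

    # Replay case: alert generated for the attacker's own 'me@' mailbox, then forwarded.
    replay_headers = {
        "from": "no-reply@accounts.mailer.example",
        "to": "me@attacker.example",
        "subject": "Security alert",
    }
    replay_body = (
        "A third-party app was granted access to your account.\n"
        "Constructed phishing text here\n" + "\n" * 12 +
        "Legal Support\nThis notification was sent to me@attacker.example\n"
    )
    sig = sign(replay_headers, replay_body, key)
    # Forwarding changes only the envelope; headers and body are untouched.
    victim = "victim@corp.example"

    # Genuine case: the alert really was addressed to the recipient.
    real_headers = dict(replay_headers, to=victim)
    real_body = "A new sign-in was detected on your account.\n"
    real_sig = sign(real_headers, real_body, key)

    return {
        "replay_verifies_after_forward": verify(replay_headers, replay_body, key, sig),
        "replay_indicators": replay_indicators(replay_headers, replay_body, victim),
        "genuine_verifies": verify(real_headers, real_body, key, real_sig),
        "genuine_indicators": replay_indicators(real_headers, real_body, victim),
        "tampered_verifies": verify(replay_headers, replay_body + "edited\n", key, sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting: the check does not try to re-derive trust from the signature (it is genuinely valid), it cross-checks what the signature froze, namely the To: header, against something the forwarder cannot sign, the envelope recipient. Rewriting To: to match the victim would break the signature, which is exactly why the replayed message carries the ‘me@’ tell.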
The ‘two vulnerabilities in Google infrastructure’
Johnson explains that the “fake portal is fairly straightforward”, since users can “host content on a subdomain.” This opens risks related to cloud hosting abuse, digital platform liability and zero-trust security policy enforcement.