OAuth and DKIM Exploited in Widespread Gmail Phishing Attack

-


A highly advanced phishing campaign has emerged, targeting Gmail’s massive user base of over 3 billion by leveraging legitimate Google services to evade standard email defenses. The attackers are using OAuth-based applications and exploiting DomainKeys Identified Mail (DKIM) validation techniques to craft messages that mimic genuine Google security alerts—effectively slipping past traditional security filters and even multi-factor authentication (MFA).



These phishing messages are cleverly disguised as critical security warnings, such as notices about legal subpoenas or urgent account issues. Because the emails are cryptographically signed and technically legitimate, they land directly in users’ inboxes with no spam or phishing warnings, often appearing in the same conversation thread as real messages from Google.

The phishing mechanism directs recipients to fake Google Support pages hosted on sites.google.com—a trusted domain—rather than the legitimate accounts.google.com authentication portal. According to Melissa Bischoping, Head of Security Research at Tanium, “This attack utilizes a combination of OAuth app abuse and an inventive DKIM bypass to sidestep defenses that are specifically designed to prevent this type of exploit.”



To defend against such evolving threats, Google recommends users shift toward more robust security measures. One of the most effective is the adoption of passkeys, which are device-bound credentials that rely on biometrics or PINs instead of passwords—making them significantly more resistant to phishing. Other safety tips include activating phishing-resistant security keys, keeping recovery information current, and treating unexpected security alerts with suspicion.

Users are also urged to verify the domain of any Google login prompt—ensuring it’s hosted on accounts.google.com—and to be skeptical of messages with ambiguous greetings or pressure-filled language demanding immediate personal info. These recommendations align with broader industry trends, such as Microsoft’s move to integrate native passkey support as part of its own push for more secure authentication. 

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks

-
Image
  A new Android malware-as-a-service (MaaS) platform named  SuperCard X   can facilitate near-field communication (NFC ) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said. The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp...
Read more