OAuth and DKIM Exploited in Widespread Gmail Phishing Attack
A highly advanced phishing campaign has emerged, targeting Gmail's user base of over 3 billion accounts by leveraging legitimate Google services to evade standard email defenses. The attackers are using OAuth-based applications and exploiting DomainKeys Identified Mail (DKIM) validation techniques to craft messages that mimic genuine Google security alerts—effectively slipping past traditional security filters and even multi-factor authentication (MFA). These phishing messages are disguised as critical security warnings, such as notices about legal subpoenas or urgent account issues. Because the emails are cryptographically signed and technically legitimate, they land directly in users' inboxes with no spam or phishing warnings, often appearing in the same conversation thread as real messages from Google. The phishing mechanism directs recipients to fake Google Support pages hosted on sites.google.com—a trusted domain—rather than the legitimate accounts.google.com authentic...
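As an added defender-side example (not code from the article, from Google, or from the attackers), the Python check below parses a constructed message, reads the DKIM signing domain from the header, and flags a Google-signed "security alert" whose links lead to user-hosted sites.google.com pages instead of accounts.google.com; the host lists and subject keywords are assumptions, and the DKIM signature values are placeholders rather than a verified signature.

```python
"""Flag Google-signed 'security alert' mail whose links lead to user-hosted
sites.google.com pages rather than accounts.google.com (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

ACCOUNT_HOSTS = {"accounts.google.com", "myaccount.google.com"}  # assumed legitimate hosts
USER_HOSTED = {"sites.google.com"}  # any Google user can publish pages here (assumption)
ALERT_WORDS = re.compile(r"security alert|subpoena|suspicious", re.I)  # assumed keywords
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def signing_domain(msg):
    """Return the d= tag of the DKIM-Signature header, or None if absent."""
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1) if m else None

def link_hosts(msg):
    """Collect the hostname of every URL found in text/plain and text/html parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                hosts.add((urlparse(url).hostname or "").lower())
    return hosts

def assess(raw):
    """Return the signing domain, the link hosts and a list of findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    d, hosts = signing_domain(msg), link_hosts(msg)
    findings = []
    if d and d.endswith("google.com") and hosts & USER_HOSTED:
        findings.append("google-signed message links to user-hosted sites.google.com")
    if ALERT_WORDS.search(msg.get("Subject", "")) and not hosts & ACCOUNT_HOSTS:
        findings.append("security-alert subject but no link to accounts.google.com")
    return {"signing_domain": d, "hosts": sorted(hosts), "findings": findings}

# Constructed sample resembling the replayed alert described above; bh=/b= are placeholders.
SUSPICIOUS = """DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert: legal subpoena for your account data
Content-Type: text/plain; charset=utf-8

A subpoena was received for your account. Review the case file here:
https://sites.google.com/view/support-case/home
"""
```

Run `assess(SUSPICIOUS)` to see both findings; the same message with its link rewritten to accounts.google.com produces none.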