Got a weird email from Google? Read this before opening.

Phishing has been a cat-and-mouse game for years now, as tech companies thwart various types of scams only for more to pop up. However, a new phishing email doing the rounds somehow appears to pass Google and Gmail checks.

Developer Nick Johnson revealed on Twitter that he was recently targeted by a complex phishing attack that appeared to originate from Google. Johnson noted that the email was sent from no-reply@accounts.google.com and that it was actually signed by accounts.google.com. He also noted that Gmail didn’t show any warnings in the email.

The email then directs users to a sites.google.com link which turns out to be a fake support page. It’s worth noting that Google Sites is a Google service that allows users to create their own websites. The attackers clearly chose this website to host their fake page as unsuspecting people might think it’s a legitimate Google page. Check out the fake support page below, and note the URL. Clicking the “view case” or “upload additional documents” buttons apparently takes you to a fake sign-in page that’s also hosted on sites.google.com. 

Johnson said this phishing email was made possible by two issues that Google initially refused to fix. For one, he called on Google to disable “scrips and arbitrary embeds” on Google Sites. Johnson also took issue with the attacker’s email, which was signed by accounts.google.com. However, a closer look at the “mailed-by” category in the first image reveals that the email originated from a privateemail.com address. So how was the phishing email signed by Google?

It turns out that the attackers registered a domain and created a Google account associated with it. From here, Johnson said they created a Google OAuth app and used the entire phishing email as the app name. The attackers then give their newly created Google account access to this OAuth app, resulting in a signed security notification email being sent from Google. This message then gets forwarded to victims, resulting in the phishing email seen in the first image.

Johnson submitted a bug report, but Google initially closed it and claimed that this was intended behavior. However, he later reported that Google changed its mind and would now fix this authentication issue.

In any event, this is a very convincing phishing email so you should definitely keep an eye out for any similar attacks. In fact, we previously reported a similar phishing scam late last year, which saw a fake security recovery email being sent to users. This earlier scam also saw attackers spoofing Google email addresses and making calls with Google call IDs to convince victims.