New Gmail Phishing Attack Uses Real Google Email to Trick Users

A new phishing scam targeting Gmail users uses Google Sites to mimic login pages and bypass security. Google confirms exploit and rolls out fixes.

21 April 2025 2:43 PM IST

On Monday, April 21, 2025, a phishing campaign targeting Gmail accounts exploited a gap in Google’s authentication systems to harvest user credentials.

Developer Nick Johnson first signaled the attack in a post on X, showing an email styled like an official Google support notice. The message claimed that Johnson’s account data had been released to law enforcement under a subpoena to Google LLC and offered a link to review or contest the case via a “Google Support Case.”

The email appeared to originate from a Google no‑reply address, passed DomainKeys Identified Mail (DKIM) checks and landed in the same thread as genuine Google alerts. Clicking the link led victims to a sites.google.com URL that mimicked Google’s support portal. Options labeled “Upload additional documents” and “View case” redirected users to a sign‑in form that collected Gmail usernames and passwords.

A closer look at the sign‑in URL reveals sites.google.com, not accounts.google.com, the genuine login endpoint for Google services. The scam leverages the google.com namespace provided free by Google Sites, lowering users’ suspicion when they encounter the familiar domain.

Inspecting the email headers shows a “mailed‑from” address on a privateemail.com domain, even though the DKIM signature validates under no-reply.google.com. That combination lets the phishing message bypass standard spam filters and appear alongside legitimate notifications.
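The two tells described above (a bounce path on a different organisation than the visible sender even though DKIM passes, and a login link hosted on Google Sites rather than accounts.google.com) can be turned into a simple mail-filter heuristic. The script below is an added example written for this article, not code from Google or the researcher; the two messages it parses are constructed to match the article's description, every signature token is a placeholder, and it only reads the DKIM `d=` tag rather than verifying the signature cryptographically.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

GOOGLE_LOGIN_HOST = "accounts.google.com"  # genuine login endpoint named in the article
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message modelled on the article: bounce address on privateemail.com,
# DKIM signing domain google.com, link to a Google Sites page. Tokens and the
# Sites path are placeholders, not the campaign's real values.
PHISH = """\
Return-Path: <bounce@privateemail.com>
Received: from mail.privateemail.com (placeholder) by mx.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=placeholder;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Notice of subpoena
Content-Type: text/plain; charset=utf-8

A legal request for your account data was received.
Review the case: https://sites.google.com/view/case-review-example/
"""

# Constructed benign alert for comparison: bounce path and link both on Google hosts.
LEGIT = """\
Return-Path: <bounce@accounts.google.com>
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=placeholder;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Review recent activity at https://accounts.google.com/
"""


def _domain(addr_header) -> str:
    """Lower-cased domain part of an address header ('' if absent)."""
    addr = parseaddr(str(addr_header or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def dkim_domains(msg) -> list:
    """Signing domains (d= tag) of every DKIM-Signature header, in order."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
        if m:
            found.append(m.group(1).lower())
    return found


def analyse(raw: str) -> dict:
    """Parse one raw RFC 5322 message and return the extracted fields plus findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))  # the host Gmail shows as "mailed-by"
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    sites_links = [u for u in urls if urlparse(u).hostname == "sites.google.com"]

    findings = []
    # Check 1: the bounce path belongs to a different organisation than the
    # visible From: domain. A valid DKIM signature does not rule this out.
    if rp_dom and from_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"return-path domain {rp_dom} does not match From domain {from_dom}")
    # Check 2: a link into free Google Sites hosting, which stays inside the
    # google.com namespace but is not where Google sign-in lives.
    for u in sites_links:
        findings.append(f"link to Google Sites instead of {GOOGLE_LOGIN_HOST}: {u}")

    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "dkim_domains": dkim_domains(msg),
        "sites_links": sites_links,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = analyse(raw)
        print(label, result["findings"] or "no findings")
```

The heuristic is deliberately conservative: a bounce address on a subdomain of the From domain (as in the benign sample) is not flagged, so it will not fire on ordinary Google alerts, while the combination of an unrelated Return-Path and a Google Sites link, as described for this campaign, produces two findings.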

Google has acknowledged the flaw in its OAuth and DKIM processes and is deploying updates to close the loopholes. The company recommends users reinforce account security by enabling two‑factor authentication and passkeys, verifying link domains before clicking and watching for unusual page layouts or excessive blank space on login screens.
