DKIM Replay Attack Exploits Google Infrastructure in Sophisticated Phishing Scheme

A sophisticated phishing campaign used a DKIM replay exploit and Google Sites to spoof legitimate Google emails, prompting urgent scrutiny of Google’s infrastructure.

 

Cybersecurity threats are growing more advanced, and a recent case illustrates how attackers are now exploiting trusted infrastructure to bypass user defenses. In a detailed thread on X (formerly Twitter), @nicksdjohnson, lead developer of the Ethereum Name Service (ENS), shared how he was targeted by a remarkably convincing phishing campaign that appeared to originate from Google itself.

What sets this campaign apart is its legitimacy at a technical level. The phishing email passed all major authenticity checks—DKIM, SPF, and DMARC—and was delivered without any warnings. Most alarmingly, the email was sent from no-reply@google.com, and Gmail treated it as part of an existing, legitimate thread of security alerts.

Email Header Overview

This is the phishing email as it appeared in Gmail. Notice how it is signed by accounts.google.com and appears authentic to even advanced users.

The Anatomy of the Attack

The attacker’s methodology involved two key vulnerabilities in Google’s infrastructure:

1. Exploiting Google Sites for Phishing Portals

Attackers created a fake “support portal” using sites.google.com, a legacy service allowing users to host custom content under a Google-owned domain. Despite the official-looking URL, the page mimicked Google’s UI and was designed to harvest credentials.

A convincing “support case” dashboard hosted on Google Sites. Even advanced users may not notice this isn’t part of Google’s secure account infrastructure.

Clicking on links like “Upload additional documents” leads to a fake Google login form, also hosted on Google Sites—designed to harvest credentials.

2. Weaponizing OAuth Alerts to Send Signed Emails

This is where the attack becomes technically sophisticated:

  • A Google account was created with the address me@domain.com.
  • An OAuth app was created with the full phishing message as the application name.
  • When Google issued a legitimate OAuth alert to the me@... address, it was signed using Google’s infrastructure.
  • The attacker forwarded that email to a target—bypassing security checks and preserving Google’s signature.

The phishing message references a “subpoena” and includes an embedded link hosted on Google Sites.

Despite being sent via a third-party relay (fwd.privateemail.com), the email retains Google’s DKIM signature—appearing completely legitimate.

Because the attacker used “me@...” as the account, Gmail shows the alert as being sent “to me,” which is Gmail’s standard shorthand for your own address.

Google’s Response

Despite the severity of the exploit, Google declined to take action. Johnson filed a bug report which was closed with the status “Won’t Fix (Intended Behavior).”

The Takeaway

This incident demonstrates that attackers no longer rely on typos or suspicious links. By using trusted infrastructure and valid signatures, phishing emails are now indistinguishable from legitimate messages—even to experts.

  • Never rely solely on a message’s domain, authentication status, or visual design to determine legitimacy.
  • Verify login pages manually—don’t follow embedded links, especially in urgent-sounding emails.
  • Escalate any suspicious messages to your security team for sandbox analysis.

For a full technical breakdown of this phishing technique, read EasyDMARC’s analysis and view @nicksdjohnson’s thread on X.

Customer Stories

See how leading enterprise in-house teams have scaled smarter with Legal.io's high-caliber flex talent.

More from Legal.io


Legal.io Newsletter - September 2, 2022
Legal.io Newsletter - September 2, 2022

Published weekly on Friday, the Legal.io Newsletter covers the latest in legal, talent & tech.

Sep 02, 2022
Read More
Children Born Outside US Can Gain Citizenship Derivatively Through Parents
Children Born Outside US Can Gain Citizenship Derivatively Through Parents

When a child is born outside the United States it seems logical that the child would not be granted automatic US citizenship.

Aug 19, 2015
Read More
Federal Privacy Rights Act Creates Confusion on Children's Data

The APRA integrates children's privacy into broader consumer privacy programs, requiring companies to obtain affirmative consent for transferring minors' sensitive data.

May 28, 2024
Read More
4chan Rejects UK Online Safety Act Fines, Turns to Trump Administration for Support

4chan refuses to pay UK Online Safety Act fines, claiming extraterritorial overreach, and asks the Trump administration to push back against enforcement.

Aug 22, 2025
Read More
Ready to hire?

Schedule a free consultation to discuss your hiring needs.

Free 15-min consultation
Legal.io Platform
5 star reviews
Hiring made smarter

Easy-to-use platform for hiring legal talent, managing spend, and optimizing your panel — plus an average savings of 50%.

Need Immediate Help?

Submit a hiring request and let our experts handle the entire process for you.