DKIM Replay Attack Exploits Google Infrastructure in Sophisticated Phishing Scheme

A sophisticated phishing campaign used a DKIM replay exploit and Google Sites to spoof legitimate Google emails, prompting urgent scrutiny of Google’s infrastructure.


Cybersecurity threats are growing more advanced, and a recent case illustrates how attackers are now exploiting trusted infrastructure to bypass user defenses. In a detailed thread on X (formerly Twitter), @nicksdjohnson, lead developer of the Ethereum Name Service (ENS), shared how he was targeted by a remarkably convincing phishing campaign that appeared to originate from Google itself.

What sets this campaign apart is its legitimacy at a technical level. The phishing email passed all major authenticity checks—DKIM, SPF, and DMARC—and was delivered without any warnings. Most alarmingly, the email was sent from no-reply@google.com, and Gmail treated it as part of an existing, legitimate thread of security alerts.

Email Header Overview

This is the phishing email as it appeared in Gmail. Notice how it is signed by accounts.google.com and appears authentic to even advanced users.

The Anatomy of the Attack

The attacker’s methodology involved two key vulnerabilities in Google’s infrastructure:

1. Exploiting Google Sites for Phishing Portals

Attackers created a fake “support portal” using sites.google.com, a legacy service allowing users to host custom content under a Google-owned domain. Despite the official-looking URL, the page mimicked Google’s UI and was designed to harvest credentials.

A convincing “support case” dashboard hosted on Google Sites. Even advanced users may not notice this isn’t part of Google’s secure account infrastructure.

Clicking on links like “Upload additional documents” leads to a fake Google login form, also hosted on Google Sites—designed to harvest credentials.

2. Weaponizing OAuth Alerts to Send Signed Emails

This is where the attack becomes technically sophisticated:

  • A Google account was created with the address me@domain.com.
  • An OAuth app was created with the full phishing message as the application name.
  • When Google issued a legitimate OAuth alert to the me@... address, it was signed using Google’s infrastructure.
  • The attacker forwarded that email to a target—bypassing security checks and preserving Google’s signature.

The phishing message references a “subpoena” and includes an embedded link hosted on Google Sites.

Despite being sent via a third-party relay (fwd.privateemail.com), the email retains Google’s DKIM signature—appearing completely legitimate.

Because the attacker used “me@...” as the account, Gmail shows the alert as being sent “to me,” which is Gmail’s standard shorthand for your own address.
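The forwarding step above is what makes this a replay rather than a forgery: the DKIM signature is genuine, it simply covers a message that was addressed to the attacker's own mailbox and then redirected. An added illustration, not code from the original thread, EasyDMARC or Google, of how a receiving mail team can flag that pattern from headers alone. It assumes the receiving MTA knows the address it actually delivered to (the SMTP RCPT TO value, passed in as `delivered_to`); the hostnames, selector, signature values and addresses in the sample headers are constructed placeholders. Three indicators are checked: the signature does not cover the To header, the delivered-to address is absent from the signed To/Cc headers, and the last Received hop came from a host outside the signing domain's organization.

```python
"""Heuristic indicators of a replayed DKIM-signed message (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses


def org_domain(host: str) -> str:
    """Crude organizational domain: last two DNS labels (heuristic, not PSL-aware)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dkim_tags(signature: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in signature.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def replay_indicators(raw_message: str, delivered_to: str) -> list:
    """Return a list of replay indicators found in the message headers (empty if none)."""
    msg = message_from_string(raw_message)
    signature = msg.get("DKIM-Signature")
    if signature is None:
        return ["no-dkim-signature"]
    tags = parse_dkim_tags(signature)
    signing_domain = tags.get("d", "")
    signed_headers = [h for h in tags.get("h", "").lower().split(":") if h]
    findings = []

    # 1. A signature that does not cover To lets a replayer swap recipients freely.
    if "to" not in signed_headers:
        findings.append("to-header-not-signed")

    # 2. The mailbox we delivered to is not named in the (signed) To/Cc headers.
    addressed = {addr.lower() for _, addr in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if delivered_to.lower() not in addressed:
        findings.append("recipient-not-in-signed-to")

    # 3. The most recent hop (first Received header) is a host outside the signer's organization,
    #    i.e. the message reached us via a third-party relay rather than from the signer's MTAs.
    received = msg.get_all("Received", [])
    if received:
        hop = re.match(r"\s*from\s+(\S+)", received[0])
        if hop and org_domain(hop.group(1)) != org_domain(signing_domain):
            findings.append("last-hop-outside-signing-domain")
    return findings


# Constructed sample: a signed alert addressed to the attacker's "me@" mailbox and then
# forwarded through a third-party relay to a victim who never appears in the signed headers.
SAMPLE_REPLAY = """\
Received: from fwd.relay.example (fwd.relay.example [192.0.2.10])
    by mx.victim.example with ESMTPS; Wed, 16 Apr 2025 10:00:00 +0000
Received: from mail-sor.google.com (mail-sor.google.com [198.51.100.5])
    by fwd.relay.example with ESMTPS; Wed, 16 Apr 2025 09:58:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
    s=constructed; h=to:from:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: me@attacker-mailbox.example
Subject: Security alert
Date: Wed, 16 Apr 2025 09:57:00 +0000

(body omitted)
"""

# Constructed sample: the same kind of alert delivered directly to its signed recipient.
SAMPLE_LEGIT = """\
Received: from mail-sor.google.com (mail-sor.google.com [198.51.100.5])
    by mx.victim.example with ESMTPS; Wed, 16 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
    s=constructed; h=to:from:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: Victim <victim@victim.example>
Subject: Security alert
Date: Wed, 16 Apr 2025 09:57:00 +0000

(body omitted)
"""

if __name__ == "__main__":
    print("replay:", replay_indicators(SAMPLE_REPLAY, "victim@victim.example"))
    print("legit: ", replay_indicators(SAMPLE_LEGIT, "victim@victim.example"))
```

These checks are scoring inputs for a reviewer or a mail-filter rule, not a block decision on their own: ordinary forwarding and mailing lists also trip the last-hop check, which is why forwarders are expected to add ARC headers. On the signing side, the standard mitigations are to sign (and oversign) the recipient headers and to set a short `x=` expiry so a captured signature cannot be reused days later.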

Google’s Response

Despite the severity of the exploit, Google declined to take action. Johnson filed a bug report, which was closed with the status “Won’t Fix (Intended Behavior).”

The Takeaway

This incident demonstrates that attackers no longer rely on typos or suspicious links. By using trusted infrastructure and valid signatures, phishing emails are now indistinguishable from legitimate messages—even to experts.

  • Never rely solely on a message’s domain, authentication status, or visual design to determine legitimacy.
  • Verify login pages manually—don’t follow embedded links, especially in urgent-sounding emails.
  • Escalate any suspicious messages to your security team for sandbox analysis.

For a full technical breakdown of this phishing technique, read EasyDMARC’s analysis and view @nicksdjohnson’s thread on X.
