
Billions of Gmail users at risk: Developer shares email that he says 'exploits vulnerability in Google's infrastructure'; Google responds

In a phishing campaign described as highly sophisticated, attackers are said to have abused Google's own infrastructure to deliver deceptive emails that appear to come from a legitimate Google address, in order to trick recipients into handing over their login credentials. The attack, brought to light by Nick Johnson, lead developer of the Ethereum Name Service (ENS), involved emails sent from no-reply@google.com that passed DomainKeys Identified Mail (DKIM) authentication, so Gmail displayed them as authentic Google security alerts. Note what a passing DKIM check does and does not establish: it proves that the signed headers and body were signed with Google's key and have not been altered since, not that Google composed the message for the recipient or sent it directly to them.

“These emails are valid, signed, and display no warnings in Gmail,” Johnson said on X (formerly Twitter). “They appear in the same thread as real Google security alerts, making them even more convincing.”


The emails claim to notify recipients of a subpoena involving unspecified content from their Google Account and prompt users to click a sites.google.com link to “examine the case materials” or “submit a protest.” The link leads to a counterfeit Google Support page hosted on Google Sites, where users are asked to either “upload additional documents” or “view [the] case.” These buttons redirect to a near-perfect replica of the Google Account sign-in page—designed to harvest user credentials.

“The only hint it’s a phishing attack is that it’s hosted on ‘sites.google.com’ instead of ‘accounts.google.com’,” Johnson noted.

Johnson warned that the realistic design and subtle domain differences make the phishing attempt especially dangerous. “These scams are designed to look as real as possible,” he said. “Users who don’t spot the slightly altered domain could risk identity theft or financial loss.”
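To make that hostname check concrete, the following is an added Python example (not code from the article, from Johnson, or from Google) that pulls the links out of a constructed copy of such a lure and classifies each one by the host that would receive whatever the user types. The sample HTML and the host lists are assumptions for illustration. The rule it applies: only an https URL whose host is exactly accounts.google.com counts as the genuine sign-in page; Google-owned hosts that serve user-authored content, such as sites.google.com, are flagged separately because a convincing page there says nothing about who wrote it; everything else, including look-alike hosts and URLs that hide the real host behind a user-info prefix, is untrusted.

```python
"""Triage links in a suspicious 'Google security alert' email.

Added example for this article; not Google's or Johnson's code.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The only host that serves the real Google Account sign-in page.
GENUINE_SIGNIN_HOST = "accounts.google.com"

# Google-owned hosts whose page content is authored by arbitrary users.
# Assumed list for this example; extend it to suit your environment.
USER_CONTENT_HOSTS = frozenset({"sites.google.com", "docs.google.com", "drive.google.com"})


def classify_link(url: str) -> str:
    """Return 'genuine', 'user-content' or 'untrusted' for one URL.

    urlsplit().hostname is already lower-cased and excludes any
    'user:pass@' prefix, so 'https://accounts.google.com@evil.example/'
    resolves to evil.example and is rejected. A trailing dot on the host
    is stripped so 'accounts.google.com.' is not treated as a different host.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "untrusted"
    if parts.scheme.lower() != "https" or not host or port not in (None, 443):
        return "untrusted"
    if host == GENUINE_SIGNIN_HOST:
        return "genuine"
    if host in USER_CONTENT_HOSTS:
        return "user-content"
    # Covers look-alikes such as accounts.google.com.example.net,
    # punycode domains and anything else not explicitly known.
    return "untrusted"


class _HrefCollector(HTMLParser):
    """Collect href targets of <a> tags from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def triage_email(html_body: str) -> dict[str, str]:
    """Map every link in the body to its classification."""
    collector = _HrefCollector()
    collector.feed(html_body)
    return {href: classify_link(href) for href in collector.hrefs}


# Constructed lure modelled on the one described in the article:
# a 'subpoena' notice whose buttons lead to Google Sites and to a
# credential page hidden behind a user-info prefix. Not a real email.
LURE_HTML = """
<p>A subpoena has been issued requiring production of content from your Google Account.</p>
<a href="https://sites.google.com/view/case-materials">examine the case materials</a>
<a href="https://accounts.google.com@example.net/signin">submit a protest</a>
<p>Manage your account at <a href="https://accounts.google.com/signin/v2/identifier">Google Account</a>.</p>
"""

if __name__ == "__main__":
    for link, verdict in triage_email(LURE_HTML).items():
        print(f"{verdict:12s} {link}")
```

Run as a script it prints one verdict per link. The `user-content` verdict is the interesting one for this case: the host is genuinely Google's, the TLS certificate is genuinely Google's, and the page is still a phishing page, so a check that only asks "is this a google.com address?" is not enough.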

Google on hackers 'misusing' its infrastructure
Google confirmed the attack and stated it has since closed the loophole that allowed the abuse. “We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse,” a Google spokesperson told The Hacker News. “We encourage users to adopt two-factor authentication and passkeys for stronger protection.”

The company reiterated that it never asks for account credentials, including passwords, one-time codes (OTPs) or approval of sign-in prompts, by email or phone. Rather than following links in an unexpected security email, Google advised users to open a separate browser window and navigate to their Google Account directly to see whether a genuine alert is present. Google also noted that when it receives a legitimate government request for account information, its policy is to notify the affected user in advance unless it is legally prohibited from doing so.

Cybersecurity experts' safety tips for Gmail users
Cybersecurity experts caution that Gmail users, particularly those not using two-factor authentication or passkeys, are at heightened risk. A password typed into a convincing replica page is simply captured, and a one-time code typed there can be relayed to the real site before it expires. Passkeys are different: they are public-key credentials bound to the legitimate site's domain, so they cannot be used on a look-alike page at all, which is what makes them phishing-resistant.

To avoid falling victim, users should be skeptical of emails that use vague greetings, urgent calls to action, or links requesting personal data, and should confirm that the address bar shows accounts.google.com before entering a Google password anywhere.
