Cybercriminals have found a way to send fake emails that appear to come from “[email protected]” – a trusted email address that most people would not question. This new phishing attack is highly convincing and has even tricked experienced developers.
Nick Johnson, the lead developer of the Ethereum Name Service (ENS), recently received an email that looked like a real security alert from Google. The message claimed that law enforcement had requested access to his Google account. It looked completely legitimate and passed all email security checks, making it hard to spot as fake.
He also shared more screenshots explaining how this email was actually a phishing attack.
How the Attack Works
This scam is known as a DKIM replay phishing attack. DKIM (DomainKeys Identified Mail) is a method used to verify that an email was truly sent by a trusted source. If an email passes DKIM checks, email services like Gmail usually treat it as safe and not spam. That is what makes this attack so dangerous.
Here’s how the hackers pulled it off:
- They create a Google account using an email address like [email protected].
- They build a Google OAuth app and set the app’s name to a long message. This message is actually the phishing content, claiming that a subpoena was issued.
- They grant access to this app using their own Google Workspace account.
- When they do this, Google sends a notification email to [email protected]. The phishing message appears in the notification because Google uses the app name in the body of the email.
- The attacker forwards that email to the victim. Since Google originally generated it, the message is signed with Google’s DKIM key and passes all checks.
The message looks like it was sent by Google, but its content was actually crafted by the attacker. The trick is that the unusual parts of the content are placed where most people will not notice them, unless they scroll all the way down or check the full email headers.
The phishing message shows up as a genuine security alert and appears alongside real alerts in the user’s inbox. The hackers also use Google Sites to host the phishing page. The fake support portal looks exactly like Google’s real login page, but the URL is sites.google.com instead of accounts.google.com.
Johnson said, “The only hint it’s a phish is that it’s hosted on sites.google.com.”
Less technical users are at greater risk because they might not know to check the details, like the URL or email headers.
This attack takes advantage of the fact that DKIM signs and verifies the email’s content and selected headers, but not the SMTP envelope, which carries the real delivery details. Since the attacker owns the original recipient address (like [email protected]), Google thinks everything is normal and sends the alert with its trusted DKIM signature.
This signature fools Gmail and other email clients into believing the message came from “[email protected]” – even though it did not.
This is not the only platform where the trick has been used. A similar scam targeted PayPal users. In that case, attackers abused the “gift address” feature in PayPal. They added a fake message in one of the fields, then had PayPal send a confirmation email to that address. That message was then forwarded to others.
Again, the email passed DKIM checks because it was originally sent by PayPal’s systems.
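Both the Google and the PayPal cases above follow the same pattern: a genuinely signed notification is forwarded to someone the platform never addressed, and the DKIM signature survives because the signed headers and body are untouched. What does change on a replay is the unsigned envelope and transport data (Return-Path, Received, Delivered-To). The following Python script is an added example, not code from the article or from Google or PayPal; it reads a raw message and reports replay indicators from exactly those headers. All domains, hosts and addresses in it are constructed placeholders, and the checks are heuristics to be tuned for a real mail pipeline.

```python
"""Header-based indicators that a DKIM-signed notification was replayed.

Added example, not code from the original article. All domains, addresses
and hosts below are constructed placeholders."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed: a platform notification (signed by "notifier.example") that
# was relayed onward by "attacker-mta.example" to someone the platform never
# addressed. The DKIM signature still verifies because the signed headers
# and body are untouched.
SAMPLE_REPLAYED = """\
Delivered-To: victim@victim.example
Return-Path: <relay@attacker-mta.example>
Received: from attacker-mta.example (attacker-mta.example [192.0.2.10])
 by mx.victim.example with ESMTPS; Mon, 01 Jan 2024 10:00:00 +0000
Received: from mail.notifier.example (mail.notifier.example [198.51.100.5])
 by attacker-mta.example with ESMTPS; Mon, 01 Jan 2024 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=notifier.example;
 s=sel1; h=from:to:subject:date; bh=AAAA; b=BBBB
Authentication-Results: mx.victim.example; dkim=pass header.d=notifier.example
From: Notifications <no-reply@notifier.example>
To: me@attacker-owned.example
Subject: Security alert
Date: Mon, 01 Jan 2024 09:00:00 +0000

Body of the notification.
"""

# Constructed: the same kind of notification delivered directly.
SAMPLE_DIRECT = """\
Delivered-To: victim@victim.example
Return-Path: <bounce@notifier.example>
Received: from mail.notifier.example (mail.notifier.example [198.51.100.5])
 by mx.victim.example with ESMTPS; Mon, 01 Jan 2024 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=notifier.example;
 s=sel1; h=from:to:subject:date; bh=AAAA; b=BBBB
From: Notifications <no-reply@notifier.example>
To: victim@victim.example
Subject: Security alert
Date: Mon, 01 Jan 2024 09:00:00 +0000

Body of the notification.
"""


def dkim_signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, or None."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
    return m.group(1).lower() if m else None


def addr_domain(value):
    """Domain part of a single address header value (lowercased), or None."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower() or None


def replay_indicators(raw):
    """Return a list of human-readable replay indicators (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    d = dkim_signing_domain(msg)

    # 1. DKIM covers headers and body, not the SMTP envelope. Return-Path is
    #    the envelope sender recorded at final delivery; on a replay it
    #    belongs to whoever re-injected the message, not to the signer.
    rp = addr_domain(msg.get("Return-Path"))
    if d and rp and rp != d and not rp.endswith("." + d):
        findings.append(f"envelope sender domain {rp} differs from DKIM d={d}")

    # 2. The signed To: header names the mailbox the platform really
    #    notified (the attacker's own); the actual recipient is elsewhere.
    _, delivered = parseaddr(str(msg.get("Delivered-To") or ""))
    named = {a.lower() for _, a in getaddresses(
        [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])}
    if delivered and named and delivered.lower() not in named:
        findings.append(f"delivered to {delivered}, which is not in To/Cc")

    # 3. Received headers are prepended per hop (newest first). If the
    #    signer appears only in an older hop and a foreign host handed the
    #    message to us, it was relayed after signing.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    if d and len(hops) >= 2 and d not in hops[0] and any(d in h for h in hops[1:]):
        findings.append("relayed through a host outside the signing domain after signing")

    return findings


if __name__ == "__main__":
    for name, raw in (("replayed", SAMPLE_REPLAYED), ("direct", SAMPLE_DIRECT)):
        print(name, replay_indicators(raw) or "no indicators")
```

Run stand-alone it prints three indicators for the replayed sample and none for the direct one. None of these indicators is proof on its own (legitimate mailing-list and forwarding setups also trip the Return-Path and To/Cc checks), which is why a mail filter would score them rather than block outright, and why a notification whose signed To: header is not the reader's own address deserves a second look.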
Nick Johnson reported the issue to Google. At first, the company said the system was working as expected. But later, they acknowledged the flaw and said they were working on a fix to prevent abuse of their OAuth system.
PayPal, on the other hand, has not responded to public reports about the issue.
How to Stay Safe
If you receive an email that looks like a security alert, you need to check the sender’s email address carefully. Always scroll down and read the full message. Never click on links or enter credentials on suspicious pages, especially if the URL does not match Google’s official domains. If in doubt, go directly to your Google or PayPal account through a browser, not through an email link.
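Because the sender address and the DKIM result are genuine in this attack, the one dependable signal the article identifies is the link destination: a sign-in page on sites.google.com rather than accounts.google.com. The script below is an added example, not code from the article or from Google; it pulls every URL out of an alert's text and accepts only links whose host is on a small allowlist, treating the user-content host as a hard reject. The allowlist and the sample alert text are assumptions constructed for illustration.

```python
"""Check whether a link from an alert email points at a genuine sign-in host.

Added example, not code from the original article. The allowlist below is an
assumption for illustration; tune it to the services you actually use."""
import re
from urllib.parse import urlsplit

# Assumption: the only host that should ever ask for Google credentials.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}
# Hosts that serve user-published content under the vendor's domain and
# must never be treated as a login page, even though they end in google.com.
USER_CONTENT_HOSTS = {"sites.google.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def _under(host, parents):
    """True if host equals, or is a subdomain of, any host in parents."""
    return any(host == p or host.endswith("." + p) for p in parents)


def classify_login_url(url):
    """Return "ok" or a "reject: <reason>" string for a credential-entry link."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "reject: not https"
    # "https://accounts.google.com@evil.example/" puts the trusted name in
    # the userinfo part; the real host is what follows the "@".
    if parts.username is not None:
        return "reject: userinfo in URL"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject: no host"
    if _under(host, USER_CONTENT_HOSTS):
        return "reject: user-hosted content"
    # Exact match only: "accounts.google.com.evil.example" and IDN
    # look-alikes (xn-- hosts) both fail here.
    if host in TRUSTED_LOGIN_HOSTS:
        return "ok"
    return "reject: host not allowlisted"


def audit_links(text):
    """Map every http(s) URL found in text to its verdict."""
    return {u: classify_login_url(u) for u in URL_RE.findall(text)}


# Constructed alert text in the style of the message described in the article.
SAMPLE_BODY = """\
A subpoena was issued for your account. To review the case materials,
visit the support portal: https://sites.google.com/view/support-portal
Manage your account at https://accounts.google.com/ at any time.
"""

if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_BODY).items():
        print(verdict, url)
```

The point of the exact-match allowlist is that every lookalike the article warns about (a different subdomain of google.com, a host that merely starts with the trusted name, or a credential in the userinfo part) is rejected without a separate rule for each. The same structure works for PayPal or any other service by adding its real sign-in host to the allowlist.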
This attack proves that even emails from trusted domains can be faked in clever ways. Always stay alert and double-check before taking any action.