A newly uncovered phishing campaign has exposed a serious weakness in the way Google generates security-alert emails for OAuth applications, allowing attackers to deliver phishing emails that passed DKIM (DomainKeys Identified Mail) verification, the signature-based mechanism designed to prove that a message really came from the domain it claims and to prevent spoofing.
The incident came to light when Ethereum Name Service (ENS) engineer Nick Johnson received a fake subpoena alert that appeared to originate from Google's no-reply@google.com address. On closer examination, the message turned out to be a genuine Google notification carrying attacker-supplied text and a valid Google DKIM signature, re-sent to the victim. That combination made the phishing attempt look legitimate to both users and mail filters, and it highlights broader problems in what email trust standards actually verify.
Hackers orchestrated the campaign by registering custom domains and creating Google accounts associated with them. They then created rogue OAuth applications whose name field contained the lure text of a fake security alert, and granted these apps access to their own accounts. Granting access triggers a real security alert from Google, and because the alert embeds the app name, the attacker's text landed in the body of a message that Google's own mail servers DKIM-signed. The attackers then forwarded (re-injected) these signed emails to their intended victims. DKIM covers only the headers listed in the signature's h= tag (typically From, To, Subject and a few others) and the message body; it says nothing about the SMTP envelope sender, the relays the message passed through, or the address it was ultimately delivered to, so an unmodified forward still verifies. Because the signing domain (d=google.com) aligns with the From: address, DMARC passes as well, and Gmail presented the forwarded emails as authentically signed by google.com.
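The mechanism above can be reproduced end to end with a small simulation. The following is an added example written for this article, not code from Google or from the researchers involved; it substitutes HMAC-SHA256 with a locally held key for the RSA signature and DNS key lookup of real DKIM, uses a simplified header canonicalization, and constructs all addresses, hostnames and message text. It signs a Google-style alert whose body contains the attacker-chosen app name, re-injects it with a new envelope sender and recipient, and shows that the signature (and DMARC alignment) still pass while body tampering does not. It also includes two heuristics, envelope sender versus d= and envelope recipient versus the signed To: header, that a gateway can apply on top of a passing DKIM result.

```python
import hashlib
import hmac

# Toy secret standing in for a signing domain's private key (hypothetical; real
# DKIM uses RSA or Ed25519 with the public key published in DNS under s=._domainkey).
SIGNING_KEYS = {"google.com": b"toy-google-dkim-key"}
SIGNED_HEADERS = ["from", "to", "subject"]  # the h= list; the SMTP envelope is NOT in it


def canon_header(name, value):
    """Relaxed-style canonicalization: lowercase name, collapse whitespace."""
    return f"{name.lower()}:{' '.join(value.split())}"


def body_hash(body):
    """bh= tag: SHA-256 over the body with trailing blank lines removed."""
    return hashlib.sha256((body.rstrip("\n") + "\n").encode()).hexdigest()


def pick_signed(headers):
    """Bottom-most instance of each header named in h=, in h= order (as DKIM does)."""
    out = []
    for name in SIGNED_HEADERS:
        for n, v in reversed(headers):
            if n.lower() == name:
                out.append((n, v))
                break
    return out


def sig_input(headers, tags_without_b):
    """Data covered by the signature: signed headers plus the DKIM-Signature header with an empty b=."""
    lines = [canon_header(n, v) for n, v in pick_signed(headers)]
    lines.append(canon_header("DKIM-Signature", tags_without_b + "b="))
    return "\n".join(lines).encode()


def dkim_sign(msg, domain):
    tags = (f"v=1; a=hmac-sha256; d={domain}; s=toy; h={':'.join(SIGNED_HEADERS)}; "
            f"bh={body_hash(msg['body'])}; ")
    b = hmac.new(SIGNING_KEYS[domain], sig_input(msg["headers"], tags), hashlib.sha256).hexdigest()
    signed = dict(msg)
    signed["headers"] = [("DKIM-Signature", tags + "b=" + b)] + msg["headers"]
    return signed


def parse_tags(value):
    return dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())


def dkim_verify(msg):
    """Return the signing domain if the signature checks out, else None."""
    for n, v in msg["headers"]:
        if n.lower() == "dkim-signature":
            tags = parse_tags(v)
            key = SIGNING_KEYS.get(tags.get("d"))
            if key is None or tags.get("bh") != body_hash(msg["body"]):
                return None
            head, _, _ = v.rpartition("b=")
            expected = hmac.new(key, sig_input(msg["headers"], head), hashlib.sha256).hexdigest()
            return tags["d"] if hmac.compare_digest(expected, tags["b"]) else None
    return None


def dmarc_aligned(msg, dkim_domain):
    """DMARC alignment: the From: header domain matches the DKIM d= domain."""
    from_hdr = next(v for n, v in msg["headers"] if n.lower() == "from")
    return from_hdr.rsplit("@", 1)[1].strip("<> ") == dkim_domain


def google_security_alert(oauth_app_name, account):
    """Constructed alert: the attacker-chosen OAuth app name lands verbatim in the body."""
    msg = {
        "headers": [("From", "Google <no-reply@google.com>"), ("To", account), ("Subject", "Security alert")],
        "body": f"{oauth_app_name}\nwas granted access to your Google Account.\n",
        "envelope_from": "no-reply@google.com",   # SMTP MAIL FROM, not covered by DKIM
        "envelope_to": account,                   # SMTP RCPT TO, not covered by DKIM
    }
    return dkim_sign(msg, "google.com")


def forward_as_replay(signed, relay_host, envelope_from, victim):
    """Attacker re-injects the message unchanged; only envelope and trace headers differ."""
    replayed = dict(signed)
    replayed["headers"] = [("Received", f"from {relay_host}")] + signed["headers"]
    replayed["envelope_from"] = envelope_from
    replayed["envelope_to"] = victim
    return replayed


def replay_indicators(msg, dkim_domain):
    """Cheap checks a gateway can run on top of a DKIM/DMARC pass."""
    findings = []
    if msg["envelope_from"].rsplit("@", 1)[1] != dkim_domain:
        findings.append("envelope sender domain differs from DKIM d=")
    to_hdr = next((v for n, v in msg["headers"] if n.lower() == "to"), "")
    if msg["envelope_to"] not in to_hdr:
        findings.append("envelope recipient not in signed To: header")
    return findings


if __name__ == "__main__":
    lure = "Notice: a subpoena requires your account data (constructed lure text)"
    alert = google_security_alert(lure, "attacker@example.net")
    replayed = forward_as_replay(alert, "mail.example.net", "bounce@example.net", "victim@example.org")
    print("original verifies as:", dkim_verify(alert))
    print("replay verifies as:", dkim_verify(replayed), "| DMARC aligned:", dmarc_aligned(replayed, "google.com"))
    print("replay indicators:", replay_indicators(replayed, "google.com"))
```

The attacker cannot change the To: header (it is signed), which is why the replayed mail still names the attacker's own mailbox there while the victim only appears in the SMTP envelope; the second heuristic keys on exactly that mismatch. Neither heuristic is a substitute for DKIM, and legitimate mailing-list forwards can trip them, so they belong in scoring rather than in a hard reject.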
The phishing emails directed users to fake Google support portals built with Google Sites and served from sites.google.com, a Google-owned domain, making the scam even harder to detect. Although the URLs differed from Google's real support pages, the trusted parent domain significantly reduced suspicion among victims.
Cybersecurity firm EasyDMARC analyzed the attack and confirmed that the hackers employed a DKIM replay technique, a method that allows threat actors to reuse authenticated emails for malicious purposes. Similar abuse patterns had previously been observed, notably in a March 2025 phishing campaign where attackers leveraged PayPal’s gift address system to send DKIM-verified phishing messages.
Initially, Google said the behavior was working as intended. Following criticism from the security community and further internal review, the company acknowledged the risk created by embedding user-controlled OAuth app names in DKIM-signed alerts and committed to deploying a fix aimed at closing the loophole and preventing future exploitation.
This incident underscores the limits of existing email security frameworks. SPF, DKIM, and DMARC establish that a message was sent or signed by an authorized domain; they say nothing about whether the content is trustworthy, so a legitimately generated message with attacker-supplied text passes all three. Hosting phishing pages on platforms such as Google Sites further complicates detection and response, because domain reputation no longer separates the lure from the real thing.
Experts recommend that users remain cautious even with emails that pass authentication checks. Careful examination of links, a review of which third-party applications have been granted access to the account, and the use of multi-factor authentication are critical steps in protecting personal information. A useful check is whether the relay that delivered the message (shown by Gmail as "mailed by") matches the domain that signed it, and whether the To: address is actually your own. Meanwhile, cybersecurity researchers are urging major tech companies to strengthen email verification methods to better defend against evolving threats like DKIM replay attacks.
As Google moves to implement technical corrections, the broader tech industry faces increasing pressure to update email security protocols and reinforce the defenses that underpin online communication.