This Google phishing email is so convincing, even Gmail didn’t flag it

A clever Google phishing email is making the rounds—and it even passed Gmail’s checks. Here’s how the scam works and what to watch for. The post This Google phishing email is so convincing, even Gmail didn’t flag it appeared first on Phandroid.

Apr 18, 2025 - 08:55

Phishing attacks aren’t new. But every now and then, one shows up that makes you do a double-take. That’s what happened this week when developer Nick Johnson shared a Google phishing email that somehow slipped past Gmail’s usual warnings.

The email came from no-reply@accounts.google.com and was actually signed by accounts.google.com. In other words, it looked legit. There were no red banners, no sketchy headers, and Gmail didn’t even blink.

The email links to a page hosted on Google Sites, a real service Google offers for building websites. The page itself looked like a Google support page, complete with options like “view case” and “upload additional documents.” But click those buttons and you are sent to a fake Google sign-in page, also hosted on Google Sites.

So, how did this scam work? According to Johnson’s explanation, the attackers registered a domain and created a Google account linked to it. They then made a custom OAuth app and—this is the clever part—they used the entire phishing message as the app name. Once the app was set up, they gave their Google account access to it, which triggered an actual security email from Google. That legit-looking email was then forwarded to victims, making it look like it came from Google itself.

Johnson flagged two big issues: first, that attackers can use scripts and embeds on Google Sites, and second, that the email appeared signed by Google even though it came from a privateemail.com address. Google initially brushed it off and closed the bug report, calling it “intended behavior.” But after some pressure, they changed their stance and agreed to fix it.
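As an added, defender-side illustration (not code from the article or from Johnson), here is triage logic for the two observations above: a message that carries a valid Google signature but was relayed by an unrelated domain, and that links to user-hosted content on Google Sites. The sample message is constructed, its signature fields are placeholders, and `org_domain` is a deliberately crude helper.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described above; it is not the real
# email, and the DKIM signature fields are placeholders, not a valid signature.
SAMPLE_MESSAGE = """\
Return-Path: <forwarder@privateemail.com>
Received: from mail.privateemail.com (mail.privateemail.com [192.0.2.10])
 by mx.example.com with ESMTPS; Fri, 18 Apr 2025 08:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
 s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Your account has a case open. View case: https://sites.google.com/view/placeholder
"""

# Hosts on a trusted domain whose content is written by arbitrary users.
HOSTED_PAGE_HOSTS = ("sites.google.com",)


def org_domain(host: str) -> str:
    """Crude organisational domain: the last two labels (fine for .com hosts)."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def addr_domain(header: str) -> str:
    """Domain part of an RFC 5322 address header, lowercased ('' if absent)."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


def replay_indicators(raw: str) -> list:
    """Tags suggesting a legitimately signed message that someone other than the
    signer relayed. Triage logic only; it does not replace DKIM/DMARC checks."""
    msg = message_from_string(raw)
    tags = []
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    signer = org_domain(m.group(1)) if m else ""
    sender = org_domain(addr_domain(msg.get("Return-Path", "")))
    # A valid signature proves who signed the message, not who last handed it over.
    if signer and sender and signer != sender:
        tags.append("envelope-sender-differs-from-dkim-signer")
    first_hop = re.search(r"from\s+([\w.-]+)", msg.get("Received", ""))
    if signer and first_hop and org_domain(first_hop.group(1)) != signer:
        tags.append("last-hop-differs-from-dkim-signer")
    body = msg.get_payload(decode=True).decode("utf-8", "replace").lower()
    if any(h in body for h in HOSTED_PAGE_HOSTS):
        tags.append("links-to-user-hosted-page-on-trusted-domain")
    return tags
```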

This isn’t the first time attackers have abused Google’s own systems. Late last year, there was another scam involving fake recovery emails and spoofed caller IDs tied to Google.
