
Image: Easydmarc
What if an email in your inbox looked exactly like it came from Google—passed all authentication checks, had no spelling errors, came from a Google domain, and even discussed a subpoena involving your account? You’d probably panic—and that’s exactly what cybercriminals are counting on.
In a recent detailed breakdown, Gerasim Hovhannisyan, CEO and Co-Founder of EasyDMARC, exposed a sophisticated DKIM Replay Attack that bypasses traditional email security mechanisms. It spoofed Google itself, using a mix of legitimate infrastructure and psychological manipulation.
The attack began with the attacker obtaining a valid email from Google. The key to the attack lies in the abuse of DKIM (DomainKeys Identified Mail), an email authentication method. DKIM adds a digital signature to emails, verifying that they were sent by the claimed domain. In this case, the attacker replayed the valid DKIM signature from the original Google email.
“This attack was a confirmed DKIM Replay Attack where a spoofed message appeared to be from no-reply@accounts.google.com, had passed DKIM and DMARC, and was delivered to a Gmail inbox,” the report states.
The attacker then used an Outlook account to send the spoofed message, relaying it through various systems to obscure its origin. This multi-step relay process included a custom SMTP service and Namecheap’s PrivateEmail, which added another layer of DKIM signing.
“This system acts as a middle relay, distancing the spoof even further from Google,” the report elaborates.
Ultimately, the spoofed email landed in the victim’s Gmail inbox, passing all authentication checks, including SPF, DKIM, and DMARC.
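As an added example (not code from the EasyDMARC report), a receiver-side check that flags the properties the report describes: a From-aligned signature that does not cover the To header or carry an expiry, a long gap between signing time and delivery, and a second signature added by a relay. The relay domain, selectors, timestamps and signature values are constructed placeholders.

```python
import re
from email import message_from_string
from typing import Dict, List

# Constructed sample, not a real capture: the original signature (d=accounts.google.com)
# was replayed through a relay that added its own; relay domain and values are invented.
SAMPLE_MESSAGE = """\
Received: from relay.example.net by mx.example.com; Tue, 22 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example.net; s=sel1; h=from:to:subject:date; bh=BODYHASH; b=SIG2
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel2; t=1744000000; h=from:subject:date; bh=BODYHASH; b=SIG1
From: no-reply@accounts.google.com
To: victim@example.com
Subject: Security alert
Date: Mon, 07 Apr 2025 09:00:00 +0000

Body text.
"""

def parse_dkim_tags(value: str) -> Dict[str, str]:
    # Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace.
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def replay_indicators(raw: str, received_at: int) -> List[str]:
    # Properties that make a cryptographically valid DKIM pass weak evidence against
    # replay. received_at is the Unix time the receiving MTA accepted the message.
    msg = message_from_string(raw)
    sigs = [parse_dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    from_domain = (msg.get("From") or "").rsplit("@", 1)[-1].lower()
    findings = []
    aligned = [s for s in sigs if s.get("d", "").lower() == from_domain]
    if not aligned:
        findings.append("no DKIM signature aligned with From domain")
    for s in aligned:
        signed = s.get("h", "").lower().split(":")
        if "to" not in signed:  # unsigned To: the message can be resent to anyone
            findings.append(f"{s['d']}: To header not covered by signature")
        if "x" not in s:  # no expiry tag: the signature stays valid indefinitely
            findings.append(f"{s['d']}: no expiration (x=) tag")
        if "t" in s and received_at - int(s["t"]) > 7 * 24 * 3600:
            findings.append(f"{s['d']}: signed more than 7 days before delivery")
    domains = {s.get("d", "").lower() for s in sigs}
    if len(domains) > 1:  # a relay re-signed the message, as in the reported case
        findings.append("multiple signing domains: " + ", ".join(sorted(domains)))
    return findings
```

None of these findings is a DKIM failure on its own; they are the signals a receiver can weigh alongside a valid signature, and senders close the gaps by oversigning To and setting x=.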
The email itself was designed to deceive, employing a fake subpoena theme to create a sense of urgency and fear. The report emphasizes the effectiveness of this tactic, noting that “fake subpoena emails are especially dangerous because they trigger fear, urgency, and confusion.”
Further compounding the deception, the attackers utilized Google Sites to host a fake support case page, mimicking an official Google communication. This tactic exploited the trust associated with the google.com domain, making it more likely for victims to fall for the scam.
The report includes details on reproducing the attack, outlining the steps taken by the attacker, including registering domains and utilizing Google Workspace. This information provides valuable insights into the attacker’s methodology and can aid in developing more effective defenses.
The report strongly advises users to “always question unexpected emails, especially those urging urgent action or containing links to login pages.”
It also stresses the importance of verifying the legitimacy of emails, even those appearing to come from trusted sources like Google. When in doubt, users should avoid clicking on links or engaging with the email and instead escalate the issue to security professionals.