Google Confirms Gmail Update—How To Keep Your Email Account

This is the warning that really matters.
Update: Republished on April 23 with a new threat to Microsoft accounts as well.
Google has confirmed a new Gmail update, but with a warning for its 3 billion users. Take heed, because following it is how you keep your email account. If you fail to follow this advice, you could find yourself losing access to your account and all your content.
Google is rightly frustrated. The latest attack on a Gmail user, which has somehow become a major threat despite it happening to a small number of users, is distracting attention from its much more important warning. The danger is that the advice is drowned out by the noise as countless articles delve into how a fake email was sent in such a way that it appeared to come from Google itself.
The optics of millions of users checking their auto-sent Google emails are painful. So first the basics. No, you are not about to receive a flood of fake emails from no-reply@google.com or any other authenticated Google email address. Such attacks are targeted and very rare. That’s why they generate so many headlines in the first place.
You will receive a flood of malicious phishing emails though, despite Google’s assurance that its defenses now filter out 99% of these. And you do need to change your account settings to ensure you add a passkey and that you don’t rely on SMS two-factor authentication. This is being phased out, but you should move faster and change today.
More importantly, these sophisticated attacks on Gmail users that pretend to be from Google all rely on two false premises: that Google’s support staff may reach out to you by email, phone or message; and if you ever do receive an email or message relating to an account issue, that Google may “ask for any of your account credentials — including your password, one-time passwords [or] confirm push notifications.” The same is true of the company sending links to pages where you enter your credentials — it will not.
Last time there was this furor over a similar attack, Google asked me to “reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues.” And it has reissued that warning in the wake of this latest attack. But the danger is that this simple advice is drowned out by the technicalities of OAuth and DKIM (DomainKeys Identified Mail) checks to authenticate senders, including Google itself.
None of this takes anything away from the awkward optics of this latest attack or Google’s exposed vulnerabilities — albeit these have been patched just as others were patched in January, when a similarly sophisticated hack made headlines. At that time, Google said it was “hardening our defenses” to stop a repeat, just as now it’s telling users “we have rolled out protections to shut down this avenue for abuse.”
Clearly as one door shuts, attackers will find another. And so it’s even more critical that all Gmail users go back to basics. Set up a passkey and a stronger form of 2FA than SMS, given you still need a password as backup access for your account. And remember, any proactive support contact from Google (or Microsoft or Apple or Samsung or any other big tech company) is a scam. If you have any doubt, hang up the call or ignore the emails and reach out to the company using normal, publicly available channels.
And that advice isn’t specific to your Google and Gmail accounts. A new report from Volexity has just warned that “recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.”
The security firm says it has been tracking the attacks since month, and attributes them to “multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights.” The hackers lure victims by impersonating “officials from various European nations,” rather than big tech support desks.
In this instance, an attacker “contacts the victim via a messaging application (Signal, WhatsApp) and invites them to join a video call to discuss the conflict in Ukraine. Once the victim has responded, the attacker sends an OAuth phishing URL that they claim is required to join the video call. The victim is asked to return the Microsoft-generated OAuth code back to the attacker.” This is the copy-and-paste trick. “If the victim shares the OAuth code, the attacker is then able to generate an access token that ultimately allows access to the victim’s M365 account.”
This is an OAuth phishing lure that leverages trusted app login workflows, and it is yet another illustration of why you not only need hardware-bound credentials such as passkeys but also must never share codes or browser URLs in dialog boxes opened via links. Instructions to copy and paste codes or strings of text are dangerous, just as with ClickFix attacks. If you ever see such an instruction, it’s an attack. It really is that simple. Avoid this and you get to keep your Microsoft account as well as your Gmail account.