New Gmail Warning — Do Not Open This Email From Google

Posted by Davey Winder, Senior Contributor | 3 weeks ago | Consumer Tech, Cybersecurity, Innovation


Update, April 20, 2025: This story, originally published April 19, has been updated with information regarding structural email sender authentication protections, which were seemingly bypassed in this latest Gmail attack campaign.

Protecting your accounts and data is getting harder and more complex, despite the best efforts of security defenders. This week alone we have seen Microsoft announce strict new email authentication rules, arriving May 5, to protect 500 million Outlook users, and the FBI warn that hackers impersonating the FBI have struck. Now both stories merge, as Google confirms that Gmail users are under attack from hackers who bypass its own email authentication protections and leverage trust in Google infrastructure to launch a dangerous and costly threat. Here’s what you need to know and do.


Beware This Gmail Security Alert — No Matter How Real It Appears

Wouldn’t it be great if account security were straightforward and easy to accomplish? When you get an email from Google, a security alert no less, that passes Google’s own email authentication protections, you’d think it was trustworthy, right? Wrong, very wrong indeed, at least for now.

An April 16 post on the X social media platform first alerted us to the threat, which exploits trust in Google’s own protections and platforms to execute a sophisticated hack attack. The post explained how its author, a software developer called Nick Johnson, had received a security alert email from Google informing them that a “subpoena was served on Google LLC requiring us to produce a copy of your Google Account content.” The email went on to state that Johnson could examine the details or “take measures to submit a protest” by following the included link to a Google support page. OK, so it’s a phishing email, nothing unusual about that, right? Wrong again. This threat came in an email that was validated and signed by Google itself: it was sent from a no-reply@google.com address, it passed the strict DomainKeys Identified Mail authentication checks that Gmail employs, and it was sorted by Gmail into “the same conversation as other, legitimate security alerts,” Johnson said.

The legitimacy continues if you follow the link to the Google support page, a nefarious clone, of course, but one hosted on sites.google.com. Get as far as wanting to view the documentation or upload a protest and, once again, you land on a perfect clone of the Google account credentials page, also hosted at sites.google.com, which borrows the trust of the google.com domain. You’d have to be pretty clued up to notice it wasn’t the genuine accounts.google.com, where such logins actually happen.

If you fall into the trap, you can wave goodbye to access to your Google account, and the hackers will say hello to your Gmail account and all the data it contains.
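The distinction between accounts.google.com and a page somebody else built on sites.google.com is the kind of check that can be automated. The following Python is an added example, not Google's code and not from the post described above: it pulls the links out of a message that claims to be a Google security alert and reports every link that is not the genuine sign-in host. It assumes, for this example, that accounts.google.com and myaccount.google.com are the only first-party account hosts, and the sample message is constructed.

```python
"""Added example (not Google's code): triage the links in an email that claims
to be a Google account security alert. The first-party host list is an
assumption made for this example; the sample message below is constructed."""
import re
from urllib.parse import urlsplit

# Assumed for this example: the only hosts where a genuine Google sign-in or
# account review happens.
FIRST_PARTY_ACCOUNT_HOSTS = {"accounts.google.com", "myaccount.google.com"}
# Google-operated hosts whose pages are authored by arbitrary users, so a
# google.com hostname says nothing about who built the page.
USER_CONTENT_HOSTS = {"sites.google.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_links(text: str) -> list:
    """Pull http(s) URLs out of a plain-text body, dropping trailing punctuation."""
    return [m.rstrip(".,;:)") for m in URL_RE.findall(text)]


def classify_link(url: str) -> str:
    """Classify a link by its exact hostname, never by substring."""
    # urlsplit().hostname discards port and userinfo, so the host of
    # 'https://accounts.google.com@example.net/' is example.net.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in FIRST_PARTY_ACCOUNT_HOSTS:
        return "first-party-signin"
    if host in USER_CONTENT_HOSTS:
        return "user-content-on-google"
    # Whole-label suffix match: 'accounts.google.com.example.net' is external.
    if host == "google.com" or host.endswith(".google.com"):
        return "other-google-host"
    return "external"


def suspicious_links(text: str) -> list:
    """Return (url, verdict) for each link that is not a genuine sign-in page."""
    flagged = []
    for url in extract_links(text):
        verdict = classify_link(url)
        if verdict != "first-party-signin":
            flagged.append((url, verdict))
    return flagged


# Constructed sample: a message claiming to be a Google account alert, with one
# link on user-generated Google Sites content and one genuine account link.
SAMPLE_ALERT = """\
Google Account security alert (constructed sample).
Review the case materials at https://sites.google.com/view/constructed-example-case/.
Manage your account at https://myaccount.google.com/.
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_ALERT):
        print(verdict, url)
```

Run on the constructed sample, only the sites.google.com link is reported. The design point is that the verdict rests on the exact hostname after normal URL parsing: a DKIM pass from google.com and the string "google.com" appearing somewhere in a link both say nothing about who authored the page you are about to type a password into.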


What Is DomainKeys Identified Mail And How Does It Work With Gmail?

Google implemented strict authentication requirements for bulk email senders to Gmail from April 1, 2024, to stop unscrupulous spammers sending unauthenticated email, which could arrive complete with a nefarious payload. Microsoft is about to introduce the same for Outlook.com users from May 5. This is where DomainKeys Identified Mail comes in, along with Domain-based Message Authentication, Reporting & Conformance and the Sender Policy Framework.

The DMARC, DKIM and SPF trilogy gives users confidence that the email they are looking at is from a genuine sender and not someone impersonating a brand or domain. Or, at least, that’s the idea; as this latest attack has shown, attackers are clever and tend to find any chinks in the protective armour, as they did with the Gmail implementation. That doesn’t mean you shouldn’t authenticate, though; you really should.

Before starting with DMARC, you need to check out SPF and DKIM. SPF lets a receiving mail server determine whether an email claiming to come from a specific domain was sent by a server that the domain’s administrator has authorized in the domain’s DNS record. DKIM, meanwhile, attaches a header to each message containing a hash of the message signed with the sending domain’s private key; receivers verify it against the public key published in that domain’s DNS, which makes domain spoofing far from simple. It is DMARC that then checks the SPF and DKIM results properly align with the domain in the From: header and determines what happens to the email in question: it can land in the inbox, go to the spam folder, or be bounced back whence it came.

When configuring DMARC, note the p= tag in the DNS TXT record, as this instructs the receiving mail server whether a message that fails should be sent to the spam folder (p=quarantine) or bounced (p=reject).
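To make the relationship between the three records concrete, here is an added example in Python of a minimal DMARC policy evaluator. It is not Google's, Microsoft's or any mail provider's code. It assumes the receiving server has already run SPF and DKIM and takes their results as input; the DMARC records and domains are constructed, the organizational-domain logic is simplified to the last two labels (real verifiers consult the Public Suffix List), and it also covers the p=none tag, which only monitors and never changes delivery.

```python
"""Minimal DMARC policy evaluator (added example, not any mail provider's code).

Assumes SPF and DKIM have already been evaluated by the receiving server and
takes their results as input. All records and domains below are constructed.
"""
from dataclasses import dataclass

# What the receiver does with a message that fails DMARC, per p= value.
DISPOSITION = {"none": "inbox", "quarantine": "spam", "reject": "bounce"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into a tag dict,
    lower-casing tags and values and filling in the spec's defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("p", "none")      # p=none: monitor only, delivery unchanged
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    if tags["p"] not in DISPOSITION:
        raise ValueError("unknown p= value: %r" % tags["p"])
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real verifiers
    use the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs the
    same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_result: str     # "pass", "fail", "none", ...
    spf_domain: str     # envelope MAIL FROM domain SPF was evaluated against
    dkim_result: str
    dkim_domain: str    # d= tag of the DKIM-Signature that verified


def evaluate_dmarc(from_domain: str, record_txt: str, auth: AuthResults) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes if SPF or DKIM passed AND
    that identifier aligns with the From: domain; otherwise p= decides."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "inbox"
    return "fail", DISPOSITION[tags["p"]]


def demo() -> list:
    """Constructed scenarios for a message with From: example.com."""
    unauth = AuthResults("fail", "bulk.example.net", "fail", "example.net")
    signed = AuthResults("fail", "relay.example.net", "pass", "example.com")
    sub_signed = AuthResults("fail", "relay.example.net", "pass", "mail.example.com")
    cases = [
        ("v=DMARC1; p=none", unauth),             # fails, but p=none only monitors
        ("v=DMARC1; p=quarantine", unauth),       # fails -> spam folder
        ("v=DMARC1; p=reject", unauth),           # fails -> bounced
        ("v=DMARC1; p=reject", signed),           # SPF fails, aligned DKIM -> pass
        ("v=DMARC1; p=reject; adkim=s", sub_signed),  # strict: subdomain d= not aligned
        ("v=DMARC1; p=reject", sub_signed),       # relaxed: same org domain -> pass
    ]
    return [evaluate_dmarc("example.com", rec, auth) for rec, auth in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fourth scenario is the one worth noticing: a message whose DKIM signature verifies with a d= that aligns with the From: domain passes DMARC even when SPF fails and the message was relayed from elsewhere. A DMARC pass therefore tells you only that the domain's key signed that message, not who authored its contents or where its links lead.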


Google Promises To Shut Down Gmail Attack With New Update

The good news is that Google has said that it is rolling out protections to counter the specific attacks from the threat actor concerned. “These protections will soon be fully deployed,” a spokesperson said, “which will shut down this avenue for abuse.” In the meantime, Google advised users to enable 2FA protections and switch to using passkeys for Gmail to provide “strong protection against these kinds of phishing campaigns.”

Explaining that the attack email leveraged an OAuth application combined with a creative DKIM workaround to bypass the types of safeguards meant to protect against this exact type of phishing attempt, Melissa Bischoping, head of security research at Tanium, warned that “while some components of this attack are new – and have been addressed by Google – attacks leveraging trusted business services and utilities are not one-off or novel incidents.”

Moving forward, Gmail users should still be alert to the danger of genuine-looking emails and alerts that purport to be from legitimate sources, even if that source is Google itself. Awareness training should evolve with the threat landscape, addressing both new and persistently effective techniques, Bischoping said. “As always,” Bischoping concluded, “robust multi-factor authentication is essential because credential theft and abuse will continue to be an attractive target.”
