A new phishing campaign is alarming cybersecurity experts because it exploits Google’s trusted infrastructure.
Nick Johnson, founder of Ethereum Name Service (ENS), alerted users on X about the scam, which successfully bypasses standard email security measures. The attackers have created deceptive emails that resemble genuine Google alerts, even passing authentication checks like DKIM. These fraudulent messages claim that a recipient’s data is under subpoena by law enforcement, making it difficult for users to distinguish them from real security notices.
Victims are lured into clicking a link to “view case materials or protest,” which redirects them to a Google Sites page — a platform often used for building web pages on Google subdomains. This tactic leverages the appearance of authenticity by using Google’s branding and domain to gain user trust. Johnson believes the goal is to steal login credentials, though he refrained from proceeding further into the trap.
According to a recent April 11 report by cybersecurity firm EasyDMARC, the phishing method hinges on the misuse of Google’s services, including Google Sites and OAuth applications. Attackers can freely assign deceptive names to these apps and use a third-party service like Namecheap to send emails with misleading addresses, such as “[email protected],” while setting an arbitrary reply-to email.
The malicious email appears authentic because DKIM validates the message content and headers, but does not validate the actual envelope sender. This allows the phishing email to slip past Gmail’s security layers and into a user’s inbox, even nesting within genuine Google alert threads.
Security experts urge users to remain vigilant, inspect sender details thoroughly, and avoid clicking links from suspicious alerts, regardless of how legitimate they appear.
The incident emerged just as North Korean-linked fraudulent tech workers reportedly expanded their infiltration efforts beyond the United States. According to a separate April 2 report by Google’s Threat Intelligence Group (GTIG), these operatives began targeting blockchain firms in the United Kingdom and Europe.
If you want to read more news articles like this, visit DeFi Planet and follow us on Twitter, LinkedIn, Facebook, Instagram, and CoinMarketCap Community.
“Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”
