Hackers Abuse Google Services to Send Malicious Law Enforcement Requests

A sophisticated phishing campaign has emerged targeting Google users with fraudulent law enforcement data requests, exploiting legitimate Google services to bypass security systems and create highly convincing scams.

The attack utilizes official Google infrastructure, including the company’s OAuth system and sites.google.com domain, to create messages that appear to come directly from Google’s trusted [email protected] address.

The deceptive campaign begins with victims receiving an alarming email claiming that Google has received a subpoena from law enforcement agencies demanding access to their Google account content.


The message includes official-looking elements such as support ticket references, account IDs, and links to what appear to be Google support pages.

Fake Google Support page (Source – Kaspersky)

The psychological pressure of potential legal troubles creates immediate panic, increasing the likelihood victims will click without scrutinizing the message.

A fraudulent email from [email protected] masquerading as an official request (Source – Kaspersky)

What makes this attack particularly insidious is that the emails genuinely originate from Google’s systems and are digitally signed by accounts.google.com, making them extremely difficult to distinguish from authentic communications.

Kaspersky researchers identified this technique as a novel approach to phishing that exploits trusted infrastructure to deliver malicious content with unprecedented legitimacy.

Kaspersky analysts noted that attackers have implemented a complex technical workflow to execute this campaign.

The process begins with attackers registering a domain that mimics Google’s naming convention (for example, “googl-mail-smtp-out-198-142-125-38-prod.net”), then creating a free email address on this domain. Subsequently, they register a trial version of Google Workspace on the same domain.

“This attack demonstrates remarkable sophistication in abusing trusted systems,” explained Alanna Titterington, a security researcher who documented the campaign.

“By manipulating Google’s own infrastructure against itself, attackers create communications that pass traditional security checks.”

Technical Exploitation Mechanism

The core vulnerability lies in how Google OAuth applications are configured and verified.

Registering a web application in Google OAuth with a completely arbitrary name (Source – Kaspersky)

When registering a web application in the Google OAuth system, attackers exploit the “App Name” field, which allows arbitrary text input.

An examination of the attack reveals that criminals use this field to inject their entire phishing message, including malicious links:

App name *
Any Phishing Email Text Inject Here with phishing URL's, with un
The name of the app asking for consent

After configuration, Google’s systems automatically send a security alert containing this injected text from the legitimate [email protected] address to the attacker’s registered email.

The attackers then use email forwarding services to redistribute this authenticated Google message to multiple victims.

The forwarded message maintains Google’s digital signature while containing the malicious content.
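Because the signature survives forwarding, a valid accounts.google.com signature alone says nothing about who the alert was originally addressed to. The following is an added example, not code from Kaspersky or Google: a header triage check that flags such alerts when the mailbox that received the message is not listed in To/Cc, or when the To address sits on a Google look-alike domain. It assumes the receiving system records the envelope recipient in a Delivered-To header and has already verified the DKIM signature; the function names and the sample headers are constructed for illustration.

```python
import email
from email.utils import getaddresses

# Constructed sample headers: an alert signed by accounts.google.com, addressed
# to the attacker's own mailbox, then relayed to a different recipient.
FORWARDED = """\
Delivered-To: victim@example.org
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel1;
\tbh=AAAA; b=BBBB
From: Google <sender@accounts.google.com>
To: me@googl-mail-smtp-out-198-142-125-38-prod.net
Subject: Security alert

(body omitted)
"""
# Constructed benign case: same alert delivered to the mailbox it names in To.
DIRECT = FORWARDED.replace("victim@example.org", "user@example.org").replace(
    "me@googl-mail-smtp-out-198-142-125-38-prod.net", "user@example.org")

def dkim_domains(msg):
    """Return the d= signing domains from every DKIM-Signature header."""
    found = set()
    for header in msg.get_all("DKIM-Signature", []):
        for tag in header.split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip() == "d":
                found.add(value.strip().lower())
    return found

def is_google(domain):
    return domain == "google.com" or domain.endswith(".google.com")

def triage(raw):
    """List reasons a Google-signed alert looks redistributed to this mailbox."""
    msg = email.message_from_string(raw)
    if "accounts.google.com" not in dkim_domains(msg):
        return []  # out of scope: not signed as a Google account alert
    listed = sorted({addr.lower() for _, addr in
                     getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))})
    findings = []
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    if delivered and delivered not in listed:
        findings.append("redistributed")  # recipient was never addressed
    for addr in listed:
        domain = addr.rpartition("@")[2]
        if "googl" in domain and not is_google(domain):
            findings.append("lookalike-recipient:" + domain)
    return findings
```
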

When users follow the included links, they are directed to legitimate Google authentication pages if not already signed in, further building trust in the process.

Upon authentication, they are redirected to a fraudulent support page hosted on sites.google.com, a legitimate Google domain that hosts user-created content.

Google has acknowledged the vulnerability after Kaspersky’s report and is working on remediation measures for its OAuth system. However, no definitive timeline for the fix has been announced.


Tushar Subhra Dutta