A new and highly sophisticated phishing campaign is leveraging legitimate Google services, including its email system, Google OAuth, and Google Sites, to deliver fraudulent law enforcement requests that appear almost indistinguishable from genuine Google legal notices.
Security researchers recently uncovered this complex attack methodology, which exploits the inherent trust that users and security tools place in Google’s infrastructure.
Cybercriminals Exploit Google OAuth
The campaign typically begins with an email notification sent from what appears to be Google’s authentic address: [email protected].
The spoofed email informs recipients that Google has supposedly received a law enforcement subpoena requesting access to their account.
Included are realistic details, such as account IDs and support ticket numbers, and a link supposedly leading to further details or an appeals page.
At first glance, both the sender address and the embedded link utilize official-looking Google domains, lulling recipients into a false sense of security.
Upon closer examination, the malicious link, although it carries the google.com domain, redirects victims to a phishing page hosted on sites.google.com, Google’s own website creation platform.
While the platform is legitimate, its subdomain structure and the trust it commands are being leveraged by attackers to evade both user skepticism and standard security filters.

For users not logged into Google, the redirection first prompts an official Google account login, further increasing the attack’s perceived legitimacy.
The phishing page itself convincingly mimics Google’s support interface, complete with branding and support ticket references.
A key technical aspect of the attack lies in its abuse of Google OAuth. After registering a deceptive domain via a provider such as Namecheap, attackers set up a trial Google Workspace environment and create a custom OAuth application.
This application can be configured with arbitrary text for its name, meaning the phishing message itself can be injected into the OAuth notification Google sends when users are prompted to grant the application access.
Once this OAuth-based notification arrives at the attacker’s domain mailbox, a forwarding rule set up at the domain provider automatically relays it to the targeted victims.
The result is a phishing email that is cryptographically signed by Google and sent from an official address.
Highly Convincing Fake Subpoenas
In a detailed analysis, researchers found that while the From field in such emails is accurate and mimics legitimate Google communications, abnormalities in the To and Mailed-by fields provide subtle clues of forgery.
For instance, the To field might contain a suspicious technical-looking address (e.g., me[@]googl-mail-smtp-out-198-142-125-38-prod[.]net), and the Mailed-by field could reference an unrelated forwarding service.
However, most users, especially when alarmed by perceived legal jeopardy, are unlikely to scrutinize these details.
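As an added example (not part of the researchers’ analysis), the following Python check applies the header heuristics just described to constructed sample headers: a Google sender whose To header names a foreign technical-looking mailbox and whose envelope sender belongs to a forwarding service. The sample addresses are invented, and treating Return-Path as a stand-in for the "mailed-by" value Gmail displays is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed samples (not real captures). The first mirrors the pattern in
# the report: a google.com From header, a foreign technical-looking To header,
# and an envelope sender from an unrelated forwarding service.
SUSPICIOUS = """\
Delivered-To: victim@example.org
Return-Path: <bounce@forwarding-provider.example>
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=x; h=from:to; b=...
From: Google <no-reply@google.com>
To: me@googl-mail-smtp-out-198-142-125-38-prod.net
"""
# A consistent message: recipient, envelope sender and signer all line up.
CONSISTENT = """\
Delivered-To: victim@example.org
Return-Path: <bounces@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=x; h=from:to; b=...
From: Vendor <billing@example.com>
To: victim@example.org
"""

def domain_of(addr: str) -> str:
    """Lower-cased domain part of a single address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def header_findings(raw: str) -> list[str]:
    """Return human-readable inconsistencies; an empty list means none found."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    envelope = domain_of(msg.get("Return-Path", ""))     # shown as "mailed-by"
    delivered = domain_of(msg.get("Delivered-To", ""))   # who actually got it
    to_doms = {domain_of(a) for _, a in getaddresses(msg.get_all("To", []))}
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    signer = m.group(1).lower() if m else ""
    # 1. To is a signed header, so a forwarded notification still names the
    #    attacker's original mailbox instead of the person who received it.
    if delivered and to_doms and delivered not in to_doms:
        findings.append(f"To domains {sorted(to_doms)} exclude recipient domain {delivered}")
    # 2. The envelope sender ("mailed-by") is not the From domain: a relay or
    #    forwarding rule sat between the signer and the recipient.
    if envelope and from_dom and envelope != from_dom:
        findings.append(f"mailed-by {envelope} differs from From domain {from_dom}")
    # 3. A valid signature from the From domain proves the text came from that
    #    domain, not that it was meant for this recipient; say so explicitly.
    if signer == from_dom and findings:
        findings.append(f"DKIM by {signer} is genuine but message was relayed")
    return findings
```

The third finding is the point the report makes about this campaign: a message can be signed by Google and still be an attacker’s forwarded notification, so signature validity alone is not a trust signal.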
The phishing page reached via the link encourages victims to download “legal documents” relevant to the fake subpoena.
While the precise nature of these documents remains unclear, researchers suspect they may contain malware or further social engineering traps.
Google has been notified of the campaign and is reportedly working to address the exploited loopholes, particularly within its OAuth process.
However, timelines for a complete mitigation remain unknown. This incident highlights the scalable risk when trusted cloud platforms are used as vectors for abuse.
Security experts emphasize the importance of vigilance, advising users not to panic upon receiving such notices, to carefully inspect message headers, and to avoid clicking on links in unexpected emails, even if they appear to come from trusted domains.
Organizations are also urged to implement advanced security solutions capable of detecting sophisticated phishing tactics that leverage legitimate cloud infrastructure.