Gmail Users Targeted in Alarming New Phishing Scam — Even Google Couldn’t Spot It

Gmail users are facing a new and highly deceptive phishing attack that’s so convincing, it even slips past Google’s own security systems.
The scam came to light after Nick Johnson, a software developer and Ethereum enthusiast, shared his experience on X. He received an email from no-reply@google.com, warning that a subpoena had been issued requiring access to his Google account data. The email was authenticated, signed with a valid DKIM signature, and appeared in the same thread as real Google alerts, making it look 100% legitimate.
Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more. Here’s the email I got: pic.twitter.com/tScmxj3um6
— nick.eth (@nicksdjohnson) April 16, 2025
But here’s the catch: the link inside the email led to a support page hosted on sites.google.com—a platform that lets anyone create and host content using a Google subdomain. The fake page perfectly mimicked Google’s login screen, designed to trick users into handing over their credentials.
What made this attack especially dangerous was the combination of:
- A genuine-looking sender address (no-reply@google.com)
- Valid DKIM and SPF authentication
- Hosting on Google’s own subdomain (sites.google.com)
This isn’t just a phishing email; it’s a masterclass in social engineering, exploiting users’ trust in Google’s infrastructure.
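The three ingredients listed above are exactly what an inbound-mail triage rule can key on: a message that carries a valid DKIM/SPF/DMARC pass for google.com is not automatically trustworthy if the links in its body point at sites.google.com, which hosts content anyone can publish. The following Python script is an added example written for this article, not Google's code or anything from the original report. It parses a constructed sample message modelled on the description above (the headers, signature values and URL are made up), reads the Authentication-Results header, extracts the hyperlinks, and flags the "authenticated sender plus user-hosted link" combination. The USER_CONTENT_HOSTS set is an assumed, defender-maintained list.

```python
"""Flag authenticated google.com mail whose links land on user-hosted Google content."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Hosts under a trusted parent domain where arbitrary users can publish pages.
# Assumption: maintained by the defender; the article names sites.google.com.
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed sample modelled on the article's description; not the real email.
SAMPLE_RAW = """\
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Notice of legal process on your Google Account
Authentication-Results: mx.example.com; dkim=pass header.i=@google.com header.s=20230601; spf=pass smtp.mailfrom=google.com; dmarc=pass header.from=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=20230601; h=from:to:subject; bh=AAAA; b=BBBB
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A subpoena has been issued requiring access to your account data.</p>
<p><a href="https://sites.google.com/view/legal-support-case/home">Review case</a></p>
</body></html>
"""

# Same constructed message, but linking to the real sign-in host, for comparison.
BENIGN_RAW = SAMPLE_RAW.replace(
    "https://sites.google.com/view/legal-support-case/home",
    "https://accounts.google.com/",
)


def auth_results(msg):
    """Parse Authentication-Results into {mechanism: (result, domain)}."""
    out = {}
    header = msg.get("Authentication-Results", "")
    for clause in str(header).split(";")[1:]:  # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"(dkim|spf|dmarc)=(\w+)", clause)
        if not m:
            continue
        d = re.search(r"(?:header\.i=@|header\.from=|smtp\.mailfrom=)([\w.-]+)", clause)
        out[m.group(1)] = (m.group(2), d.group(1) if d else None)
    return out


def extract_links(msg):
    """Return every href target in the HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return re.findall(r'href="([^"]+)"', text)


def triage(raw):
    """Score one raw RFC 5322 message; authentication alone is not a pass."""
    msg = message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    links = extract_links(msg)
    from_domain = msg["From"].addresses[0].domain.lower()
    dkim_result, dkim_domain = auth.get("dkim", ("none", None))
    authenticated = dkim_result == "pass" and dkim_domain == from_domain

    user_content_hosts = sorted(
        {h for h in (urlparse(u).hostname for u in links) if h in USER_CONTENT_HOSTS}
    )
    findings = []
    if authenticated and user_content_hosts:
        # This is the article's pattern: a valid google.com signature wrapped
        # around a link to a page anyone could have created.
        findings.append(
            f"DKIM-authenticated mail from {from_domain} links to user-hosted "
            f"content on {', '.join(user_content_hosts)}"
        )
    return {
        "from_domain": from_domain,
        "auth": auth,
        "links": links,
        "user_content_hosts": user_content_hosts,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        result = triage(raw)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The rule deliberately treats a DKIM pass as a precondition for scrutiny rather than as a clean bill of health: the signing domain matching the From domain tells you the message was relayed by that domain's infrastructure, not that the link target is operated by the same team. Extend USER_CONTENT_HOSTS with any other hosts in your environment where tenants can publish arbitrary pages.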
Google has acknowledged the threat and is actively working to close the loopholes. “We’re rolling out protections to shut down this method of abuse,” a spokesperson said. In the meantime, users are urged to:
- Enable two-factor authentication (2FA), preferably using passkeys instead of SMS
- Double-check sender addresses and links, even if they appear to be from Google
- Avoid logging in through links in unsolicited emails
- Use antivirus and firewall protection
- Stay alert, no matter how convincing an email looks
This incident is a stark reminder: if a phishing email can fool even Google’s filters, it can fool anyone.