---
title: "Phishers abuse Google sites and DKIM replay to send fake emails and steal credentials | DuoCircle"
description: "Phishers abuse Google sites and DKIM replay to send fake emails and steal credentials."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/phishing-protection/phishers-exploit-google-sites-dkim-replay-to-steal-login-credentials/"
---

Quick Answer

In April 2025, attackers ran a DKIM replay attack that delivered phishing emails appearing to come from no-reply@google.com with valid DKIM signatures. The technique: register a domain, create a Google account on it, set up an OAuth app whose name contained the entire phishing message, then trigger Google's automated security alert. Because Google generated and signed that alert, it carried a valid DKIM signature. The attacker forwarded the message through Outlook and a custom SMTP relay while preserving the original DKIM signature, so it still showed as Signed by accounts.google.com when it landed in Gmail. The lure was a fake legal subpoena pointing to a cloned Google Support page. Defenses for domain owners: set short DKIM expiration via the x= tag, rotate DKIM keys regularly, oversign critical headers, deploy SPF and DMARC, and monitor DMARC reports for unusual forwarding patterns.

Phishers abuse Google sites and DKIM replay to send fake emails and steal credentials


![Phishers abuse google](https://media.mailhop.org/duocircle/images/2025/05/dkim-validation-6764.jpg) 

In a highly sophisticated [phishing attack](https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html), cybercriminals took an uncommon path to get fraudulent phishing emails past Google’s security filters and redirect recipients to cloned websites, where they were asked to enter their credentials. The emails were sent from **[no-reply@google.com](mailto:no-reply@google.com)** and carried valid [DKIM signatures](https://docs.mapp.com/docs/dkim-signature). In short, it was a classic case of a [DKIM replay attack](https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/), which is why the messages passed email authentication checks and Gmail displayed them without any warnings.

The email message informed the targeted recipients of a subpoena from a **law enforcement authority**, querying about unspecified content in their Google Accounts. The message further urged them to click on a malicious link on the false pretext of examining the case materials or taking measures to submit a protest. 

The [malicious link](https://www.computerweekly.com/news/366544395/Malicious-URL-volumes-soar-as-cyber-criminals-pull-on-Threads) redirected recipients to a cloned, look-alike webpage that impersonated **Google’s actual Support page**. There, the victims were requested to click on a button to upload documents or view the details of the case. 

The tricky part of this attack was that the email showed it was ‘Signed by’ accounts.google.com, even though it was actually sent from a completely different domain: **fwd-04-1.fwd.privateemail.com**.

Here is what the message looked like:

[![attack ](https://media.mailhop.org/duocircle/images/2025/05/spf-record-checker-4433.jpg)](https://media.mailhop.org/duocircle/images/2025/05/spf-record-checker-4433.jpg)

## The role of DKIM replay in this attack

In this attack, the threat actor cleverly manipulated DKIM authentication to make a phishing email appear fully legitimate.

_The process began with the attacker creating a Google account on a newly registered domain (like me@)_. They then set up a Google OAuth application and gave it a name that contained the entire [phishing message](https://www.nbcbayarea.com/news/tech/meta-warns-phishing-scam/3803795/). When they granted that OAuth app access to the account they had just created, **Google automatically generated** a security alert email to that same account.

Since Google created and sent the alert, the email was signed using Google’s valid DKIM key, meaning it passed all [DKIM](/resources/what-is-dkim), [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/), and DMARC authentication checks.

The attacker then forwarded this exact message from an Outlook account while carefully preserving the original DKIM signature. Because the signed headers and body were unchanged, the email kept its ‘**Signed by Google’ authenticity**, even though it was now being sent from an unrelated domain.

To further obscure its path, the message was routed through a **custom SMTP service**, eventually relaying through a mail-forwarding infrastructure. By the time it reached the target’s Gmail inbox, it looked like a genuine message from Google, complete with clean authentication results. This significantly increased the chances of the [phishing email](/content/phishing-prevention/phishing-email) bypassing filters and tricking the victim.

[![mail-forwarding](https://media.mailhop.org/duocircle/images/2025/05/spf-record-7766.jpg)](https://media.mailhop.org/duocircle/images/2025/05/spf-record-7766.jpg)

## What Google says about this

Google has acknowledged and confirmed the attack and has already started taking action to ensure this doesn’t continue to happen. The officials have come forward to explain how they are aware of these kinds of targeted phishing attacks and that they have taken the **appropriate measures** to shut them down.

They have also reiterated that Google never requests sensitive details from users, including [one-time passwords](https://www.scworld.com/perspective/one-time-passwords-the-good-bad-and-how-to-avoid-the-ugly), and neither do they call to ask for such information. **Google prioritizes user security** and encourages people to stay vigilant online. 

As an **added layer of defense**, Google is urging users to enable [two-factor authentication (2FA)](https://www.fortinet.com/resources/cyberglossary/two-factor-authentication) and adopt passkeys, both of which offer stronger protection against phishing attempts like these.

[![two-factor authentication](https://media.mailhop.org/duocircle/images/2025/05/spf-record-check-7766.jpg)](https://media.mailhop.org/duocircle/images/2025/05/spf-record-check-7766.jpg)

## How can businesses prevent DKIM replay attacks from their domains?

_DKIM replay attacks are very tricky and sophisticated, and with the advent of AI, it’s easier than ever to draft convincing and flawless phishing emails_. If these emails bypass security filters, the chances of a successful phishing attack increase. But businesses can still **prevent their domains** from getting involved in DKIM replay attacks. Here’s how:

### Use DKIM with short-lived signatures

Set a short expiration time (the x= tag) in your DKIM signature. Doing so reduces the window in which a [threat actor](https://www.techtarget.com/searchsecurity/news/366618294/Threat-actors-abusing-Microsoft-Teams-in-ransomware-attacks) can reuse a captured signature for malicious purposes. So, even if your domain gets involved in a replay attack, it won’t be **implicated for long**.
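As an added example (not code from the original post or from Google), the following Python audits a single DKIM-Signature header for the two replay controls this post and its Quick Answer recommend: a short t=/x= lifetime and oversigning of critical headers. The header, domain, selector and timestamps are constructed placeholders.

```python
import re
import time

# Constructed DKIM-Signature header (not from the incident): a placeholder
# domain with signing time t= and expiry x= set three days apart.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2025; "
    "t=1745000000; x=1745259200; "
    "h=from:to:subject:date:message-id:mime-version:content-type; "
    "bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE="
)

# RFC 6376 lets a signer list a header name in h= more times than it occurs,
# so a copy added after signing breaks the signature ("oversigning").
CRITICAL_HEADERS = ("from", "to", "subject", "date")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature tag-list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:  # skip empty trailing segments
            tags[name.strip()] = re.sub(r"\s+", "", value)  # fold whitespace
    return tags


def signature_lifetime(tags):
    """Seconds between signing (t=) and expiry (x=), or None if either is absent."""
    if "t" not in tags or "x" not in tags:
        return None
    return int(tags["x"]) - int(tags["t"])


def is_expired(tags, now):
    """True when x= is present and already in the past at time `now`."""
    return "x" in tags and int(tags["x"]) < now


def under_signed_headers(tags, critical=CRITICAL_HEADERS):
    """Critical headers listed fewer than twice in h=, i.e. not oversigned."""
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    return [h for h in critical if signed.count(h) < 2]


def audit(header_value, now=None, max_lifetime=7 * 24 * 3600):
    """Findings a replay-conscious domain owner would want from one signature."""
    now = int(time.time()) if now is None else now
    tags = parse_dkim_tags(header_value)
    findings = []
    lifetime = signature_lifetime(tags)
    if lifetime is None:
        findings.append("no x= expiry: the signature stays replayable indefinitely")
    elif lifetime > max_lifetime:
        findings.append(f"expiry window of {lifetime}s exceeds {max_lifetime}s")
    if is_expired(tags, now):
        findings.append("signature has expired and should no longer verify")
    for h in under_signed_headers(tags):
        findings.append(f"header '{h}' is not oversigned")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DKIM_SIGNATURE, now=1745100000):
        print("-", finding)
```

Run against a header copied from your own outbound mail to see whether your signer sets x= at all and whether From/To/Subject/Date appear twice in h=.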

### Enable SPF and DMARC

If SPF is deployed, emails sent from unauthorized IP addresses are regarded as illegitimate and potentially phishing. That’s why they are either tossed in the [spam folders](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/) or **bounced back to the sender**. 

Unless the malicious actor is an insider, their IP address is unlikely to be part of your [SPF record](/resources/spf-records). Hence, the replayed emails won’t pass **SPF authentication**, which lowers their chances of reaching the targeted recipients’ primary inboxes. Note that this only works if the threat actors send the emails using your domain. 

[DMARC](/resources/what-is-dmarc), on the other hand, builds on the SPF and DKIM results and tells receiving mail servers how to handle emails that fail **SPF and/or DKIM checks**. 
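The caveat above is the crux of this incident: DMARC only needs one aligned, passing identifier. As an added example (not code from the original post or from Google), this Python models the DMARC alignment decision for the replayed alert and then for the same message once its DKIM signature no longer verifies. The SPF outcome for the forwarder's own domain is an assumption, and the organizational-domain helper uses the last two labels instead of a Public Suffix List lookup.

```python
def org_domain(domain):
    """Organizational domain for relaxed alignment.
    Assumption: the last two labels stand in for a Public Suffix List
    lookup (wrong for suffixes such as .co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier, from_domain, mode):
    """DMARC identifier alignment (RFC 7489 section 3.1): strict ('s')
    requires an exact match, relaxed ('r') the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_result(from_domain, dkim_results, spf_result, adkim="r", aspf="r"):
    """Return (verdict, reason).
    dkim_results: list of (d= domain, verified) for each signature present.
    spf_result: (MAIL FROM domain, passed) as evaluated by the receiver."""
    for d, verified in dkim_results:
        if verified and aligned(d, from_domain, adkim):
            return "pass", f"aligned DKIM signature from d={d}"
    spf_domain, spf_passed = spf_result
    if spf_passed and aligned(spf_domain, from_domain, aspf):
        return "pass", f"aligned SPF for {spf_domain}"
    return "fail", "no aligned, passing identifier"


# Scenario 1 (constructed from the incident as described): From: is
# no-reply@google.com, the preserved signature has d=accounts.google.com,
# and SPF is evaluated against the forwarder's own MAIL FROM domain, which
# we assume passes for that domain but cannot align with google.com.
REPLAYED = dict(
    from_domain="google.com",
    dkim_results=[("accounts.google.com", True)],
    spf_result=("fwd-04-1.fwd.privateemail.com", True),
)

# Scenario 2: the same message after x= has passed or the key was rotated
# away, so the replayed signature no longer verifies.
REPLAYED_EXPIRED = dict(REPLAYED, dkim_results=[("accounts.google.com", False)])


if __name__ == "__main__":
    print(dmarc_result(**REPLAYED))          # ('pass', 'aligned DKIM ...')
    print(dmarc_result(**REPLAYED_EXPIRED))  # ('fail', 'no aligned, ...')
```

The second scenario is why the short x= lifetime and key rotation sections matter: once the replayed signature stops verifying, the forwarder's SPF cannot rescue the message.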

### Regularly rotate DKIM keys

If you frequently rotate your [DKIM keys](/email-security/best-practices-to-follow-for-managing-dkim-keys/), a stolen or captured key quickly becomes stale, so threat actors can’t keep exploiting it for an extended period. Also, ensure that you securely store and manage your keys.

### Restrict third-party senders

If you engage with third-party services to send emails on your behalf, it’s important that you ensure they have proper email authentication protocols in place. Also, make them **follow the best practices** to manage [DKIM keys](/email-security/how-do-you-configure-dkim-keys-for-salesforce/) so that they don’t leave them exposed to misuse. 

[![Third-Party Senders](https://media.mailhop.org/duocircle/images/2025/05/spf-record-tester-7904.jpg)](https://media.mailhop.org/duocircle/images/2025/05/spf-record-tester-7904.jpg)

### Monitor DMARC reports

**Enable DMARC monitoring** in your [DMARC record](/resources/dmarc-records). _Doing so lets you receive detailed and insightful reports on all the emails sent using your domain. Look for unusual patterns, spikes in forwarded messages, and unidentified IP addresses_. All of these can indicate [malicious email attempts](https://www.securitymagazine.com/articles/100687-the-last-six-months-shows-a-341-increase-in-malicious-emails). 
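As an added example (not code from the original post), the following Python reads a DMARC aggregate (RUA) report and applies the two checks named above: source IPs outside your known sending infrastructure, and a rising share of messages that pass DKIM but fail aligned SPF, which is the footprint of forwarded or replayed mail. The report, IP ranges and counts are constructed; the known-sender list is an assumption you would replace with your own inventory.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report in the RFC 7489 Appendix C layout.
# Domains, IPs and counts are made up for illustration.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example.net</org_name>
    <date_range><begin>1746000000</begin><end>1746086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim>
    <aspf>r</aspf><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>fwd.forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

# Assumption: the domain owner's inventory of legitimate sending addresses.
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_records(xml_text):
    """Flatten each <record> into the fields the monitoring rules need."""
    records = []
    for rec in ET.fromstring(xml_text).iter("record"):
        records.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return records


def flag_records(records, known=KNOWN_SENDERS, forward_ratio=0.1):
    """Flag volume from unknown IPs, and a DKIM-pass/SPF-fail pattern (the
    footprint of forwarded or replayed mail) once it exceeds forward_ratio."""
    total = sum(r["count"] for r in records)
    forwarded = 0
    flags = []
    for r in records:
        ip = ipaddress.ip_address(r["source_ip"])
        if not any(ip in net for net in known):
            flags.append(f"unknown source {ip} sent {r['count']} messages "
                         f"(SPF domain {r['spf_domain']})")
        if r["dkim"] == "pass" and r["spf"] == "fail":
            forwarded += r["count"]
    if total and forwarded / total > forward_ratio:
        flags.append(f"{forwarded}/{total} messages look forwarded: "
                     "DKIM pass with unaligned SPF")
    return flags
```

Real RUA reports arrive as gzip or zip attachments; decompress them first and feed the XML to `parse_records`, then compare the forwarded share against your usual baseline rather than a fixed ratio.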

We at [DuoCircle](/) can help you **get started** with [DMARC reporting](/content/dmarc-report) if you haven’t already. So, [contact us](/contact) and see how things work.

## Topics

DKIM, DMARC, Security, SPF


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


Published: May 6, 2025
