New Gmail Warning — Do Not Open This Email From Google

Protecting your accounts and data is getting harder and more complex, despite the best efforts of security defenders. In the same week that we have seen details of Microsoft introducing strict new email authentication rules on May 5 to protect 500 million Outlook users, and the FBI warning that hackers impersonating the FBI have struck, both stories merge as Google confirms that Gmail users are under attack from hackers who bypass its own email authentication protections and leverage trust in Google infrastructure to launch a dangerous and costly threat.

Beware This Gmail Security Alert — No Matter How Real It Appears

When you get an email from Google, a security alert no less, that passes Google’s own email authentication protections, you’d think it was trustworthy, right? Wrong, very wrong indeed, at least for now. An April 16 posting on the X social media platform first alerted us to the threat, which exploits trust in Google’s own protections and platforms to execute a sophisticated hack attack.

An email was sent from a “no-reply@google.com” address and passed the strict DomainKeys Identified Mail (DKIM) authentication checks that Gmail employs. It was sorted by Gmail into “the same conversation as other, legitimate security alerts,” said Nick Johnson, who received the email. The email claimed to be an update regarding Google account activity, but in reality it contained malicious links and attachments.

Gmail Hackers Can Buy Phishing Kits For $25

Although this particular Gmail attack can rightly be described as sophisticated and complex, because it bypassed the protections Google already has in place to prevent brand impersonation of the domains sending authenticated emails to potential victims, the same cannot be said of all phishing campaigns. Indeed, many follow a tried-and-trusted template approach and don’t require anything beyond a fundamental understanding of technology.

NordVPN security experts have revealed that phishing kits are available for as little as $25 in dark web forums and Telegram groups operated by cybercriminals. These kits enable even the least technical attackers to carry out professional-looking scams, warned Adrianus Warmenhoven, a cybersecurity expert with NordVPN.

“With features like drag-and-drop website builders, email templates, and even contact lists,” Warmenhoven said, “these kits lower the barrier to entry, so we’re seeing a surge in the number and variety of attacks.”

Google Promises To Shut Down Gmail Attack With New Update

The good news is that Google has said that it is rolling out protections to counter the specific attacks from the threat actor concerned. “These protections will soon be fully deployed,” a spokesperson said, “which will shut down this avenue for abuse.” In the meantime, Google advised users to enable 2FA protections and switch to using passkeys for Gmail to provide “strong protection against these kinds of phishing campaigns.”

Melissa Bischoping, head of security research at Tanium, warned that while some components of this attack are new – and have been addressed by Google – attacks leveraging trusted business services and utilities are not one-off or novel incidents. Moving forward, Gmail users should still be alert to the danger of genuine-looking emails and alerts that purport to be from legitimate sources, even if that source is Google itself.

“As always,” Bischoping concluded, “robust multi-factor authentication is essential because credential theft and abuse will continue to be an attractive target.”