Attack Overview

Step 1: DKIM-Signed Legal Subpoena Notification

The attacker sends a convincing phishing email impersonating Google Security Alerts with legal investigation themes.

  • The email claims that a subpoena concerning the recipient's Google Account has been received, and quotes a specific support reference number.
  • Attackers replay a legitimate email that Google originally sent and DKIM-signed, so the message carries a valid signature.
  • The content uses formal legal language and official-sounding case numbers to enhance credibility.

Step 2: Legitimate Google Sites Hosting Bypasses Detection

The phishing lure directs victims to realistic-looking support case pages hosted on Google's legitimate infrastructure.

  • Links point to the sites.google[.]com domain, with case-specific URLs that appear authentic.
  • Hosting on Google Sites helps the campaign bypass link-based protections and reduces user suspicion.
  • The support case page displays "Legal Investigations Support" with a case status and documentation review requirements.

Step 3: Credential Harvesting Under Legal Investigation Guise

The final payload redirects to a fake Google login page designed to steal credentials while maintaining the legal investigation narrative.

  • The login page is branded as "Google Support", with messaging about continuing to access the support case.
  • The page requests email or phone credentials under the pretense of verifying access to the case.
  • It appears identical to a real Google login interface and is hosted on a Google-owned domain to avoid suspicion.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • DKIM replay abuse: previously signed, legitimate Google emails pass authentication checks (DKIM/SPF/DMARC) even though they are being replayed maliciously.
  • Trusted hosting on a Google Sites domain helps the campaign bypass link-based protections and user suspicion.
  • Legitimate-looking branding mimics Google's legal and security communication style, with official-sounding case numbers and a formal tone.
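As an added illustration of the DKIM replay point above (example code written for this page, not Abnormal Security's detection logic), the Python below inspects a DKIM-Signature header for signs that a genuinely signed message has been captured and re-sent: headers left out of the signed h= list, no x= expiry, a stale t= timestamp, and a To: header that does not contain the actual envelope recipient. The sample message and the signer domain example.com are constructed stand-ins.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed message: an old, genuinely signed notification re-sent to a new
# victim. The signer example.com stands in for the impersonated brand.
REPLAYED = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;
 t=1700000000; h=from:subject:message-id; bh=AAAA; b=BBBB
From: Security Alerts <alerts@example.com>
To: original-recipient@example.org
Date: Tue, 14 Nov 2023 22:13:20 +0000
Subject: Legal case reference 12345
Message-ID: <constructed-1@example.com>
"""

def parse_dkim_tags(header_value: str) -> dict:
    """Split 'k=v; k=v' into a dict, dropping folding whitespace inside values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def replay_indicators(raw: bytes, envelope_rcpt: str, now: int, max_age_days: int = 7) -> list:
    """Return reasons a DKIM-signed message looks replayed (empty list: none found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(str(sig))
    findings = []
    # Headers left out of h= are unsigned: a replayer can rewrite them and DKIM still verifies.
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    for name in ("to", "date", "subject"):
        if name not in signed:
            findings.append(f"{name} header not covered by h=")
    if "x" not in tags:
        findings.append("no x= expiry tag; signature never expires")
    if "t" in tags and now - int(tags["t"]) > max_age_days * 86400:
        findings.append(f"signature older than {max_age_days} days")
    # A To: lacking the envelope recipient suggests the message was captured once and redistributed.
    to_addrs = {addr.lower() for _, addr in getaddresses([str(msg.get("To", ""))])}
    if envelope_rcpt.lower() not in to_addrs:
        findings.append("envelope recipient not in To header")
    return findings
```

A real mail pipeline would run these checks after cryptographic DKIM verification succeeds, since the point is that the signature itself is valid.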

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral AI flagged the never-before-seen sender, the unusual email content, and the URLs as anomalies, enabling detection of a novel attack.
  • Content analysis and natural language processing recognized urgency and legal pressure tactics as suspicious indicators.
  • Off-pattern message workflows and sender behavior were detected despite the legitimate-appearing infrastructure.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Credential Phishing
Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Email Address; Legitimate Hosting Infrastructure
Theme: Legal Matter
Impersonated Party: Brand
Impersonated Brands: Google
