Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

Abstract:

A novel phishing attack mechanism delivers malicious emails that pass the DKIM signature check and are sent from the address no-reply@google.com. Using a DKIM replay attack, the attackers are able to bypass standard email security measures and additionally leverage the perceived credibility of a legitimate Google alert. The email presents the target with a falsified narrative regarding a law enforcement subpoena and directs them through fake Google support steps to extract their information. Google has since implemented updates to shut down this attack vector.

Author:
Ravie Lakshmanan
Year:
2025
MIT Political Science
ECIR
GSS