A new phishing campaign is tricking users into believing they’ve received a subpoena from law enforcement, using emails that appear to come from “[email protected].”
The scam leans on two of Google’s own services: Google Sites hosts the fake login page, and Google’s app registration (OAuth) flow produces the email itself, exploiting the trust users place in Google-branded messages.
According to BleepingComputer and EasyDMARC, the attackers did not break DKIM (DomainKeys Identified Mail), a key email authentication mechanism, so much as replay it. They register an app with Google whose name is the phishing text itself, then grant that app access to an attacker-controlled Google account. Google’s own infrastructure responds with a genuine, DKIM-signed security alert that quotes the app name verbatim in the message body. The attacker forwards that message unchanged to victims: DKIM signs the body and selected headers, not the route the mail takes, so the signature still validates at the recipient, and because the signing domain matches the From address, the message also passes DMARC.
The phishing links send victims to a page hosted on sites.google.com that closely mimics Google’s login page. The goal is to steal account credentials under the guise of a law-enforcement alert.
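To make the replay concrete, the following added example (not code from the article, from Google, or from the researchers it cites) models the three steps: Google emits a security alert whose body contains the attacker-chosen app name and is DKIM-signed, an MTA hop adds only trace headers, and the attacker re-sends the identical signed bytes to a victim. It recomputes the DKIM body hash (the `bh=` tag) with the RFC 6376 canonicalisation rules and shows it still matches after the replay but not after the body is edited; the `b=` signature itself is a placeholder, since checking it would need Google’s public key from DNS. The alert template, selector, addresses, hostnames and the app-name phishing text are all constructed, and the triage rule in `assess()` is the author-of-this-example’s suggestion, not a check the article describes.

```python
"""Why a DKIM-signed message survives re-sending (DKIM replay), with a triage check.
Added example; every address, hostname, selector and template line is constructed."""
import base64
import hashlib
import re
from email import message_from_bytes

CRLF = b"\r\n"


def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalisation, 'simple' or 'relaxed'."""
    lines = body.split(CRLF)
    if mode == "relaxed":  # collapse WSP runs to one SP, strip trailing WSP per line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":  # both modes drop trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else CRLF
    return CRLF.join(lines) + CRLF


def body_hash(body: bytes, mode: str) -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def split_message(raw: bytes):
    raw = raw.replace(CRLF, b"\n").replace(b"\n", CRLF)  # normalise line endings
    head, _, body = raw.partition(CRLF + CRLF)
    return head, body


def parse_tags(sig: str) -> dict:
    """DKIM-Signature tag=value list; folding whitespace inside values is ignored."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def addr_domain(value) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower().rstrip(".") if m else ""


def same_org(dom: str, d: str) -> bool:
    return bool(d) and (dom == d or dom.endswith("." + d))


def build_signed_alert(app_name: str) -> bytes:
    """Stand-in for Google's OAuth security-alert mail (constructed wording).
    bh= is genuinely computed over the body; b= is a placeholder."""
    body = (b"Security alert" + CRLF + CRLF + app_name.encode()
            + b" was granted access to your Google Account" + CRLF + CRLF
            + b"If you did not grant access, you should check this activity." + CRLF)
    bh = body_hash(body, "relaxed").encode()
    head = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=example;" + CRLF
            + b" h=from:to:subject:date:message-id; bh=" + bh + b";" + CRLF
            + b" b=PLACEHOLDER-a-real-signature-needs-the-signers-key" + CRLF
            + b"From: Google <no-reply@google.com>" + CRLF
            + b"To: attacker-workspace@example.net" + CRLF
            + b"Subject: Security alert" + CRLF
            + b"Date: Mon, 21 Apr 2025 10:00:00 +0000" + CRLF
            + b"Message-ID: <constructed@google.com>" + CRLF)
    return head + CRLF + body


def deliver(msg: bytes, envelope_from: str, rcpt: str, mx: str) -> bytes:
    """One MTA hop. It only prepends trace headers; nothing listed in h= and nothing
    in the body changes, which is exactly why the signature survives a replay."""
    trace = (b"Return-Path: <" + envelope_from.encode() + b">" + CRLF
             + b"Delivered-To: " + rcpt.encode() + CRLF
             + b"Received: by " + mx.encode() + b" for <" + rcpt.encode() + b">" + CRLF)
    return trace + msg


def assess(raw: bytes) -> dict:
    """Triage: aligned DKIM whose envelope sender is a different organisation than
    the signer is the fingerprint of a replayed (or legitimately forwarded) mail."""
    head, body = split_message(raw)
    msg = message_from_bytes(head + CRLF)
    tags = parse_tags(msg.get("DKIM-Signature", ""))
    d = tags.get("d", "").lower()
    c = tags.get("c", "simple")
    body_mode = c.split("/")[1] if "/" in c else "simple"  # c=relaxed alone means relaxed/simple
    rcpt = (msg.get("Delivered-To") or "").strip().lower()
    r = {
        "signer": d,
        "bh_ok": bool(tags) and tags.get("bh") == body_hash(body, body_mode),
        "dmarc_aligned": same_org(addr_domain(msg.get("From")), d),
        "envelope_matches_signer": same_org(addr_domain(msg.get("Return-Path")), d),
        "rcpt_in_signed_to": bool(rcpt) and rcpt in (msg.get("To") or "").lower(),
    }
    if not tags:
        r["verdict"] = "unsigned"
    elif not r["bh_ok"]:
        r["verdict"] = "body altered after signing"
    elif r["dmarc_aligned"] and not r["envelope_matches_signer"]:
        r["verdict"] = "possible DKIM replay"
    else:
        r["verdict"] = "consistent"
    return r


# Constructed phishing text used as the app name; the URL path is a placeholder.
APP_NAME = ("ATTENTION: a subpoena has been issued for your account. Review the case at "
            "https://sites.google.com/view/CONSTRUCTED-EXAMPLE")
SIGNED = build_signed_alert(APP_NAME)
# 1. Google delivers its genuine alert to the attacker's own mailbox.
GENUINE = deliver(SIGNED, "bounce@google.com", "attacker-workspace@example.net", "mx.example.net")
# 2. The attacker re-sends the identical signed bytes to a victim.
REPLAYED = deliver(SIGNED, "attacker-workspace@example.net", "victim@corp.example", "mx.corp.example")
# 3. Editing the signed body (for example swapping the link) breaks bh=.
TAMPERED = deliver(SIGNED.replace(b"CONSTRUCTED-EXAMPLE", b"OTHER"),
                   "attacker-workspace@example.net", "victim@corp.example", "mx.corp.example")

if __name__ == "__main__":
    for name, m in (("genuine", GENUINE), ("replayed", REPLAYED), ("tampered", TAMPERED)):
        print(name, assess(m))
```

The replayed copy keeps a valid body hash and full DMARC alignment; the only things that give it away are the trace headers the attacker cannot sign: a Return-Path outside google.com and a Delivered-To that is absent from the signed To: header. Both signals also fire on legitimate forwarding (mailing lists, auto-forwards), so treat the verdict as a triage flag to review with the full `Received` chain rather than a blocking rule.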
In response, Google has acknowledged the attack, with Gmail Security’s Ross Richendrfer stating that the company has “rolled out protections to shut down this avenue for abuse.” He also urged users to enable two-factor authentication and passkeys to strengthen their defenses.
This incident follows a similar DKIM replay attack on PayPal users and highlights growing concern over how trusted services can be turned into phishing infrastructure.
Nick Johnson, a developer at Ethereum Name Service, reported the issue to Google, which initially closed it as “working as intended” but is now reportedly working on a fix.
Bijay Pokharel