A phishing campaign has been discovered in which criminals combined Google Sites with a DKIM replay technique to deliver phishing emails that carry a valid DKIM signature from a trusted domain, pass traditional spam and authentication filters, and feed a large-scale credential-theft operation.
How the Google Sites and DKIM Replay Phishing Attack Works
Cybersecurity researchers have identified a new wave of phishing attacks that abused a design property of DomainKeys Identified Mail (DKIM) rather than a flaw in any single implementation. A DKIM signature proves that the signing domain produced a given set of headers and a given body; it does not bind the message to an envelope recipient, a delivery path, or a time window. The attackers obtained a legitimately signed message from a trusted domain whose signed content already carried the lure text and link, then replayed that message, unmodified, to new recipients. Because nothing covered by the signature was changed (altering the signed headers or body would have broken the signature), the signature still verified, and the phishing messages appeared authentic to major email filtering systems that key on DKIM and DMARC results.
To further enhance credibility, the attackers hosted the credential-harvesting login pages on Google Sites, Google's free website creation platform. Since the signing domain was a trusted one and the URLs pointed at a google.com host, most email systems and many users had no reason to treat the content as suspicious.
This method made it possible to steal credentials from users across sectors, including finance, education, and tech industries, all while evading standard threat detection mechanisms.
Why This Phishing Campaign Is So Dangerous
Unlike traditional phishing emails, which often carry suspicious links or grammatical errors, these messages were expertly crafted and hard to distinguish from legitimate ones. The emails:
- Carried a DKIM signature from the legitimate sending domain that still verified
- Originated from real Google servers before being relayed on by the attackers
- Directed users to Google Sites URLs
- Asked for logins under the guise of account verification or document access
Because DKIM verification checks only that the signed headers and body are unmodified and were signed by the claimed domain, and not whom the message was delivered to or when, a replayed copy of a legitimate message verifies exactly as the original did. DMARC then passes on DKIM alignment alone, so filters that trust authentication results saw nothing wrong, making replay an extremely effective bypass technique.
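The following is an added example, not code from the original article or from Google, illustrating the mechanics described in the sections above: a simplified DKIM model in which a signature covers a body hash and the listed headers, so an unmodified message replayed to a new envelope recipient through an attacker's relay still verifies, while any edit to the signed body or headers breaks it. HMAC-SHA256 with a shared key stands in for the RSA signature and DNS-published public key of real DKIM (an assumption for the sake of an offline demo); all domains, addresses and message text are constructed.

```python
import hashlib
import hmac

# Simplified DKIM model (added example, not a real DKIM implementation).
# Assumption: HMAC with a shared key replaces the RSA signature / DNS key
# of real DKIM; the structure is the same: bh= is a hash of the
# canonicalised body, b= signs the headers listed in h= plus the
# DKIM-Signature header itself.
SIGNED_HEADERS = ("from", "to", "subject", "date")
SELECTOR_KEY = b"example-selector-key"  # constructed; not a real key


def _canon_header(name, value):
    # relaxed-style canonicalisation: lowercase name, collapse whitespace
    return f"{name.lower()}:{' '.join(value.split())}"


def _get(headers, name):
    # case-insensitive lookup over a list of (name, value); first match wins
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return ""


def body_hash(body):
    # simple-style body canonicalisation: CRLF line endings, one trailing CRLF
    canon = "\r\n".join(body.splitlines()).rstrip("\r\n") + "\r\n"
    return hashlib.sha256(canon.encode()).hexdigest()


def _sig_input(headers, sig_without_b):
    lines = [_canon_header(n, _get(headers, n)) for n in SIGNED_HEADERS]
    lines.append(_canon_header("dkim-signature", sig_without_b))
    return "\r\n".join(lines).encode()


def sign(message, domain):
    """Return a copy of the message with a DKIM-Signature header prepended."""
    headers, body = message["headers"], message["body"]
    unsigned = f"v=1; d={domain}; h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b="
    b = hmac.new(SELECTOR_KEY, _sig_input(headers, unsigned), hashlib.sha256).hexdigest()
    return {**message, "headers": [("DKIM-Signature", unsigned + b)] + headers}


def verify(message):
    """True if both the body hash and the header signature check out.
    Note what is NOT checked: envelope recipient, relay path, age."""
    headers, body = message["headers"], message["body"]
    sig = _get(headers, "DKIM-Signature")
    if not sig:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    if tags.get("bh") != body_hash(body):
        return False
    unsigned = sig[: sig.rindex("b=") + 2]
    expected = hmac.new(SELECTOR_KEY, _sig_input(headers, unsigned), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags.get("b", ""))


def build_original():
    # Constructed sample: a legitimate notification from a trusted sender whose
    # signed body already carries the lure and the Google Sites link.
    return {
        "envelope_rcpt": "me@attacker-owned.example",
        "headers": [
            ("From", "Notifications <no-reply@trusted-sender.example>"),
            ("To", "me@attacker-owned.example"),
            ("Subject", "Security alert"),
            ("Date", "3 Jun 2024 09:00:00 +0000"),
        ],
        "body": "Review the request at https://sites.google.com/view/case-review\n",
    }


def replay(signed, new_rcpt, relay_host):
    """What the attacker's MTA does: new envelope recipient plus an unsigned
    Received header; every signed header and the body are left untouched."""
    return {
        **signed,
        "envelope_rcpt": new_rcpt,
        "headers": [("Received", f"from {relay_host}")] + signed["headers"],
    }


def tamper(signed, new_body):
    # Any change to signed content breaks the signature, which is why replay
    # works only when the lure is already inside the signed message.
    return {**signed, "body": new_body}


if __name__ == "__main__":
    signed = sign(build_original(), "trusted-sender.example")
    print("original verifies:", verify(signed))
    print("replayed copy verifies:", verify(replay(signed, "alice@victim.example", "mail.attacker-owned.example")))
    print("edited body verifies:", verify(tamper(signed, "changed\n")))
```

The replayed copy verifies because the receiving side recomputes exactly what the original verifier did; the extra Received header and the new RCPT TO are outside h= and outside the message respectively. Real DKIM does offer an optional signature expiry tag (x=), which this toy model omits, and senders rarely set it.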
Who Is at Risk?
Organizations that rely solely on DKIM, SPF, and DMARC results, without behavioral analytics on what authenticated mail actually contains and without phishing simulations, are particularly vulnerable. Individuals who routinely receive emails with document links or shared folders are also prime targets.
Phishing emails using DKIM replay and Google Sites have been identified in:
- Educational institutions using Google Workspace
- Corporate email environments with weak phishing awareness training
- NGOs and nonprofits using Google tools without two-factor authentication
Industry Response and Recommended Security Measures
Google has acknowledged the abuse of its infrastructure and stated it is actively working to improve monitoring and restrict such misuse of Google Sites. Meanwhile, cybersecurity experts are urging all organizations to:
- Implement multi-factor authentication (MFA) on all accounts, preferring phishing-resistant methods such as FIDO2 security keys, since a one-time code typed into a look-alike login page can be relayed by the attacker just like the password
- Use anomaly detection that flags unexpected behaviors (stale dates, recipient mismatches, links to user-generated hosting) even when DKIM and DMARC pass
- Block access to Google Sites from corporate networks, if it is not used officially
- Conduct phishing awareness training for employees and users
- Upgrade to advanced email protection services with real-time URL scanning
Additionally, industry voices are calling for updates to email authentication standards such as DKIM and DMARC to limit replay and reduce reliance on trust-based validation alone. DKIM already offers an optional signature expiry tag (x=) that senders rarely set; shorter signature lifetimes would narrow, though not close, the replay window.
Conclusion
This attack, which used DKIM replay and Google Sites to deliver validly signed phishing emails, is a clear example of how threat actors continue to evolve their tactics to exploit weaknesses in trust-based security systems. It serves as a wake-up call for organizations and individuals alike to stay vigilant, invest in layered security that inspects what authenticated mail actually contains, and ensure users are trained to recognize phishing threats, no matter how authentic they appear.