Gmail Users Warned About Dangerous 'No-Reply' Phishing Scam That Looks Totally Legit

By Khadija Pervez in News On 22nd May 2025

A cybersecurity expert has dissected a dangerously clever phishing scam that’s hitting Gmail users, and it’s coming from what appears to be a completely legit source.

Nick Johnson, who founded Ethereum Name Service, took to Twitter recently to share details about what he called an “extremely sophisticated phishing attack.” He explained that the scam takes advantage of a vulnerability buried within Google’s infrastructure.

And it looks like the scam is still active. Just last week, cybersecurity company Kaspersky released an article about the issue.


What does the 'no-reply' phishing email look like?

Johnson starts by pointing out that the message looks totally valid and signed.

"It really was sent from [email protected]," he said. "It passes the DKIM signature check, and GMail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts."

He also noted that the 'Sites' link in the email takes users to a fake support portal that’s actually pretty convincing, with a domain that looks totally trustworthy at first glance.

Johnson explained that if you go on to click options like “Upload additional documents” or “View case,” you’re taken to a fake sign-in page that’s almost identical to the real Google login screen.

"The only hint it's a phish is that it's hosted on http://sites.google.com instead of http://accounts.google.com," he added.

His theory is that the goal is to trick users into entering their login details so scammers can steal them and take control of their accounts.

Of course, Johnson didn’t go through with entering his own info, but he explained how dangerous the trap really is.

So, what makes this phishing email look so real?

[Image: The phishing email is seriously advanced. Credit: Twitter/ @nicksdjohnson]

How does the phishing 'no-reply' email look so 'convincing'?

Basically, scammers start by registering a domain, then they create a Google account like “me@domain.” They follow that up by creating a Google OAuth app and placing the phishing message in it, padded with white space and lines like “Google Legal Support.”

"Now they grant their OAuth app access to their 'me@...' Google account. This generates a 'Security Alert' message from Google, sent to their 'me@...' email address. Since Google generated the email, it's signed with a valid DKIM key and passes all the checks," Johnson explained.

Next, they forward the message to their targets. Because DKIM validation only covers the message body and the signed headers, not the envelope it was actually sent in, the forwarded copy still passes the checks and appears legit in the user’s inbox. It even shows up in the same conversation thread as actual security emails from Google.


"Because they named their Google account 'me@', GMail shows the message was sent to 'me' at the top, which is the shorthand it uses when a message is addressed to your email address - avoiding another indication that might send up red flags," Johnson added.

He believes this all works because of two key weaknesses in Google’s backend systems.

[Image: The email was 'really sent from [email protected]'. Credit: Twitter/ @nicksdjohnson]

The 'two vulnerabilities in Google infrastructure'

Johnson explained that the fake portal trick is actually pretty easy to pull off, since users are allowed to host their own content on subdomains under http://google.com.

He also pointed out there’s no way to report abuse from within the Google Sites interface itself. That makes it even easier for scammers to upload fresh versions of fake scripts and sketchy embeds.

His advice? Google should shut down script and arbitrary embed support in Sites, since it creates a major opening for phishing scams like this one.

However, while the fake site is a concern, Johnson emphasized that the email side of the attack is actually the most advanced part.

So how did he manage to catch the scam before falling for it?

[Image: The white space is reportedly a clue something's phishy. Credit: Twitter/ @nicksdjohnson]

How to spot a phishing email

Johnson said the first red flag was in the email’s header.

"Although it was signed by http://accounts.google.com, it was emailed by http://privateemail.com, and sent to 'me@blah,'" he explained.

As for the second hint? "Below the phishing message is a lot of whitespace (mostly not shown) followed by 'Google Legal Support was granted access to your Google Account' and the odd me@... email address again," Johnson pointed out.
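To make Johnson's two hints concrete, here is an added Python example (not from the article or from Johnson) that runs those checks over a constructed raw message carrying the traits described above: signed by accounts.google.com, relayed through privateemail.com, addressed to "me@blah", and padded with blank lines before the real OAuth grant notice. Every address, hostname and DKIM value is a placeholder, and the registrable-domain helper is a deliberate simplification.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real capture) of the forwarded "Security alert".
# Addresses, hostnames and signature values are placeholders.
SAMPLE_RAW = (
    "Delivered-To: victim@example.net\n"
    "Return-Path: <forwarder@privateemail.com>\n"
    "Received: from mail.privateemail.com (mail.privateemail.com [192.0.2.10])\n"
    "        by mx.example.net with ESMTPS; Mon, 19 May 2025 10:00:00 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=constructed;"
    " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Google <no-reply@accounts.google.com>\n"
    "To: me@blah.example\n"
    "Subject: Security alert\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "(lure text as described in the article goes here)\n"
    + "\n" * 40
    + "Google Legal Support was granted access to your Google Account me@blah.example\n"
)

def registrable(host: str) -> str:
    """Crude two-label root (accounts.google.com -> google.com); enough for this demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw: str) -> dict:
    """Return the red flags Johnson listed as booleans; any True deserves a closer look."""
    msg = message_from_string(raw, policy=policy.default)
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    signer = registrable(m.group(1)) if m else ""
    r = re.search(r"from\s+([\w.-]+)", str(msg.get_all("Received", [""])[0]))
    relay = registrable(r.group(1)) if r else ""
    to_local, _, to_domain = str(msg.get("To", "")).strip("<>").lower().partition("@")
    delivered = str(msg.get("Delivered-To", "")).lower().partition("@")[2]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return {
        # Signed by one organisation but handed over by another relay; legitimate
        # forwarding also trips this, so treat it as a prompt to look, not proof.
        "signer_relay_mismatch": bool(signer and relay and signer != relay),
        # A "me@" local part makes Gmail render the recipient as just "me".
        "to_me_alias": to_local == "me",
        # Addressed to a domain that is not the mailbox it actually landed in.
        "recipient_domain_mismatch": bool(delivered and to_domain != delivered),
        # Long run of blank lines hiding the genuine OAuth grant line under the lure.
        "whitespace_padding": bool(re.search(r"(?:\n[ \t]*){10,}.*was granted access", text)),
    }
```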

Johnson reported the issue to Google and later shared that the company got back to him saying they plan to fix the OAuth bug that helped make this possible.

What Google has said about the 'no-reply' email

A Google spokesperson said: "We're aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns."