Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Hackers Exploit Google OAuth for DKIM-Verified Phishing Emails

Anka Markovic Borak, Writer and Quality Assessor. First published on April 23, 2025.

Recently, cybercriminals exploited a vulnerability in Google’s OAuth system to send phishing emails that appeared legitimate by passing DKIM (DomainKeys Identified Mail) verification. The incident came to light when a fraudulent Google security alert was reported. The attack leveraged Google’s infrastructure, directing victims to a convincing fake support portal hosted on a Google-owned domain to steal credentials.

Hackers orchestrated the phishing campaign by exploiting a flaw that allowed malicious emails to bypass DKIM checks and appear authentic. The attack gained attention after Ethereum Name Service (ENS) engineer Nick Johnson received a fake subpoena alert, revealing a major weakness in current email authentication standards.

The attackers sent emails that mimicked legitimate messages from no-reply@google.com, successfully passing DKIM verification despite originating from a different sender. This technique, known as a DKIM replay attack, abuses legitimate email headers and Google’s trusted infrastructure to bypass traditional spam filters.

The phishing emails redirected users to a fake support portal hosted on Google’s sites.google.com, which visually replicated Google’s login page. Despite some signs of illegitimacy in the URL, the use of a Google-owned domain made the attack appear more trustworthy.

According to the developer who uncovered the attack, the hackers first registered a custom domain and created a Google account with an address like me@domain. They then built an OAuth app whose name was the text of the phishing message itself. By granting that app access to their own account, they triggered Google to send a DKIM-signed security alert, delivered straight to their own inbox.

This DKIM-authenticated email was then forwarded to potential victims. Because DKIM validates only the signed headers and the message body, not the SMTP envelope sender, security systems treated the forwarded copy as legitimate. Gmail even displayed it as if it had been sent directly to the victim's own address, masking the usual warning signs.
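The mechanism described above is easy to see in code. The following is an added example, not code from the article or from Google: it signs a message over a fixed set of headers plus the body (as DKIM's h= and bh= tags do), then shows that re-delivering the identical bytes with a different SMTP envelope still verifies, and finally lists the envelope-level signals a receiving system can check that the signature alone never covers. The signature primitive is an HMAC stand-in for DKIM's public-key signature so the example runs with only the standard library; the domains, addresses and key are constructed, and `replay_indicators` is a hypothetical receiver-side check, not a Google or EasyDMARC API.

```python
"""Added example: a DKIM-style signature survives replay with a new envelope.

The HMAC below is a stand-in for DKIM's RSA/Ed25519 signature (assumption
made so the example runs offline); everything the signature covers, and
everything it does not, is the same as in real DKIM.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

SIGNING_DOMAIN = "example.com"           # constructed d= domain of the signer
SIGNING_KEY = b"constructed-test-key"    # constructed; stands in for the private key
SIGNED_HEADERS = ("from", "to", "subject", "date")   # DKIM h= list


def _signing_input(msg: EmailMessage) -> bytes:
    """Concatenate the signed headers and the body hash, like DKIM's h= / bh=."""
    parts = [f"{name}:{(msg.get(name) or '').strip()}".encode() for name in SIGNED_HEADERS]
    body_hash = hashlib.sha256(msg.get_content().encode()).hexdigest()
    parts.append(f"bh={body_hash}".encode())
    return b"\r\n".join(parts)


def _sig_fields(msg: EmailMessage) -> dict:
    """Parse the tag=value pairs of the (simplified) DKIM-Signature header."""
    sig = msg.get("DKIM-Signature", "")
    return dict(p.strip().split("=", 1) for p in sig.split(";") if "=" in p)


def sign(msg: EmailMessage) -> EmailMessage:
    """Attach a signature over the headers in SIGNED_HEADERS and the body."""
    tag = hmac.new(SIGNING_KEY, _signing_input(msg), hashlib.sha256).hexdigest()
    msg["DKIM-Signature"] = f"d={SIGNING_DOMAIN}; h={':'.join(SIGNED_HEADERS)}; b={tag}"
    return msg


def verify(msg: EmailMessage) -> bool:
    """Signature check only: the SMTP envelope is never an input here."""
    fields = _sig_fields(msg)
    if fields.get("d") != SIGNING_DOMAIN:
        return False
    expected = hmac.new(SIGNING_KEY, _signing_input(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields.get("b", ""))


def replay_indicators(msg: EmailMessage, mail_from: str, rcpt_to: str,
                      now: datetime, max_age: timedelta = timedelta(hours=24)) -> list:
    """Hypothetical receiver-side checks on what DKIM does not cover."""
    findings = []
    sig_domain = _sig_fields(msg).get("d", "").lower()
    # 1. Envelope sender (MAIL FROM / Return-Path) should align with the d= domain.
    if mail_from.rsplit("@", 1)[-1].lower() != sig_domain:
        findings.append("envelope sender not aligned with DKIM d= domain")
    # 2. Envelope recipient (RCPT TO) should appear among the signed To/Cc addresses.
    signed_rcpts = set()
    for name in ("To", "Cc"):
        header = msg[name]
        if header is not None:
            signed_rcpts.update(a.addr_spec.lower() for a in header.addresses)
    if rcpt_to.lower() not in signed_rcpts:
        findings.append("envelope recipient absent from signed To/Cc")
    # 3. A signed Date far in the past suggests an old message being re-sent.
    if msg["Date"] is not None and now - parsedate_to_datetime(msg["Date"]) > max_age:
        findings.append("signed Date older than max_age")
    return findings


def demo() -> dict:
    """Original delivery versus replay of the same signed bytes."""
    msg = EmailMessage()
    msg["From"] = "no-reply@example.com"             # constructed
    msg["To"] = "me@registered.example"              # constructed, the signer's own customer
    msg["Subject"] = "Security alert"
    msg["Date"] = "Wed, 23 Apr 2025 10:00:00 +0000"
    msg.set_content("A legal request has been issued for your account. Review it at the portal.")
    sign(msg)

    # Original delivery: envelope matches the signed headers, delivered minutes later.
    t0 = datetime(2025, 4, 23, 10, 5, tzinfo=timezone.utc)
    original_flags = replay_indicators(msg, "no-reply@example.com", "me@registered.example", t0)

    # Replay: the identical message bytes, re-sent two days later with a new envelope.
    t1 = datetime(2025, 4, 25, 10, 0, tzinfo=timezone.utc)
    replay_flags = replay_indicators(msg, "relay@registered.example", "victim@example.org", t1)

    return {
        "verifies_original": verify(msg),
        "verifies_replay": verify(msg),      # same bytes, so the signature still holds
        "original_flags": original_flags,
        "replay_flags": replay_flags,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the output is that `verify` returns True in both cases, so DKIM alone cannot distinguish the two deliveries; only the envelope-level checks in `replay_indicators` separate them. Real receivers get the first of these checks from DMARC alignment, and the recipient and age checks are the kind of heuristic mail filters layer on top.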

Email security firm EasyDMARC later analyzed and confirmed the use of the DKIM replay technique. Similar tactics have been observed before, such as in a March phishing campaign that targeted PayPal users. In that case, attackers exploited PayPal’s “gift address” system to distribute DKIM-verified phishing emails.

Although PayPal declined to comment, Google initially said the functionality was working as intended. However, after reviewing the incident, the company acknowledged the risk and is now working on a fix to prevent future abuse of its OAuth and DKIM systems.

About the Author

Anka Markovic-Borak is a writer and quality assessor at vpnMentor, who leverages her expertise to write insightful articles on cybersecurity, driven by her passion for protecting online privacy. She also ensures articles written by others are reaching vpnMentor's high standards.
