A new phishing campaign is using Google’s old Sites tool to trick users into thinking they’re getting emails from Google. These emails look legit, pass through spam filters, and even land in users’ inboxes right next to real alerts.
Here’s how it works. Attackers create a fake website using Google Sites, a platform that lets anyone build web pages under the trusted sites.google.com domain. Because the site is hosted on Google’s domain, it comes with all the trust that Google’s brand and security bring — including valid SSL certificates.
That trust is exactly what makes these attacks so dangerous. Scammers forward real Google emails they’ve received — without changing the content. The trick? The DKIM signature, which confirms that the signed headers and body haven’t been altered since Google signed them, still validates on the forwarded copy. So the replayed email sails past spam filters.
Even more clever, the attackers use an address like me@[malicious domain], then forward a legitimate message using that account. Since Gmail treats the email as a reply to something the user actually received, it drops right into the same thread — making it look totally normal.
Ethereum developer Nick Johnson spotted one of these attacks firsthand. He noticed that the attacker had named the Google OAuth app with the full text of the phishing message. Gmail showed the message as coming from “me,” which is how it normally shows mail sent to your own address. That small touch added even more believability.
EasyDMARC CEO Gerasim Hovhannisyan also flagged the problem. He explained that because Google Sites is a trusted domain, even fake content hosted there looks real to both users and email systems. That makes it easier for hackers to fool people.
At first, Google dismissed the issue. They said the system was working as intended. But after researchers raised alarms, Google agreed to fix the OAuth loophole used in these phishing attacks.
This incident is a reminder that even big platforms like Google can be turned into attack tools. Users should stay alert — even when emails look like they’re coming from trusted sources.