{"id":45878,"date":"2025-04-11T11:57:32","date_gmt":"2025-04-11T11:57:32","guid":{"rendered":"https:\/\/easydmarc.com\/blog\/?p=45878"},"modified":"2025-08-29T14:06:51","modified_gmt":"2025-08-29T14:06:51","slug":"google-spoofed-via-dkim-replay-attack-a-technical-breakdown","status":"publish","type":"post","link":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/","title":{"rendered":"Google Spoofed Via DKIM Replay Attack: A Technical Breakdown"},"content":{"rendered":"\n<p>This morning started with a call from a friend &#8211; clearly shaken. He had just received an alarming email that looked strikingly legitimate. Unsure whether it was safe or a scam, he reached out to me for help verifying its authenticity.<\/p>\n\n\n\n<p>What followed was a deep dive into the message to determine whether it was a genuine communication or a cleverly crafted phishing attempt. The email was convincing enough to create real concern, and that\u2019s what makes this story worth sharing.<\/p>\n\n\n\n<p>This was the email:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"767\" height=\"1024\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744359709180-767x1024.png\" alt=\"\" class=\"wp-image-45893\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744359709180-767x1024.png 767w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744359709180-225x300.png 225w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744359709180-768x1025.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744359709180.png 1124w\" sizes=\"(max-width: 767px) 100vw, 767px\" \/><\/figure>\n\n\n\n<p>The email claimed that a subpoena had been issued by law enforcement requesting the extraction (access\/download) of the contents of his Google Account.<br \/><br \/>What made the situation even more alarming was that 
the<strong> email appeared to come from a legitimate Google no-reply address<\/strong>. On the surface, everything looked clean \u2013 no typos, no odd links, and the sender domain seemed genuine. But something felt off, and that gut feeling is often your first line of defense.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-digging-deeper-investigating-the-suspicious-email\">Digging Deeper: Investigating the Suspicious Email<\/h2>\n\n\n\n<p>Curious and concerned, I examined the email headers and link previews in a <strong>sandbox<\/strong> environment, a secure setup isolated from production systems, specifically designed for this kind of research. On the surface, everything appeared to check out:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>sender address<\/strong> looked like an official Google no-reply domain<\/li>\n\n\n\n<li>The <strong>branding<\/strong> and <strong>language<\/strong> were polished and professional<\/li>\n\n\n\n<li>There were <strong>no obvious grammar issues<\/strong> or suspicious attachments.<\/li>\n<\/ul>\n\n\n\n<p>But as we know, phishing campaigns have gotten much more sophisticated. So, I dug into the <strong>email headers<\/strong>, checking the <strong>SPF, DKIM, and DMARC<\/strong> authentication results. That\u2019s when the red flags began to appear: every check passed, yet the message had not travelled the path a genuine Google notification would.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-important-reminder-don-t-engage-with-suspicious-emails\"><strong>Important Reminder: Don\u2019t Engage with Suspicious Emails<\/strong><\/h2>\n\n\n\n<p><strong>Never click on links or follow instructions in suspicious emails<\/strong>, no matter how legitimate they may seem. 
Even opening a link or downloading a file could trigger malicious scripts or redirect you to phishing sites designed to steal your credentials.<\/p>\n\n\n\n<p>If you\u2019re unsure, <strong>leave the investigation to professionals<\/strong> who can safely analyze the message in a <strong>sandboxed environment<\/strong>.<\/p>\n\n\n\n<p>Interacting with a malicious email outside of such an environment could result in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Loss of sensitive data<\/li>\n\n\n\n<li>Business Email Compromise (BEC)<\/li>\n\n\n\n<li>Account takeovers<\/li>\n\n\n\n<li>Wider network breaches<\/li>\n<\/ul>\n\n\n\n<p><strong>When in doubt, don\u2019t click \u2013 report and escalate.<\/strong><\/p>\n\n\n\n<p>Here is the URL from that email:<br \/><br \/><a href=\"https:\/\/sites.google.com\/u\/34961821\/d\/1XMIxkFiq54WpH2tKqay2EPnhN0Ukovet\/edit\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/sites.google.com\/u\/34961821\/d\/1XMIxkFiq54WpH2tKqay2EPnhN0Ukovet\/edit<\/a>&nbsp;<\/p>\n\n\n\n<p>This redirects to the Google account login page if you are not logged in:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"746\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360359001-1024x746.png\" alt=\"\" class=\"wp-image-45896\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360359001-1024x746.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360359001-300x218.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360359001-768x559.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360359001-1200x874.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360359001.png 1373w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>After logging in, or if you are already logged in, it sends you to the <strong>Google Sites 
page<\/strong>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"680\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360418162-1024x680.png\" alt=\"\" class=\"wp-image-45899\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360418162-1024x680.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360418162-300x199.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360418162-768x510.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360418162-1200x797.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360418162.png 1488w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Here\u2019s something critically important to understand: <strong>This is <\/strong><strong><em>not<\/em><\/strong><strong> a real Google support page.<\/strong> It\u2019s not a Google sign-in page. It\u2019s not any official Google property in the traditional sense.<\/p>\n\n\n\n<p>Instead, it\u2019s a <strong>regular Google Sites page<\/strong>, <strong>a free tool anyone can use to build a website. <\/strong>In this case, cybercriminals used it to create a page that mimics an official Google support case, complete with convincing visuals and language.<\/p>\n\n\n\n<p>Because it\u2019s hosted on a trusted <mark style=\"color:#32ac1f\" class=\"has-inline-color\">google.com<\/mark><mark style=\"color:#547b4e\" class=\"has-inline-color\"> <\/mark>subdomain (like <mark style=\"color:#23b347\" class=\"has-inline-color\">sites.google.com<\/mark>), many users let their guard down. 
But don\u2019t be fooled \u2013 <strong>just because the domain looks legitimate doesn&#8217;t mean the content is.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-google-sites-is-used-for\">What Google Sites Is Used For<\/h2>\n\n\n\n<p>Google Sites serves as a practical tool for various purposes, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Internal team pages (like company intranets or project dashboards)<\/li>\n\n\n\n<li>Documentation hubs<\/li>\n\n\n\n<li>Event landing pages<\/li>\n\n\n\n<li>Personal portfolios or school projects<\/li>\n\n\n\n<li>Simple public websites<br \/><\/li>\n<\/ul>\n\n\n\n<p>You can create a site by dragging and dropping content blocks (text, images, videos, Google Docs, etc.), and it&#8217;s tightly integrated with other Google Workspace tools.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-when-trusted-infrastructure-becomes-a-threat-google-sites-abuse\">When Trusted Infrastructure Becomes a Threat: Google Sites Abuse<\/h3>\n\n\n\n<p><strong>Google Sites<\/strong>, originally launched in <strong>2008<\/strong>, is part of Google Workspace and allows any authenticated user to create a custom website hosted under the <mark style=\"color:#289e26\" class=\"has-inline-color\">sites.google.com<\/mark> domain. 
It\u2019s widely used for internal and public-facing content due to its ease of use, zero cost, and native integration with Google products.<\/p>\n\n\n\n<p>However, that same convenience is now being weaponized by attackers.<\/p>\n\n\n\n<p>Why it\u2019s dangerous:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anyone with a Google account can create a site that looks legitimate and is hosted under a <strong>trusted Google-owned domain<\/strong>.<br \/><\/li>\n\n\n\n<li>There\u2019s <strong>no need for custom hosting<\/strong> or domain registration, and attackers benefit from <strong>Google\u2019s TLS certificates and brand reputation<\/strong>.<br \/><\/li>\n\n\n\n<li>Attackers can <strong>embed deceptive content<\/strong> (fake login screens, credential harvesting forms, misleading CTAs) under a domain that would normally pass casual user trust and even automated link validation checks.<\/li>\n<\/ul>\n\n\n\n<p>Now let\u2019s take a closer look at the key elements that make this scam so deceptive.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-the-attacker-performed-a-dkim-replay-to-spoof-google\">How the Attacker Performed a DKIM Replay to Spoof Google<\/h2>\n\n\n\n<p>This attack was a confirmed <strong>DKIM Replay Attack<\/strong>: a message that Google had genuinely signed was captured and re-sent to new recipients, so it appeared to be from <mark style=\"color:#2f9944\" class=\"has-inline-color\">no-reply@accounts.google.com<\/mark>, <strong>passed DKIM and DMARC<\/strong>, and was delivered to a <strong>Gmail inbox<\/strong>.<\/p>\n\n\n\n<p>Below is a <strong>step-by-step explanation<\/strong> of exactly what the attacker did, from start to finish \u2014 including all infrastructure involved.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-1-attacker-receives-a-legitimate-email-from-google\"><strong>Step 1: Attacker receives a legitimate email from Google<\/strong><\/h3>\n\n\n\n<p>The attacker first received a <strong>real email from Google<\/strong>, originating from <mark style=\"color:#26a134\" 
class=\"has-inline-color\">no-reply@accounts.google.com.<\/mark><\/p>\n\n\n\n<p>It included a valid DKIM signature:<\/p>\n\n\n\n<p><mark style=\"color:#25962e\" class=\"has-inline-color\">DKIM-Signature: d=accounts.google.com; s=20230601; bh=a+1bch\/&#8230;<\/mark><\/p>\n\n\n\n<p>The attacker then <strong>extracted and saved<\/strong> this exact email, including headers and body, without modifying anything signed by DKIM.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"336\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360706896-1024x336.png\" alt=\"\" class=\"wp-image-45902\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360706896-1024x336.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360706896-300x98.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360706896-768x252.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360706896-1536x504.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360706896-2048x672.png 2048w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360706896-1200x394.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360706896-1980x649.png 1980w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"161\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360730429-1024x161.png\" alt=\"\" class=\"wp-image-45905\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360730429-1024x161.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360730429-300x47.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360730429-768x121.png 768w, 
https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360730429-1536x242.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360730429-2048x323.png 2048w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360730429-1200x189.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360730429-1980x312.png 1980w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-2-attacker-prepares-to-replay-the-signed-message\"><strong>Step 2: Attacker prepares to replay the signed message<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/easydmarc.com\/blog\/glossary\/dkim\/\">DKIM (DomainKeys Identified Mail)<\/a> works by signing a chosen set of headers (those listed in the signature\u2019s <code>h=<\/code> tag) together with a hash of the body when the message is first sent. The signature is generated with the sending domain\u2019s private key and attached to the message as a <code>DKIM-Signature<\/code> header. Anything outside that set, including the SMTP envelope and the address the message is actually delivered to, is not covered by the signature.<\/p>\n\n\n\n<p>When the message is forwarded, the original DKIM signature usually <strong>remains untouched<\/strong> as long as the body and the headers covered by the signature are not modified. 
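<\/p>\n\n\n\n<p>What follows is an added example, not code from the original post or from any of the systems it names: a minimal, standard-library Python model of what a DKIM verifier actually hashes under RFC 6376 (relaxed canonicalization, the <code>bh=<\/code> body hash, and the header set named in <code>h=<\/code>), applied to a constructed stand-in for the Google notification. The sample message text, the <code>Date<\/code> values, the forwarder\u2019s <code>s=fwd<\/code> selector and the placeholder <code>b=<\/code> values are assumptions; only <code>bh=<\/code> is computed for real, and the RSA check itself is not implemented. The checks show that a forwarded copy with a new envelope, extra trace headers and a second signature yields byte-for-byte the same signed input as the original, which is why the Google signature still verifies; that any edit to the signed body breaks <code>bh=<\/code>; and, going one step beyond this section, that a signature carrying an <code>l=<\/code> body-length tag (as the forwarder\u2019s signature in Step 5 does) leaves anything appended after that length unsigned.<\/p>\n\n\n\n
```python
# Added example, not code from the EasyDMARC post: a standard-library model of what a
# DKIM verifier hashes (RFC 6376). Messages are constructed; b= values are placeholders.
import base64, hashlib, re

CRLF = '\r\n'
ORIGINAL_BODY = ('Your Google Account has been accessed by a new application.' + CRLF
                 + 'Review the request at https://example.invalid/case' + CRLF)

def split_message(raw):
    """RFC 5322 text -> ([(name, value)], body); folded header lines are rejoined."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF):
        if line[:1] in (' ', '\t') and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + CRLF + line)
        else:
            headers.append(line.partition(':')[::2])   # (name, value)
    return headers, body

def parse_tags(value):
    """DKIM-Signature tag=value list -> dict, folding whitespace removed."""
    pairs = (item.partition('=') for item in value.split(';') if '=' in item)
    return {k.strip(): re.sub(r'\s+', '', v) for k, _, v in pairs}

def relaxed_body(body, length=None):
    """Relaxed body canonicalization (RFC 6376 3.4.4), cut to l= octets if given."""
    lines = [re.sub(r'[ \t]+', ' ', ln).rstrip(' ') for ln in body.split(CRLF)]
    text = CRLF.join(lines).rstrip('\r\n')
    canon = (text + CRLF if text else '').encode()
    return canon if length is None else canon[:length]

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 3.4.2)."""
    value = re.sub(r'[ \t]+', ' ', value.replace(CRLF, '')).strip(' ')
    return name.strip().lower() + ':' + value + CRLF

def body_hash(body, length=None):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body, length)).digest()).decode()

def find_signature(headers, domain):
    for i, (name, value) in enumerate(headers):
        if name.lower() == 'dkim-signature' and parse_tags(value).get('d') == domain:
            return i
    raise ValueError('no DKIM-Signature with d=' + domain)

def body_hash_ok(raw, domain):
    """Verifier step 1: recompute bh= (honouring l=) and compare it with the tag."""
    headers, body = split_message(raw)
    tags = parse_tags(headers[find_signature(headers, domain)][1])
    return body_hash(body, int(tags['l']) if 'l' in tags else None) == tags['bh']

def signed_input(raw, domain):
    """Verifier step 2: the exact bytes b= covers (RFC 6376 3.7): each h= header, bottom-most
    unused instance first, then the signature header with b= emptied and no final CRLF.
    The SMTP envelope and any header not listed in h= never appear here."""
    headers, _ = split_message(raw)
    name, value = headers[find_signature(headers, domain)]
    out, used = '', set()
    for want in parse_tags(value)['h'].split(':'):
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].strip().lower() == want.lower():
                used.add(i)
                out += relaxed_header(*headers[i])
                break
    return out + relaxed_header(name, re.sub(r'(?<=[;\s])b=[^;]*', 'b=', value))[:-2]

def signed_message(body=ORIGINAL_BODY, length=None):
    """Constructed stand-in for the Google alert the attacker received (Step 1)."""
    l_tag = '' if length is None else ' l=%d;' % length
    return CRLF.join([
        'DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;',
        '\ts=20230601;' + l_tag + ' h=from:to:subject:date; bh=' + body_hash(body, length) + ';',
        '\tb=PLACEHOLDER_SIGNATURE',
        'From: no-reply@accounts.google.com',
        'To: me@googl-mail-smtp-out-198-142-125-38-prod.net',
        'Subject: Security alert', 'Date: Fri, 11 Apr 2025 10:00:00 +0000', '', body])

def forwarded_copy(raw):
    """The forwarding hop (Steps 5-6): new envelope, trace headers and its own l=-limited
    placeholder signature are prepended; nothing Google signed is touched."""
    return CRLF.join([
        'Return-Path: <me@googl-mail-smtp-out-198-142-125-38-prod.net>',
        'Received: from fwd-04-1.fwd.privateemail.com by mx.google.com;',
        '\tFri, 11 Apr 2025 12:00:00 +0000',
        'DKIM-Signature: v=1; a=rsa-sha256; d=fwd.privateemail.com; s=fwd; l=52331;',
        '\th=from:to; bh=PLACEHOLDER; b=PLACEHOLDER', '']) + raw

def replay_checks():
    google = 'accounts.google.com'
    original, replayed = signed_message(), forwarded_copy(signed_message())
    edited = replayed.replace('new application', 'subpoena')          # edits the signed body
    partial = signed_message(length=len(relaxed_body(ORIGINAL_BODY)))  # l= covers the body only
    appended = 'See https://example.invalid/fake-case' + CRLF           # text added after l=
    return {
        'replay_same_signed_input': signed_input(replayed, google) == signed_input(original, google),
        'replay_bh_ok': body_hash_ok(replayed, google),
        'edited_bh_ok': body_hash_ok(edited, google),
        'appended_with_l_bh_ok': body_hash_ok(partial + appended, google),
        'appended_without_l_bh_ok': body_hash_ok(original + appended, google),
    }
```
\n\n\n\n<p>The same two functions, <code>body_hash_ok<\/code> and <code>signed_input<\/code>, can be pointed at a real <code>.eml<\/code> saved from the sandbox, and the outcome for a forwarded copy is exactly what the attacker relied on. 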
Since forwarding services often preserve the original message <em>as-is<\/em> (especially in cases like aliasing or server-side forwarding), the DKIM signature remains valid and can still be verified with the public key published in the sender&#8217;s DNS record.<\/p>\n\n\n\n<p>The receiving verifier therefore records <code><mark style=\"color:#369131\" class=\"has-inline-color\">dkim=pass<\/mark><\/code> for the replayed copy, exactly as it would for the original.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-3-attacker-sends-the-email-from-outlook\"><strong>Step 3: Attacker sends the email from Outlook<\/strong><\/h3>\n\n\n\n<p>The attacker used an Outlook account (<mark style=\"color:#40b130\" class=\"has-inline-color\">x186997@outlook.com<\/mark>) to re-send the captured message.<\/p>\n\n\n\n<p>Outbound hop:<\/p>\n\n\n\n<p><em>Server:<\/em> <mark style=\"color:#29b843\" class=\"has-inline-color\">LO3P265CU004.outbound.protection.outlook.com<\/mark><br \/><em>IP:<\/em> <mark style=\"color:#29b239\" class=\"has-inline-color\">40.93.67.3<\/mark><\/p>\n\n\n\n<p><strong>In another example<\/strong>, the origin of the email is <strong>Google&#8217;s notification service<\/strong>. That email flow is described in the attack reproduction section at the end of this article.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-4-message-is-relayed-through-jellyfish-smtp\"><strong>Step 4: Message is relayed through Jellyfish SMTP<\/strong><\/h3>\n\n\n\n<p>Microsoft then hands the message over to a custom SMTP service:<\/p>\n\n\n\n<p><em>Relay:<\/em> <mark style=\"color:#26b84b\" class=\"has-inline-color\">asp-relay-pe.jellyfish.systems<\/mark><br \/><em>IP:<\/em> <mark style=\"color:#26bc2d\" class=\"has-inline-color\">162.255.118.7<\/mark><\/p>\n\n\n\n<p>This system acts as a <strong>middle relay<\/strong>, distancing the spoof even further from Google. 
It\u2019s not affiliated with Namecheap or PrivateEmail.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-5-message-forwarded-via-namecheap-s-privateemail\"><strong>Step 5: Message forwarded via Namecheap\u2019s PrivateEmail<\/strong><\/h3>\n\n\n\n<p>The message is then received by Namecheap\u2019s mail infrastructure (PrivateEmail), which provides mail forwarding:<\/p>\n\n\n\n<p>Systems involved:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"color:#28b225\" class=\"has-inline-color\">mta-02.privateemail.com<\/mark><\/li>\n\n\n\n<li><mark style=\"color:#30b82d\" class=\"has-inline-color\">DIR-08<\/mark><\/li>\n\n\n\n<li><mark style=\"color:#3ab329\" class=\"has-inline-color\">fwd-04.fwd.privateemail.com<\/mark><\/li>\n\n\n\n<li><mark style=\"color:#37bd23\" class=\"has-inline-color\">fwd-04-1.fwd.privateemail.com<\/mark><br \/><\/li>\n<\/ul>\n\n\n\n<p>During this phase:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The forwarder adds its own DKIM signature: <mark style=\"color:#24c336\" class=\"has-inline-color\">DKIM-Signature: d=fwd.privateemail.com; l=52331;<\/mark><\/li>\n\n\n\n<li>The <code>l=52331<\/code> tag means this signature covers only the first 52,331 bytes of the canonicalized body; anything appended beyond that is <strong>not signed<\/strong>. Either way, its <code>d=<\/code> domain is <strong>not aligned<\/strong> with the From: domain, so it is <strong>not used for DMARC<\/strong>.<\/li>\n\n\n\n<li>SPF passes because the forwarder rewrote the Return-Path to its own domain, but that domain is <strong>also not aligned<\/strong> with the From: domain.<br \/><\/li>\n<\/ul>\n\n\n\n<p>However, since the original Google signature (<code>d=accounts.google.com<\/code>) is untouched and its domain matches the From: domain, <strong>DMARC still passes<\/strong>: a single aligned, passing identifier is all DMARC requires.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-6-final-delivery-to-gmail\"><strong>Step 6: Final delivery to Gmail<\/strong><\/h3>\n\n\n\n<p>Final delivery is handled by:<\/p>\n\n\n\n<p><em>Sender:<\/em> <mark style=\"color:#28b52e\" class=\"has-inline-color\">fwd-04-1.fwd.privateemail.com (66.29.159.58)<\/mark><br \/><em>Recipient <\/em><mark style=\"color:#2db02a\" class=\"has-inline-color\"><em>MX:<\/em> mx.google.com<\/mark><\/p>\n\n\n\n<p>At this point, the email reaches the 
victim\u2019s inbox <strong>looking like a valid message from Google<\/strong>, and all authentication checks show as passing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"color:#37b625\" class=\"has-inline-color\">SPF=pass<\/mark> (via forwarder)<\/li>\n\n\n\n<li><mark style=\"color:#26aa27\" class=\"has-inline-color\">DKIM=pass<\/mark> (from Google)<\/li>\n\n\n\n<li><mark style=\"color:#2bb12c\" class=\"has-inline-color\">DMARC=pass<\/mark> (based on aligned DKIM)<\/li>\n<\/ul>\n\n\n\n<p>Final SMTP Hop Breakdown:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"195\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360849043-1024x195.png\" alt=\"\" class=\"wp-image-45908\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360849043-1024x195.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360849043-300x57.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360849043-768x146.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360849043-1536x292.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360849043-2048x389.png 2048w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360849043-1200x228.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/1744360849043-1980x376.png 1980w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-when-a-fake-subpoena-becomes-an-attack-vector\">When a Fake Subpoena Becomes an Attack Vector<\/h2>\n\n\n\n<p>Fake subpoena emails are especially dangerous because they trigger fear, urgency, and confusion. 
Most people don\u2019t know precisely how subpoenas work, so when an email looks official and mentions legal action, it\u2019s easy to panic and click without thinking.<\/p>\n\n\n\n<p>To clarify, a subpoena is typically issued by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A court<\/li>\n\n\n\n<li>A lawyer (in civil cases)<\/li>\n\n\n\n<li>A government agency (in administrative cases)<\/li>\n<\/ul>\n\n\n\n<p>A subpoena can require someone to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Appear in court<\/li>\n\n\n\n<li>Provide documents or evidence<\/li>\n\n\n\n<li>Testify at a deposition or trial<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-serving-a-subpoena\">Serving a Subpoena<\/h3>\n\n\n\n<p>The subpoena must be <strong>formally served<\/strong> to the person or entity. Common methods include:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-personal-service-most-common-and-preferred\">Personal Service (most common and preferred)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A process server or law enforcement officer physically hands the subpoena to the individual.<\/li>\n\n\n\n<li>Required in most cases to ensure proper delivery and acknowledgment.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-mail-or-email-only-in-some-cases\">Mail or Email (only in some cases)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some jurisdictions or situations (especially civil subpoenas) allow service by certified mail or email, <strong>but only with prior consent or court approval<\/strong>. In such cases, the subpoena should be delivered in an encrypted way using the company&#8217;s official email address. 
It\u2019s never delivered through third-party platforms.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-a-registered-agent-for-companies\">A Registered Agent (for companies)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the subpoena is for a business, it&#8217;s often served to their <strong>registered agent<\/strong> (a person or service officially designated to receive legal documents on the company\u2019s behalf).<\/li>\n<\/ul>\n\n\n\n<p>Knowing how real subpoenas are issued and delivered can help you spot red flags. Phishing threats are evolving, no longer marked by broken English and sketchy URLs. Today\u2019s attacks often come cloaked in legitimacy, sometimes even using platforms like <strong>Google Sites<\/strong> to mimic real support cases. As we saw in this real-world example, even the most tech-savvy users can be caught off guard.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-takeaway\">The Takeaway?<\/h2>\n\n\n\n<p>Always question unexpected emails, especially those urging urgent action or containing links to login pages. Just because something looks like it comes from Google (or any other trusted source) doesn\u2019t mean it\u2019s safe.<\/p>\n\n\n\n<p><strong>When in doubt,<\/strong> <strong>don\u2019t click, don\u2019t reply, and don\u2019t engage.<\/strong> Escalate to your security team or a professional who can handle the investigation in a secure, sandboxed environment.<\/p>\n\n\n\n<p>I&#8217;m interested in seeing more real-life examples. 
Do you have any notable cases to share?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-we-have-an-update-reproducing-the-attack\">We Have an Update: Reproducing the Attack<\/h2>\n\n\n\n<p>We dug deeper and reproduced the attack end to end:<\/p>\n\n\n\n<p>In the first step, the attacker registered a domain via <strong>Namecheap<\/strong>. We observed the attack originating from the following domains, which have since been taken down:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>googl-mail-smtp-out-198-142-125-38-prod.net<\/code><\/li>\n\n\n\n<li><code>wd-00000000000097d33d0631f6fe58-goog-ssl.com<\/code><\/li>\n<\/ul>\n\n\n\n<p>In the second step, the attacker registered a free PrivateEmail mailbox through Namecheap on that domain:<br \/><em>me@<code>googl-mail-smtp-out-198-142-125-38-prod.net<\/code><\/em><\/p>\n\n\n\n<p>In the third step, they signed up for a Google Workspace account (free trial) and verified the domain via a DNS TXT record. The domain must be verified with Google before the following steps are possible.<\/p>\n\n\n\n<p>In the next step, they created a Google OAuth app and granted it access to that account. 
<\/p>\n\n\n\n<p>Here&#8217;s the twist: Google sends the alert or notification to the privately registered email address, where the domain is verified but uses different MX records than Google&#8217;s (specifically, Namecheap PrivateEmail).<\/p>\n\n\n\n<p>Most importantly, the key trick is that the App Name field in Google accepts arbitrary text:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"982\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.05.38\u202fPM-1024x982.png\" alt=\"\" class=\"wp-image-46043\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.05.38\u202fPM-1024x982.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.05.38\u202fPM-300x288.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.05.38\u202fPM-768x737.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.05.38\u202fPM.png 1080w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The alert goes directly to the Namecheap mailbox, which has some very interesting &#8220;capabilities&#8221;.<\/p>\n\n\n\n<p>Its mail rules let you set a Google no-reply account as the From address, while the reply address can be anything:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"783\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.33.08\u202fPM-1024x783.png\" alt=\"\" class=\"wp-image-46050\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.33.08\u202fPM-1024x783.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.33.08\u202fPM-300x229.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.33.08\u202fPM-768x587.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.33.08\u202fPM-1536x1175.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.33.08\u202fPM-1200x918.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.33.08\u202fPM-1980x1514.png 1980w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.33.08\u202fPM.png 2006w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The forwarding rule then directs the email to the desired addresses:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"839\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.34.32\u202fPM-1024x839.png\" alt=\"\" class=\"wp-image-46053\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.34.32\u202fPM-1024x839.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.34.32\u202fPM-300x246.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.34.32\u202fPM-768x629.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.34.32\u202fPM-1536x1258.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.34.32\u202fPM-1200x983.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.34.32\u202fPM.png 1646w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The forwarding is clearly visible in the Resent-From and Redirected-From headers:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"171\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Untitled-design-1024x171.png\" alt=\"\" class=\"wp-image-46310\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Untitled-design-1024x171.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Untitled-design-300x50.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Untitled-design-768x128.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Untitled-design-1200x201.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Untitled-design.png 1412w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Here is the result:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"814\" height=\"210\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.44.54\u202fPM.png\" alt=\"\" class=\"wp-image-46059\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.44.54\u202fPM.png 814w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.44.54\u202fPM-300x77.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-16-at-10.44.54\u202fPM-768x198.png 768w\" sizes=\"(max-width: 814px) 100vw, 814px\" \/><\/figure>\n\n\n\n<p>The other details have already been described above.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-frequently-asked-questions\">Frequently Asked Questions<\/h2>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>What is a DKIM replay attack?<\/strong><\/summary>\n<p>A DKIM replay attack is when an attacker captures a legitimate email with a valid DKIM signature and re-sends (replays) it to new victims. 
Since the body and signed headers remain unmodified, the DKIM signature still validates, making the spoofed email appear authentic.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>Can SPF or DMARC prevent DKIM replay attacks?<\/strong><\/summary>\n<p>Not reliably.<br \/><br \/>1. <strong>SPF<\/strong> validates the <em>MAIL FROM<\/em> domain and sending IP, which often won&#8217;t align during a replay.<br \/><br \/>2. <strong>DMARC<\/strong> relies on alignment between SPF or DKIM and the <em>Header From<\/em>. If DKIM is aligned (as in this case, google.com) and still valid, DMARC can pass, even though the message is replayed from an attacker\u2019s server.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>Why are DKIM replay attacks hard to detect?<\/strong><\/summary>\n<p>DKIM replay attacks are hard to detect because the message appears unmodified, with a valid DKIM signature and even a DMARC pass.<\/p>\n\n\n\n<p>If you rely on the email body or DKIM signature verification, you may not see anything suspicious. 
The attack relies on trust in previously signed content, not on breaking cryptography.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>How did the attacker bypass detection using Google OAuth?<\/strong><\/summary>\n<p>The attacker created a&nbsp;<strong>malicious Google OAuth app<\/strong>, naming it something like \u201cGoogle Support.\u201d<\/p>\n\n\n\n<p>They inserted phishing content and links into the&nbsp;<strong>App Information<\/strong>, pointing to a manually cloned Google support page hosted on&nbsp;<mark>sites.google.com<\/mark>.<\/p>\n\n\n\n<p>Google generated a valid security alert from&nbsp;<mark>no-reply@accounts.google.com<\/mark>&nbsp;when access was granted, which the attacker then&nbsp;<strong>forwarded to the victim<\/strong>.<\/p>\n\n\n\n<p>The forwarded email looked like it came from Google and passed DKIM\/DMARC, giving it credibility.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>What are the most effective ways to be cautious and reduce the risk of DKIM replay attacks?<\/strong><\/summary>\n<p><strong>Rotate DKIM Keys Frequently<\/strong><br \/><br \/>Changing your DKIM keys regularly reduces the time window attackers have to abuse a captured signed message. Set your rotation cycle to 30 days or less for high-risk domains.<\/p>\n\n\n\n<p><strong>Raise User Awareness<\/strong><br \/><br \/>Users play a critical role in detecting suspicious activity:<\/p>\n\n\n\n<p>1. Encourage caution when clicking on links, even if the sender looks familiar.<br \/>2. Remind users to check URLs carefully before entering any credentials.<br \/>3. Share examples of phishing tactics like urgent language, fake legal notices, or account alerts.<br \/>4. Promote a culture of reporting. 
If something feels off, it\u2019s always worth flagging.<\/p>\n<\/details>\n","protected":false},"excerpt":{"rendered":"<p>This morning started with a call from a &#8230;<\/p>\n","protected":false},"author":39,"featured_media":46316,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[204,203],"tags":[],"class_list":["post-45878","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-email-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Google Spoofed Via DKIM Replay Attack | EasyDMARC<\/title>\n<meta name=\"description\" content=\"Learn how a Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena in this real-world phishing case.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Google Spoofed Via DKIM Replay Attack: A Technical Breakdown\" \/>\n<meta property=\"og:description\" content=\"Learn how a Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena in this real-world phishing case.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/\" \/>\n<meta property=\"og:site_name\" content=\"EasyDMARC\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/EasyDMARC\/\" \/>\n<meta 
property=\"article:published_time\" content=\"2025-04-11T11:57:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-29T14:06:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/DKIM-Replay-Phishing-Attack-1-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1440\" \/>\n\t<meta property=\"og:image:height\" content=\"910\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Gerasim Hovhannisyan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@easydmarc\" \/>\n<meta name=\"twitter:site\" content=\"@easydmarc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Gerasim Hovhannisyan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/\"},\"author\":{\"name\":\"Gerasim Hovhannisyan\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#\\\/schema\\\/person\\\/10c001ad8a8cd372f8a7328ab6c57adb\"},\"headline\":\"Google Spoofed Via DKIM Replay Attack: A Technical 
Breakdown\",\"datePublished\":\"2025-04-11T11:57:32+00:00\",\"dateModified\":\"2025-08-29T14:06:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/\"},\"wordCount\":2254,\"publisher\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/DKIM-Replay-Phishing-Attack-1-1.jpg\",\"articleSection\":[\"Blog\",\"Email Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/\",\"name\":\"Google Spoofed Via DKIM Replay Attack | EasyDMARC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/DKIM-Replay-Phishing-Attack-1-1.jpg\",\"datePublished\":\"2025-04-11T11:57:32+00:00\",\"dateModified\":\"2025-08-29T14:06:51+00:00\",\"description\":\"Learn how a Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena in this real-world phishing 
case.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/#primaryimage\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/DKIM-Replay-Phishing-Attack-1-1.jpg\",\"contentUrl\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/DKIM-Replay-Phishing-Attack-1-1.jpg\",\"width\":1440,\"height\":910,\"caption\":\"image showing a fake Google subpoena phishing email\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/easydmarc.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/category\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Email Security\",\"item\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/category\\\/blog\\\/email-security\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Google Spoofed Via DKIM Replay Attack: A Technical 
Breakdown\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/\",\"name\":\"EasyDMARC\",\"description\":\"Blog\",\"publisher\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/#organization\",\"name\":\"EasyDMARC\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/img\\\/logo.png\"},\"image\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/EasyDMARC\\\/\",\"https:\\\/\\\/x.com\\\/easydmarc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/easydmarc\\\/mycompany\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#\\\/schema\\\/person\\\/10c001ad8a8cd372f8a7328ab6c57adb\",\"name\":\"Gerasim Hovhannisyan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/416206c6414da3241ca18f34192085fd8fd01498df7dc654672a398234e13afe?s=96&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/416206c6414da3241ca18f34192085fd8fd01498df7dc654672a398234e13afe?s=96&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/416206c6414da3241ca18f34192085fd8fd01498df7dc654672a398234e13afe?s=96&r=g\",\"caption\":\"Gerasim Hovhannisyan\"},\"sameAs\":[\"https:\\\/\\\/easydmarc.com\\\/\"],\"url\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/author\\\/gerasim\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Google Spoofed Via DKIM Replay Attack | EasyDMARC","description":"Learn how a Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena in this real-world phishing case.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/","og_locale":"en_US","og_type":"article","og_title":"Google Spoofed Via DKIM Replay Attack: A Technical Breakdown","og_description":"Learn how a Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena in this real-world phishing case.","og_url":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/","og_site_name":"EasyDMARC","article_publisher":"https:\/\/www.facebook.com\/EasyDMARC\/","article_published_time":"2025-04-11T11:57:32+00:00","article_modified_time":"2025-08-29T14:06:51+00:00","og_image":[{"width":1440,"height":910,"url":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/DKIM-Replay-Phishing-Attack-1-1.jpg","type":"image\/jpeg"}],"author":"Gerasim Hovhannisyan","twitter_card":"summary_large_image","twitter_creator":"@easydmarc","twitter_site":"@easydmarc","twitter_misc":{"Written by":"Gerasim Hovhannisyan","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/#article","isPartOf":{"@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/"},"author":{"name":"Gerasim Hovhannisyan","@id":"https:\/\/easydmarc.com\/blog\/#\/schema\/person\/10c001ad8a8cd372f8a7328ab6c57adb"},"headline":"Google Spoofed Via DKIM Replay Attack: A Technical Breakdown","datePublished":"2025-04-11T11:57:32+00:00","dateModified":"2025-08-29T14:06:51+00:00","mainEntityOfPage":{"@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/"},"wordCount":2254,"publisher":{"@id":"https:\/\/easydmarc.com\/blog\/#organization"},"image":{"@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/#primaryimage"},"thumbnailUrl":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/DKIM-Replay-Phishing-Attack-1-1.jpg","articleSection":["Blog","Email Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/","url":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/","name":"Google Spoofed Via DKIM Replay Attack | 
EasyDMARC","isPartOf":{"@id":"https:\/\/easydmarc.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/#primaryimage"},"image":{"@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/#primaryimage"},"thumbnailUrl":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/DKIM-Replay-Phishing-Attack-1-1.jpg","datePublished":"2025-04-11T11:57:32+00:00","dateModified":"2025-08-29T14:06:51+00:00","description":"Learn how a Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena in this real-world phishing case.","breadcrumb":{"@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/#primaryimage","url":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/DKIM-Replay-Phishing-Attack-1-1.jpg","contentUrl":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/DKIM-Replay-Phishing-Attack-1-1.jpg","width":1440,"height":910,"caption":"image showing a fake Google subpoena phishing email"},{"@type":"BreadcrumbList","@id":"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/easydmarc.com\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/easydmarc.com\/blog\/category\/blog\/"},{"@type":"ListItem","position":3,"name":"Email Security","item":"https:\/\/easydmarc.com\/blog\/category\/blog\/email-security\/"},{"@type":"ListItem","position":4,"name":"Google Spoofed Via 
DKIM Replay Attack: A Technical Breakdown"}]},{"@type":"WebSite","@id":"https:\/\/easydmarc.com\/blog\/#website","url":"https:\/\/easydmarc.com\/blog\/","name":"EasyDMARC","description":"Blog","publisher":{"@id":"https:\/\/easydmarc.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/easydmarc.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/easydmarc.com\/#organization","name":"EasyDMARC","url":"https:\/\/easydmarc.com\/","logo":{"@type":"ImageObject","url":"https:\/\/easydmarc.com\/img\/logo.png"},"image":{"@id":"https:\/\/easydmarc.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/EasyDMARC\/","https:\/\/x.com\/easydmarc","https:\/\/www.linkedin.com\/company\/easydmarc\/mycompany\/"]},{"@type":"Person","@id":"https:\/\/easydmarc.com\/blog\/#\/schema\/person\/10c001ad8a8cd372f8a7328ab6c57adb","name":"Gerasim Hovhannisyan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/416206c6414da3241ca18f34192085fd8fd01498df7dc654672a398234e13afe?s=96&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/416206c6414da3241ca18f34192085fd8fd01498df7dc654672a398234e13afe?s=96&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/416206c6414da3241ca18f34192085fd8fd01498df7dc654672a398234e13afe?s=96&r=g","caption":"Gerasim 
Hovhannisyan"},"sameAs":["https:\/\/easydmarc.com\/"],"url":"https:\/\/easydmarc.com\/blog\/author\/gerasim\/"}]}},"jetpack_featured_media_url":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/04\/DKIM-Replay-Phishing-Attack-1-1.jpg","_links":{"self":[{"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/posts\/45878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/comments?post=45878"}],"version-history":[{"count":35,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/posts\/45878\/revisions"}],"predecessor-version":[{"id":51751,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/posts\/45878\/revisions\/51751"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/media\/46316"}],"wp:attachment":[{"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/media?parent=45878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/categories?post=45878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/tags?post=45878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}