Beginning

When checking my email recently, I noticed something unusual in my Gmail inbox. Having participated in various CTF competitions and security research projects, I immediately recognized the telltale signs of a phishing attempt - but with an intriguing twist that warranted deeper investigation.

The Initial Red Flags

What initially caught my attention was that the email appeared to come from "googlemail.com" - a legitimate Google domain that typically handles bounce messages and delivery status notifications. However, I hadn't sent any emails that would warrant such a notification, making its appearance highly suspicious.

The email presented itself as a standard "Delivery Status Notification (Failure)" message, something we've all seen when an email fails to deliver. But in this case, I never initiated any communication that would trigger such a response.

Digging Deeper: Header Analysis

Upon examining the email headers, I discovered several concerning anomalies:

The Deception Mechanism

This attack demonstrates a sophisticated understanding of email authentication systems. The attackers appear to have:

  1. Sent an email to a non-existent Google address ([email protected]) while spoofing my email as the sender
  2. Leveraged Google's legitimate mail delivery notification system to generate a bounce message
  3. Used this legitimate Google-generated message (which naturally passes authentication checks) as a vehicle to deliver their malicious content

Why This Attack Is Concerning

What makes this phishing attempt particularly dangerous is that it piggybacks on Google's legitimate mail infrastructure. The message comes from an actual Google domain with valid DKIM signatures, making traditional anti-phishing advice like "check the sender domain" less effective.
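The practical consequence of the three-step mechanism above is that the outer message is genuine and will pass SPF/DKIM/DMARC, so the only thing left to check is the copy of the "original" that the bounce quotes: did our MTA actually send it? The following is an added example, not code from the original post, that parses a DSN with Python's standard `email` library and flags bounces for mail we never sent. `OUR_DOMAIN`, the sent-mail log `SENT_MESSAGE_IDS` and both sample bounces are constructed for the example; the DKIM `d=` tag is read but not cryptographically verified here.

```python
"""Added example: flag bounce (DSN) messages that quote mail we never sent.

A forged bounce is generated and delivered by a legitimate MTA, so checks on
the outer message (sender domain, DKIM) pass. What can still be checked is
the inner message the bounce quotes: its Message-ID against our sent-mail
log and whether it carries a DKIM signature from our domain.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

OUR_DOMAIN = "example.com"                      # assumption: the domain we send from
SENT_MESSAGE_IDS = {"<real-001@example.com>"}   # constructed sent-mail log

# Constructed DSN skeleton in the shape bounce messages use: multipart/report
# with a message/delivery-status part and a message/rfc822 copy of the original.
DSN_TEMPLATE = """\
Return-Path: <>
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: me@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your message could not be delivered to nobody@example.net.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

From: me@example.com
To: nobody@example.net
Subject: Monday agenda
Message-ID: {message_id}
{dkim}

{body}

--b1--
"""


def make_dsn(message_id: str, dkim_header: str, body: str) -> bytes:
    """Build a constructed sample bounce around a quoted original message."""
    return DSN_TEMPLATE.format(message_id=message_id, dkim=dkim_header, body=body).encode()


def dkim_signing_domain(orig: EmailMessage) -> Optional[str]:
    """Return the d= tag of the quoted message's DKIM-Signature, if present.
    Not a signature verification: it only says which domain claimed the copy."""
    sig = orig.get("DKIM-Signature")
    if sig is None:
        return None
    for tag in str(sig).split(";"):
        key, _, value = tag.strip().partition("=")
        if key == "d":
            return value.strip().lower()
    return None


def assess_bounce(raw: bytes) -> dict:
    """Classify a raw message as not-a-bounce, legitimate, backscatter or unverifiable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"is_dsn": False, "verdict": "not-a-bounce", "failed_recipients": [], "reasons": []}
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "delivery-status"):
        return report
    report["is_dsn"] = True
    orig = None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Each blank-line-separated header block is parsed as its own message.
            for block in part.get_payload():
                if block.get("Final-Recipient"):
                    addr = str(block["Final-Recipient"]).split(";", 1)[-1].strip()
                    report["failed_recipients"].append(addr)
        elif ctype == "message/rfc822" and orig is None:
            orig = part.get_payload(0)          # the quoted "original" message
    if orig is None:
        report["verdict"] = "unverifiable"
        report["reasons"].append("bounce quotes no original message")
        return report
    reasons = report["reasons"]
    mid = str(orig.get("Message-ID", "")).strip()
    if mid not in SENT_MESSAGE_IDS:
        reasons.append(f"Message-ID {mid or '(none)'} is not in our sent log")
    if dkim_signing_domain(orig) != OUR_DOMAIN:
        reasons.append(f"quoted original carries no DKIM signature for {OUR_DOMAIN}")
    sender_domain = parseaddr(str(orig.get("From", "")))[1].rpartition("@")[2].lower()
    if sender_domain != OUR_DOMAIN:
        reasons.append(f"quoted original is from {sender_domain!r}, not our domain")
    report["verdict"] = "backscatter" if reasons else "legitimate"
    return report


# Constructed samples: a bounce for mail we really sent, and one for a forged message.
LEGIT_DSN = make_dsn("<real-001@example.com>",
                     "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; bh=CONSTRUCTED; b=CONSTRUCTED",
                     "Hi, attached is the agenda for Monday.")
FORGED_DSN = make_dsn("<8f2a@unknown.invalid>", "",
                      "Your mailbox is full. Complete the attached form to keep receiving mail.")

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGIT_DSN), ("forged", FORGED_DSN)):
        r = assess_bounce(raw)
        print(name, r["verdict"], r["failed_recipients"], r["reasons"])
```

In a real deployment the sent-mail log lookup would query the outbound MTA's logs rather than a set, and the DKIM `d=` check should be backed by actual signature verification; the structure of the check stays the same: trust nothing about the bounce's outer envelope, and verify only the quoted inner message.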