oliwarner 5 days ago

We're a bit light on detail here but it's worrying that it's 2025 and Google isn't flagging "looks like" @google.com messages.

I'm assuming this is a dirty unicode hack and not something worse: no DKIM or an actually compromised sender.

The whole thing stinks.

rs186 4 days ago | parent | next

I never considered Unicode domain names a good idea. Looking at it today, it appears that the only people who use Unicode in domains are scammers and criminals.

Thanks ICANN!

carodgers 4 days ago | parent | prev

I can't believe he omitted that detail. How did they appear to send an email from a google domain? This is especially puzzling given that he says he works in security.

iLoveOncall 4 days ago | parent

Looks like the attacker set "legal@google.com" as the expeditor name, so that's what showed on the author's phone. That's it.

oliwarner 4 days ago | parent | next

Which should trigger every automated alarm bell, as well as SPF/DKIM checks. Which is where this falls apart slightly, because in my experience Gmail is pretty alert about flagging basic things like this.

The headers uploaded are the report email being sent to Google, not the original incoming email. We still don't know how this was spoofed.
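The display-name trick described in the comments above (an e-mail address placed in the sender's display name), the Unicode-domain point raised earlier in the thread, and the SPF/DKIM check mentioned here, as one added example. This is not code from the article, from any commenter, or from Gmail's own filtering. It splits a From: value into display name and real address, flags an address embedded in the display name whose domain differs from the real address, flags non-ASCII, punycode and mixed-script domain labels, and checks relaxed DMARC alignment against a constructed Authentication-Results line. All function names (split_from, domain_findings, dmarc_aligned, triage) and all sample headers are assumptions constructed for this example; the two header parsers are deliberately simplified, not full RFC 5322 / RFC 8601 parsers.

```python
import re
import unicodedata

# Added example. Hypothetical helper names and constructed sample headers;
# nothing below is taken from the article's message or from Gmail's filters.

# Simplified From: parser: optional quoted or bare display name, then <addr>.
# Not a full RFC 5322 parser; enough for the header shapes discussed in the thread.
FROM_RE = re.compile(r'^\s*(?:"(?P<qname>[^"]*)"|(?P<name>[^<]*?))\s*<(?P<addr>[^>]+)>\s*$')
# Anything that looks like an e-mail address inside free text (Unicode-aware \w).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[^\W\d_]{2,}")
# dkim=/spf= results with the identifier they were evaluated against.
# Constructed Authentication-Results shape, not a full RFC 8601 parser.
AUTH_RE = re.compile(r"\b(dkim|spf)=(\w+)[^;]*?\b(?:header\.d|smtp\.mailfrom)=([^\s;]+)")


def split_from(value):
    """Return (display_name, address) for a From: header value."""
    m = FROM_RE.match(value)
    if not m:                                  # bare addr-spec, no display name
        return "", value.strip().lower()
    name = m.group("qname") if m.group("qname") is not None else m.group("name")
    return name.strip(), m.group("addr").strip().lower()


def domain_of(ident):
    """Domain part of an address, or the identifier itself if it has no '@'."""
    return ident.rsplit("@", 1)[-1].lower()


def scripts_in(label):
    """Unicode scripts (first word of the character name) of the letters in a label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN UNKNOWN").split()[0])
    return scripts


def domain_findings(domain):
    """IDN signals: raw non-ASCII labels, punycode labels, and mixed-script labels."""
    findings = []
    if not domain.isascii():
        findings.append("non-ascii-domain")
    if any(label.startswith("xn--") for label in domain.split(".")):
        findings.append("punycode-domain")
    try:                                       # show the domain as a user would see it
        shown = domain.encode("ascii").decode("idna") if domain.isascii() else domain
    except UnicodeError:
        shown = domain
    for label in shown.split("."):
        if len(scripts_in(label)) > 1:
            findings.append("mixed-script-label:" + label)
    return findings


def from_findings(header_value):
    """Display-name tricks: an address embedded in the name whose domain differs
    from the real address, plus the domain checks on the real address."""
    name, addr = split_from(header_value)
    real_domain = domain_of(addr)
    findings = []
    for embedded in EMAIL_RE.findall(name):
        if domain_of(embedded) != real_domain:
            findings.append(f"display-name-address-mismatch:{embedded}!={addr}")
    findings.extend(domain_findings(real_domain))
    return findings


def dmarc_aligned(auth_results, from_domain):
    """Relaxed DMARC alignment: some passing DKIM d= or SPF MAIL FROM domain equals,
    or is a subdomain of, the From: domain. A plain display-name spoof survives
    this: SPF/DKIM pass for the attacker's own domain, which is aligned."""
    from_domain = from_domain.lower()
    for _mech, result, ident in AUTH_RE.findall(auth_results):
        d = domain_of(ident)
        if result.lower() == "pass" and (d == from_domain or d.endswith("." + from_domain)):
            return True
    return False


def triage(headers):
    """Combine the From: checks with authentication alignment for one message."""
    from_value = headers.get("From", "")
    _name, addr = split_from(from_value)
    from_domain = domain_of(addr)
    findings = from_findings(from_value)
    aligned = dmarc_aligned(headers.get("Authentication-Results", ""), from_domain)
    if not aligned:
        findings.append("no-aligned-dkim-or-spf-pass")
    return {"address": addr, "from_domain": from_domain, "aligned": aligned,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample headers (not the article's). HOMOGRAPH uses two Cyrillic
# small o (U+043E) in place of Latin o, a classic homograph domain.
HOMOGRAPH = "g\u043e\u043egle.com"
SAMPLES = {
    "legit": {
        "From": "Google <legal@google.com>",
        "Authentication-Results": "mx.example; dkim=pass header.d=google.com header.s=s1; "
                                  "spf=pass smtp.mailfrom=legal@google.com",
    },
    "display_name_spoof": {   # the trick from the thread: the address sits in the name
        "From": '"legal@google.com" <support@mail-notify.example>',
        "Authentication-Results": "mx.example; dkim=pass header.d=mail-notify.example; "
                                  "spf=pass smtp.mailfrom=bounce@mail-notify.example",
    },
    "homograph": {
        "From": f"Google <legal@{HOMOGRAPH}>",
        "Authentication-Results": f"mx.example; dkim=none; spf=fail smtp.mailfrom=legal@{HOMOGRAPH}",
    },
    "punycode": {             # the same domain as it travels on the wire
        "From": "Google <legal@" + HOMOGRAPH.encode("idna").decode("ascii") + ">",
        "Authentication-Results": "mx.example; dkim=none; spf=none",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        verdict = triage(hdrs)
        print(f"{label:20s} suspicious={verdict['suspicious']} {verdict['findings']}")
```

Note what the display_name_spoof sample shows: SPF and DKIM both pass and are aligned, because the attacker sends from a domain they control; nothing in authentication objects. The only signal is that the display name contains an address whose domain is not the real sender's domain, which is the check a receiving filter has to make explicitly. The homograph and punycode samples are the same domain in its two representations, and the mixed-script check fires on both once the punycode is decoded.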

karakot 4 days ago | parent | prev | next

I just put it into the subject and that's how it looks in my inbox:

https://imgur.com/a/Ki2cciH

Minimal effort, won't pass any scrutiny, but someone panicking might miss it.

Thanks OP for the thread, very enlightening.

oliwarner 4 days ago | parent

The screenshot in TFA shows the subject was "Recent Case Status" and the sender was Google <legal@google.com>. This wasn't as simple as a dodgy subject.

I wonder how many people would fall for that though.

cpncrunch 4 days ago | parent | prev

What exactly is "expeditor name"?