Update: Republished on April 25 with a new threat to Microsoft accounts and further advice on new attack techniques and how users can ensure their accounts are secure.

Google has confirmed a new Gmail update, but with a warning for 3 billion users. Take heed, because this is how you keep your email account. If you fail to follow this advice, you could lose access to your account and all your content. If you do lose your Gmail account, you will have only a limited window to get it back. There are no guarantees, though, and the damage that can be done in the interim is huge.

Google is rightly frustrated. The latest attack on a Gmail user, which has somehow become a major threat despite it happening to a small number of users, is distracting attention from its much more important warning. The danger is that the advice is drowned out by the noise as countless articles delve into how a fake email was sent in such a way that it appeared to come from Google itself.

The optics of millions of users now scrutinizing every automated Google email are painful. So first the basics. No, you are not about to receive a flood of fake emails from no-reply@google.com or any other authenticated Google email address. Such attacks are targeted and very rare. That’s why they generate so many headlines in the first place.


You will receive a flood of malicious phishing emails though, despite Google’s assurance that its defenses now filter out 99% of these. And you do need to change your account settings to ensure you add a passkey and that you don’t rely on SMS two-factor authentication. This is being phased out, but you should move faster and change today.

More importantly, these sophisticated attacks on Gmail users that pretend to be from Google all rely on two false premises: that Google’s support staff may reach out to you by email, phone or message; and if you ever do receive an email or message relating to an account issue, that Google may “ask for any of your account credentials — including your password, one-time passwords [or] confirm push notifications.” The same is true of the company sending links to pages where you enter your credentials — it will not.

Last time there was this furor over a similar attack, Google asked me to “reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues.” And it has reissued that warning in the wake of this latest attack. But the danger is that this simple advice is drowned out by the technicalities of OAuth and DKIM (DomainKeys Identified Mail) checks used to authenticate senders, including Google itself.

None of this takes anything away from the awkward optics of this latest attack or Google’s exposed vulnerabilities — albeit these have been patched just as others were patched in January, when a similarly sophisticated hack made headlines. At that time, Google said it was “hardening our defenses” to stop a repeat, just as now it’s telling users “we have rolled out protections to shut down this avenue for abuse.”


Clearly as one door shuts, attackers will find another. And so it’s even more critical that all Gmail users go back to basics. Set up a passkey and a stronger form of 2FA than SMS, given you still need a password as backup access for your account. And remember, any proactive support contact from Google (or Microsoft or Apple or Samsung or any other big tech company) is a scam. If you have any doubt, hang up the call or ignore the emails and reach out to the company using normal, publicly available channels.

And that advice isn’t specific to your Google and Gmail accounts. A new report from Volexity has just warned that “recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.”

The security firm says it has been tracking the attacks since month, and attributes them to “multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights.” The hackers lure victims by “impersonating officials from various European nations,” rather than big tech support desks.

In this instance, an attacker “contacts the victim via a messaging application (Signal, WhatsApp) and invites them to join a video call to discuss the conflict in Ukraine. Once the victim has responded, the attacker sends an OAuth phishing URL that they claim is required to join the video call. The victim is asked to return the Microsoft-generated OAuth code back to the attacker.” This is the copy and paste trick. “If the victim shares the OAuth code, the attacker is then able to generate an access token that ultimately allows access to the victim’s M365 account.”


This is an OAuth phishing lure that leverages trusted app login workflows, and it is yet another illustration of why you not only need hardware-backed credentials such as passkeys but also must never share codes or paste browser URLs into dialog boxes opened via links. Instructions to copy and paste codes or strings of text are dangerous, just as with ClickFix attacks. If you ever see such an instruction, it’s an attack. It really is that simple.

And with perfect timing, email specialist SlashNext has just warned of another “phishing kit built to defeat 2FA.” Dubbed SessionShark, the new attack “is an adversary-in-the-middle (AiTM) phishing kit that can steal valid user session tokens to defeat two-factor authentication on Office 365 accounts.” The team found this via an ad, promoting the kit for purported educational purposes. Okay, sure. “The ad explicitly claims the service can ‘intercept sensitive data, including login credentials and session cookies,’ enabling an attacker to hijack authenticated sessions.”

While this is initially a Microsoft account attack, the advanced techniques and obfuscation measures should be a warning to users of all major platforms as to new tactics deployed by attackers and what might be hitting your phone or computer soon.

SlashNext says “Beyond antibot measures, SessionShark touts ‘evad[ing] detection by major threat intelligence feeds and anti-phishing systems’. The developers have added custom scripts and HTTP headers to minimize visibility to security scanners. This likely means the kit might block known threat intel crawlers, use evasive HTML/JS code (to prevent signature-based detection), or dynamically change content. Such stealth features imply that the kit was tested against security solutions to reduce chances of being flagged, demonstrating the growing sophistication of criminal phishing tools.”
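As an added illustration (not code from the article, SlashNext or Microsoft), the following Python sketch of a WebAuthn relying party's origin and rpId checks shows why a passkey sign-in cannot be relayed through an AiTM proxy, whereas an SMS or authenticator-app code carries no such binding; the rpId, origin and look-alike proxy domain are all constructed for the example.

```python
import hashlib
import json

# Constructed relying-party (RP) checks illustrating why a passkey cannot be relayed
# through an AiTM proxy the way an SMS/TOTP code can: the browser only offers the
# credential to the rpId it was registered for, and the authenticator signs over
# clientDataJSON (page origin) and authenticatorData (SHA-256 of the rpId).
# Signature verification is omitted to keep the focus on that origin binding.

RP_ID = "login.example.com"                  # constructed rpId
EXPECTED_ORIGIN = "https://login.example.com"

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: str) -> tuple:
    """Return (accepted, reason) for the origin/rpId/challenge part of the check."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if len(authenticator_data) < 37 or authenticator_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    return True, "ok"

def make_client_data(origin: str, challenge: str) -> bytes:
    """What a browser embeds in clientDataJSON for a sign-in ceremony."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """rpIdHash (32 bytes) || flags (user-present) || 4-byte signature counter."""
    return rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")

if __name__ == "__main__":
    # Genuine site: accepted.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, "c1"), make_auth_data(RP_ID), "c1"))
    # Same challenge relayed via a look-alike proxy domain (constructed): the browser only
    # produces an assertion for the proxy's own rpId/origin, which the real RP rejects.
    proxy = "login-example.com.evil.test"
    print(verify_assertion(make_client_data("https://" + proxy, "c1"), make_auth_data(proxy), "c1"))
```

A proxy that has already captured a session cookie after a successful login is a separate problem, which is why the page's advice is to keep the credential itself unphishable in the first place.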


As for the educational premise, the team dismisses this out of hand. “This duplicitous marketing strategy is common in underground forums – it provides a thin veneer of deniability (to avoid forum bans or legal issues) but fools no one about the true purpose. Phrases like ‘for educational purposes’ or ‘ethical hacking perspective’ in the ad copy are a wink and nod to buyers that this is a hacking tool, not a classroom demo.”

Whether using a Google or Microsoft account, set up passkeys and never enter your password credentials into a webpage unless you’ve reached the main sign-in page through the usual channels, whatever the lure. Do not use SMS 2FA on your account; instead, set up an authenticator app as a minimum. And never paste text strings, URLs or codes from one app into another or into a sign-in dialog box if asked. There is never a reason to do so.

These simple measures and sensible precautions mean you get to keep your Gmail account and your Microsoft email account where they should be — with you.