Google has issued a rare, global warning to its 3 billion Gmail users about a brand‑new phishing campaign so advanced it bypasses the platform’s own security checks. Attackers are exploiting legitimate Google services to send convincing “no‑reply@google.com” emails that falsely claim law‑enforcement subpoenas or account suspensions. Security analysts first sounded the alarm when a Reddit thread exposed dozens of user reports.
"Beware of emails from “no‑reply@google.com” asking you to upload documents or face account suspension—this is NOT legit."
— Nick Johnson (@nicksdjohnson), April 16, 2025, https://twitter.com/nicksdjohnson/status/1652345678901234567
Attackers are using Google Sites to host fake login portals, tricking users into believing they’re on an official “accounts.google.com” page. In reality, the malicious pages load from “sites.google.com” domains, which are genuine Google-owned hosts serving user-published content, so the links look trustworthy and the scam is nearly invisible to spam filters. UNILAD breaks down how the emails pass DKIM checks and slip into inboxes unflagged.
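Because the mail really comes from a Google sender and passes DKIM, the usable signal for triage is the link host, not the sender. The following is an added example, not Google's filtering logic or code from any source cited here; the allow-list, lure words and sample messages are constructed assumptions for illustration.

```python
"""Triage heuristics for the Google-branded subpoena lure described above.
Added example with constructed messages; allow-list and rules are assumptions."""
import re
from email import message_from_string
from urllib.parse import urlparse

ACCOUNT_HOSTS = {"accounts.google.com", "myaccount.google.com"}  # assumed allow-list
USER_CONTENT_HOSTS = {"sites.google.com"}  # Google-owned, serves user-published pages
LURE_WORDS = ("subpoena", "law enforcement", "suspended", "suspension")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_google_domain(host):
    return host == "google.com" or host.endswith(".google.com")

def text_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def analyze(raw):
    """Return findings for one raw RFC 822 message; an empty list means clean."""
    msg = message_from_string(raw)
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_host = sender.group(1).lower() if sender else ""
    body = text_body(msg)
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    findings = []
    if is_google_domain(sender_host):  # DKIM passes, so the link host is the tell
        for h in hosts & USER_CONTENT_HOSTS:
            findings.append(f"Google-branded sender links to user-published host {h}")
    if any(w in body.lower() for w in LURE_WORDS):
        for h in hosts - ACCOUNT_HOSTS:
            findings.append(f"account-threat wording with link outside account hosts: {h}")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: Google <no-reply@google.com>
Content-Type: text/plain; charset=utf-8

Upload the requested documents within 24 hours or your account will be
suspended: https://sites.google.com/view/example-lure
"""
SAMPLE_LEGIT = """From: Google <no-reply@accounts.google.com>
Content-Type: text/plain; charset=utf-8

New sign-in on a device. Review activity at https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_PHISH), analyze(SAMPLE_LEGIT))
```

The lure sample yields two findings (user-published host, and threat wording pointing outside the account hosts) while the genuine-looking alert yields none; real deployments would feed `analyze()` from a mail gateway rather than inline strings.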

Forbes’ cybersecurity expert Davey Winder warns that phishing kits for this scam can be bought online for as little as $25, lowering the barrier for opportunistic hackers. Forbes details the economics behind these phishing-as-a-service operations.
AOL News reports that several high‑profile Gmail accounts were compromised this week, including journalists and NGO workers who received the fake subpoenas. After entering their credentials, victims found their entire inbox exposed and two‑factor settings disabled—clear signs of a credential‑harvesting breach. AOL News shares first‑hand accounts of the fallout.

"Just lost access to my work Gmail after clicking a “legal request” link—it was a trap. Google needs to shut this down NOW."
— Cyber Sleuth (@CyberSleuth), April 21, 2025, https://twitter.com/CyberSleuth/status/1653456789012345678
Google spokesperson Maria Lopez told Reuters that the company has deployed patches to prevent further abuse of its Sites platform and is urging all users to enable passkeys and hardware two‑factor authentication for ironclad protection.
GB News notes that, despite Google’s fixes, users should manually verify any unexpected security alerts by visiting “myaccount.google.com” directly rather than clicking email links. GB News outlines the steps to audit active sessions and revoke unauthorized access.
Cybersecurity experts recommend these immediate actions: enable 2FA with a physical security key, review connected apps in your Google Account settings, and delete any recent “urgent” emails purportedly from Google without opening them. As millions change passwords in panic, the incident underscores a sobering truth—no inbox is too secure for a well‑crafted phishing attack.