Update: Republished on April 1 with news of Gmail’s new encryption boost and a question as to whether that solves its biggest problem.
Just days after Google confirmed it is bringing its next AI upgrade to Gmail, with major privacy implications, there’s more good and bad news for the 3 billion users relying on Google to deliver secure, spam-free email to their phones and computers. It turns out that a dangerous email attack has operated under the radar for years — until now.
First to the good news. Google’s tightening of restrictions on the mass delivery of spam emails to your inbox is working, and it’s having a devastating impact on the industry spawned to plague you with marketing messages. “Over the last year,” the website MarTech says, the industry has seen “engagement rates (open and click rates, especially) drop considerably. Their emails only show up in the inboxes of people already engaging with the brand. For most subscribers, the emails are getting flagged as spam.”
This is having the desired effect, albeit “for many of these brands, this is the first time they have encountered this issue [and] for brands with a recent history of combatting spam labels, normal mitigation practices have either been unsuccessful or only effective in the short term.” Bad for brands and marketeers, good for email users.
Be warned, though, the industry is shaping new advice to bypass the new measures. “Email deliverability is more of an art than a science,” says MarTech. “Ensure your team maintains an open dialogue about strategies to stay out of the spam folder, and test initiatives that have proven effective for similar brands.” And it comes with a list of new tricks and techniques.
Apple’s own spam crackdown has had the same effect, but the Gmail impact is much greater. According to Statista, “Gmail and related e-mail addresses given out by Google positively dominate the U.S. market,” this despite the latest privacy warnings, with its new AI upgrade leaving “many users feeling anxious and appalled at the thought that a generative AI would be reading their personal emails.”
For its part, when asked about the new AI upgrade Google told me “our priority is respecting our users’ privacy while giving them choice and control over their data. To that end, this particular tool is one of the ‘smart features’ that users can control in their personalization settings.” You can read more about those privacy settings.
But Gmail (and other) security restrictions are not bulletproof — far from it. Infoblox warns it “recently discovered a DNS technique used to tailor content to victims.” This works by way of a “phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands.” The attacks evade detection by exploiting the DNS over HTTPS (DoH) upgrade, and they also rely on a raft of mass-emailing spam techniques.
According to the research team, “most of the hyperlinks in the spam emails use domains related to compromised WordPress websites, URL shorteners, or free web hosting.” This includes “abusing legitimate adtech infrastructure to generate redirect links to the phishing webpages. They also exploit open redirect vulnerabilities on DoubleClick, an advertising network owned by Google.”
As Bleeping Computer explains, the operation dubbed Morphing Meerkat “can impersonate more than 114 email and service providers, including Gmail, Outlook, Yahoo, DHL, Maersk, and RakBank, delivering messages with subject lines crafted to prompt urgent action like ‘Action Required: Account Deactivation’.”
One devious twist in these attacks is that after serving malicious email login pages to steal credentials, an attack then redirects to real email login pages to avoid suspicion and leave a user thinking they had mistyped their credentials. The days of passwords for account access must now come to an end. While two-factor authentication (2FA) helps, in its simplest forms it is vulnerable. All Gmail users should set up passkeys and ensure the strongest form of 2FA is in place for any passwords left in place as a backup.
Infoblox says “the threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram.” Alarmingly, this has operated under everyone’s radar. “Although there have been reports of individual instances related to this activity, we have not seen reporting on this PhaaS and MX record technique, despite it being in operation for years.”
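The MX-record lookup described above is done from the victim’s browser over a public DoH resolver, which is one thing a defender can look for in web proxy logs. The following Python heuristic is an added example, not code from the article or from Infoblox’s report; the log format, the sample lines, the DoH host list and the referer allowlist are all constructed assumptions.

```python
"""Flag web-proxy entries where a page (the referer) triggered a client-side
MX lookup through a public DNS-over-HTTPS resolver: a landing page that wants
to know the visitor's mail provider before rendering a "login" form is a
useful signal for the MX-record tailoring technique described in the article.
Log format, sample lines and allowlist are constructed for this example.
"""
import re
from urllib.parse import urlparse, parse_qs

# Well-known public DoH endpoints that answer GET queries with name/type params.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
# Sites where a browser-side MX lookup is expected (assumed internal allowlist).
ALLOWED_REFERERS = {"intranet.example.org"}

# Constructed proxy log format: <timestamp> <client> GET <url> "<referer>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) GET (?P<url>\S+) "(?P<ref>[^"]*)"$')

def is_doh_mx_query(url):
    """Return the queried name if url is a DoH MX lookup, otherwise None."""
    u = urlparse(url)
    if u.hostname not in DOH_HOSTS:
        return None
    qs = parse_qs(u.query)
    # Resolvers accept the type as a mnemonic ("MX") or its numeric code (15).
    if qs.get("type", [""])[0].upper() not in ("MX", "15"):
        return None
    name = qs.get("name", [""])[0].rstrip(".").lower()
    return name or None

def find_suspicious(lines):
    """Return one record per DoH MX lookup whose referer is not allowlisted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        name = is_doh_mx_query(m["url"])
        if name is None:
            continue
        ref_host = urlparse(m["ref"]).hostname or ""
        if ref_host in ALLOWED_REFERERS:
            continue
        hits.append({"client": m["client"], "referer": ref_host, "mx_for": name})
    return hits

SAMPLE_LOG = [  # constructed sample lines
    '2025-03-28T09:01:02Z 10.0.0.5 GET https://dns.google/resolve?name=example.com&type=MX "https://login-verify.example.net/secure"',
    '2025-03-28T09:01:03Z 10.0.0.5 GET https://login-verify.example.net/img/logo.png "https://login-verify.example.net/secure"',
    '2025-03-28T09:05:10Z 10.0.0.7 GET https://cloudflare-dns.com/dns-query?name=example.com&type=A "https://intranet.example.org/tools"',
    '2025-03-28T09:06:11Z 10.0.0.8 GET https://dns.google/resolve?name=example.com&type=MX "https://intranet.example.org/mailcheck"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Only the first sample line is reported: the A-record query and the allowlisted intranet page are ignored.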
Talking security, Google confirmed (on April 1) that it is bringing a form of end-to-end encryption to Gmail. It’s the 21st anniversary of the message platform’s launch, and “we wanted to do something special” for its birthday. Google will now “enable enterprise users to send E2EE messages to any user on any email inbox with just a few clicks.”
This is an odd one for Google to bring to Gmail now, and it’s wrapped in small print. To begin with, in beta, users with enterprise Workspace will be able to “send E2EE emails to Gmail users in your own organization. In the coming weeks, users will be able to send E2EE emails to any Gmail inbox, and, later this year, to any email inbox.”
This is clearly good — end-to-end encryption is always the right answer if available. “While more organizations have real needs for E2EE emails,” Gmail says, “few have the resources to implement [Secure/Multipurpose Internet Mail Extensions] S/MIME. IT teams need to acquire and manage certificates and deploy them to each user, resulting in additional efforts and costs. And end users have to figure out whether they and the recipient have S/MIME configured (few do), and then go through the hassle of exchanging certificates before the encrypted emails can be exchanged. This often results in frustration and the inability to send encrypted emails.”
In other words, full encryption is difficult in email given its open architecture, one of the reasons it remains such a honeypot for threats. Google explains that once fully deployed, “when the recipient is a Gmail user (enterprise or personal), Gmail sends an E2EE email. The email is automatically decrypted in the recipient’s inbox, and the recipient can use Gmail in a familiar way.” But when the recipient “is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail. The recipient can then use a guest Google Workspace account to securely view and reply to the email.” This is great for the odd secure email, but irrelevant for day-to-day use.
As such, this is a solution to an email transmission security problem and possibly an additional sender assurance solution, but it doesn’t resolve email’s core weaknesses. As I’ve said repeatedly, email is ripe for disruption and innovation, and the hoops one needs to jump through to fully encrypt daily traffic essentially prove that point.
All the more reason not to click, download or open unless you’re absolutely sure. And yet another clear warning as to why email with its archaic architecture needs a rethink rather than a series of security upgrades that leave core weaknesses untouched.