Just days after Google confirmed it is bringing its next AI upgrade to Gmail, with major privacy implications, there’s more good and bad news for the 3 billion users relying on Google to deliver secure, spam-free email to their phones and computers. It turns out that a dangerous email attack has operated under the radar for years — until now.
First to the good news. Google’s tightening of restrictions on the mass delivery of spam emails to your inbox is working, and it is having a devastating impact on the industry spawned to plague you with marketing messages. Industry website MarTech says that “over the last year” the industry has seen “engagement rates (open and click rates, especially) drop considerably. Their emails only show up in the inboxes of people already engaging with the brand. For most subscribers, the emails are getting flagged as spam.”
This is having the desired effect, albeit “for many of these brands, this is the first time they have encountered this issue [and] for brands with a recent history of combatting spam labels, normal mitigation practices have either been unsuccessful or only effective in the short term.” Bad for brands and marketeers, good for email users.
Be warned, though, the industry is shaping new advice to bypass the new measures. “Email deliverability is more of an art than a science,” says MarTech. “Ensure your team maintains an open dialogue about strategies to stay out of the spam folder, and test initiatives that have proven effective for similar brands.”
Apple’s own spam crackdown has had the same effect, but the Gmail impact is much greater. According to Statista, “Gmail and related e-mail addresses given out by Google positively dominate the U.S. market,” this despite the latest privacy warnings, with its new AI upgrade leaving “many users feeling anxious and appalled at the thought that a generative AI would be reading their personal emails.”
For its part, when asked about the new AI upgrade Google told me “our priority is respecting our users’ privacy while giving them choice and control over their data. To that end, this particular tool is one of the ‘smart features’ that users can control in their personalization settings.” You can read more about those privacy settings.
But Gmail (and other) security restrictions are not bulletproof — far from it. Infoblox warns it “recently discovered a DNS technique used to tailor content to victims.” This works by way of a “phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.” The attacks are harder to spot because the kit performs those MX lookups over DNS over HTTPS (DoH), so the queries bypass the conventional DNS resolvers that security tools typically monitor.
According to the research team, “most of the hyperlinks in the spam emails use domains related to compromised WordPress websites, URL shorteners, or free web hosting.” This includes “abusing legitimate adtech infrastructure to generate redirect links to the phishing webpages. They also exploit open redirect vulnerabilities on DoubleClick, an advertising network owned by Google.”
As Bleeping Computer explains, the operation dubbed Morphing Meerkat “can impersonate more than 114 email and service providers, including Gmail, Outlook, Yahoo, DHL, Maersk, and RakBank, delivering messages with subject lines crafted to prompt urgent action like ‘Action Required: Account Deactivation’.”
One devious twist in these attacks is that after serving a malicious login page for the user’s email service to steal their credentials, the kit can then redirect to the real email login page to avoid suspicion, leaving the user thinking they simply mistyped their password.
Infoblox says “the threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram.” Alarmingly, this has operated under everyone’s radar. “Although there have been reports of individual instances related to this activity, we have not seen reporting on this PhaaS and MX record technique, despite it being in operation for years.”
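To make the two mechanisms described above concrete from a defender’s side, here is an added example (not code from the article, Infoblox, or the Morphing Meerkat kit). It shows, first, how MX records answer the question “which provider hosts this domain’s mail?”, which is exactly the signal the kit uses to pick a look-alike login page, and second, how a mail gateway or analyst script can flag links that carry an open-redirect parameter bouncing to a different host. The DoH answer, the MX-suffix-to-provider table, the redirect parameter names and the sample links are all constructed or assumed for the example, and the `.test` domains are placeholders; the JSON shape follows the public `dns.google/resolve` style, where MX answers have `type` 15 and `data` of the form `"preference host."`.

```python
import json
from urllib.parse import urlparse, parse_qs

# Assumed MX-hostname suffix -> provider table. The suffixes are the well-known
# MX targets for these providers, but the mapping is illustrative, not exhaustive.
MX_PROVIDER_SUFFIXES = {
    ".google.com": "Gmail / Google Workspace",
    ".googlemail.com": "Gmail / Google Workspace",
    ".mail.protection.outlook.com": "Microsoft 365 / Outlook",
    ".yahoodns.net": "Yahoo",
}

# Assumed list of query-parameter names commonly used for redirects (illustrative).
REDIRECT_PARAMS = {"url", "u", "redirect", "redirect_url", "next", "dest", "destination"}

# Constructed DoH JSON answer for an MX query; mirrors the dns.google/resolve layout.
SAMPLE_DOH_ANSWER = json.dumps({
    "Status": 0,
    "Question": [{"name": "example.test.", "type": 15}],
    "Answer": [
        {"name": "example.test.", "type": 15, "TTL": 300, "data": "10 alt1.aspmx.l.google.com."},
        {"name": "example.test.", "type": 15, "TTL": 300, "data": "1 aspmx.l.google.com."},
    ],
})

# Constructed links as they might appear in a phishing email (placeholder hosts).
SAMPLE_LINKS = [
    "https://ads.example-adtech.test/click?id=123&url=https://login-pages.example.test/mail",
    "https://shop.example.test/products?next=/cart",
    "https://blog.example.test/post/42",
]


def mx_hosts_from_doh(doh_json):
    """Extract MX target hostnames from a DoH JSON answer, lowest preference first.

    MX answers carry record type 15 and data "preference host."; the trailing dot
    is stripped so the hosts can be compared against the suffix table.
    """
    doc = json.loads(doh_json)
    records = []
    for answer in doc.get("Answer", []):
        if answer.get("type") != 15:
            continue
        pref, host = answer["data"].split(None, 1)
        records.append((int(pref), host.rstrip(".").lower()))
    return [host for _, host in sorted(records)]


def provider_from_mx(mx_hosts):
    """Map the first MX host that matches a known suffix to a provider name."""
    for host in mx_hosts:
        for suffix, provider in MX_PROVIDER_SUFFIXES.items():
            if host.endswith(suffix):
                return provider
    return "unknown"


def open_redirect_target(link):
    """Return the off-host destination if `link` carries a redirect parameter
    pointing at an absolute URL on a different host, else None.

    A same-host or relative value (e.g. next=/cart) is ordinary site navigation
    and is not flagged.
    """
    parsed = urlparse(link)
    for key, values in parse_qs(parsed.query).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            target = urlparse(value)
            if (target.scheme in ("http", "https") and target.netloc
                    and target.netloc.lower() != parsed.netloc.lower()):
                return target.netloc.lower()
    return None


def triage(doh_json, links):
    """Summarise what an analyst would want to know: which provider the victim's
    domain uses (the page the kit would imitate) and which links bounce off-host."""
    provider = provider_from_mx(mx_hosts_from_doh(doh_json))
    flagged = [(link, open_redirect_target(link)) for link in links
               if open_redirect_target(link) is not None]
    return {"provider": provider, "flagged_links": flagged}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DOH_ANSWER, SAMPLE_LINKS), indent=2))
```

Run as-is, the script resolves the constructed domain to the Gmail look-alike the kit would serve and flags only the first link, whose `url=` parameter sends the reader to a host other than the ad-tech domain it appears to point at; the relative `next=/cart` link is left alone. In practice the same checks would run against real MX answers and the links extracted from a quarantined message.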
All the more reason not to click, download or open unless you’re absolutely sure. And yet another clear warning as to why email, with its archaic architecture, needs a rethink rather than a series of security upgrades that leave its core weaknesses untouched.