Gmail Phishing: Google Sites Scam Used to Steal Credentials
Discover how attackers exploit Gmail and Google Sites for phishing attacks, bypassing email checks and mimicking Google to steal account credentials.

Google Sites, the free web-based platform for creating websites that debuted in 2008, is re-emerging as a powerful threat vector for phishing attacks.
In a thread posted to X, software developer Nick Johnson revealed that attackers have turned to the 17-year-old platform for a highly effective phishing attack. His post received over 2 million views in a matter of hours, emphasizing just how unnoticed this method is.
Johnson, the founder and lead developer of Ethereum Name Service, came across the phishing attack in April 2025 after receiving an email to his Gmail inbox that appeared to come from the search engine behemoth itself.
Phishing attacks run through Google Sites aren’t entirely new, though. A few years ago, Mashable reported on the platform being a hotbed for scammers. But the difference now is that attackers are adding a much higher level of sophistication to trick victims.
As noted by Johnson, attackers are exploiting a security vulnerability in Google’s infrastructure to pull off this phishing attack with ease.
Gmail Phishing Attack: Example Using Google Sites
Johnson began his examination with the email that established this phishing attack. He received it from the standard no-reply@google.com address, and it passed authentication without any warnings from Gmail.
However, it was actually mailed by a privateemail.com address, which doesn’t belong to Google.
In the body of the phishing email, the sender claims that a subpoena was served on Google, in which the company needs to produce a copy of the recipient’s Google Account content. It then lists out a support reference number and includes a link to the support case.
Notice anything suspicious? Perhaps, but the unsuspecting eye wouldn’t. Take a look at the URL: the domain is sites.google.com, which indicates a user-created page hosted on Google Sites rather than an official Google property. But again, most people wouldn’t think twice about this.
The email concludes with a request for the recipient to “examine the case materials or take measures to submit a protest” through the link provided.

Clicking the link takes you to a page that lists the reference number and displays “IN PROGRESS” and “URGENT” labels to build pressure.
Johnson hit the “Upload additional documents” and “View case” buttons, both of which direct the victim to a login page that’s identical to Google’s real version. It’s an obvious attempt to steal login credentials and use them to compromise the victim’s Google Account.
In his findings, Johnson points to Google Sites’ support of “arbitrary scripts and embeds” as the issue. He also notes that Google doesn’t offer a way to report abuse on the platform.
How a Gmail & Google Sites Phishing Attack Works
Although AI phishing is surging today, creating a Gmail and Google Sites phishing attack still requires some manual work. But it’s far from arduous, and it’s highly effective in stealing Google Account login credentials from victims.
Johnson laid out the workflow for an attacker to deploy a Gmail and Google Sites phishing attack in his post to X, which we’ve summarized below:
- Register Domain: The attacker registers a domain and creates a Google Account for it, typically with me@domain for the email address.
- Connect OAuth Application: An OAuth application is made, with the name being the entire text of the phishing message. After granting access to the Google Account, it generates the security alert message. Johnson states that, “Since Google generated the email, it’s signed with a valid DKIM key and passes all the checks.”
- Forward Message: With the security alert email created, the attacker forwards this to their victims and goes undetected by Gmail, even appearing in the same thread as legitimate security alerts from Google.
Attackers use ‘me’ in their Google Account because, as Johnson explains, it’s “the shorthand [Gmail] uses when a message is addressed to your email address - avoiding another indication that might send up red flags.”
For a deeper dive into this type of phishing attack, Johnson recommends EasyDMARC’s technical breakdown.
Be on the Lookout: Identify Gmail & Google Sites Phishing
Attackers want to steal Google Account credentials, so this phishing attack primarily targets anyone with a personal or professional email address operated through Gmail.
In the example from Johnson’s experience, several discrepancies exist that should make an individual question the legitimacy of the correspondence. First, it’s suspicious that Google — or any company, for that matter — would communicate a legal notice via email.
Second, Google doesn’t deliver any of its own services through Google Sites domains; sites.google.com hosts pages created by the general public.
The attacker also left a large block of empty space between the visible content at the top of the email and the bottom, where a me@googl-mail-smtp-out-198-142-125-38-prod.net address that doesn’t belong to Google is mentioned.
This is further confirmed in Gmail’s drop-down panel. Although it says the email is from Google, it was mailed by a privateemail.com address.
Now, if someone managed to miss any of the previous telltale signs of this phishing attack, there are still indicators to tip off suspicion.
Looking at the URL on the fake Google Support page, it says sites.google.com, which we’ve established Google doesn’t use itself. In addition, Google wouldn’t manage legal matters through a web portal.
But, in any case, for those who make it to the fake Google Account sign-in page, notice once again that the URL still belongs to Google Sites.
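The following script is an added example, not code from the article, Johnson’s post, or Google. It turns the attack workflow described above (a Google-generated, DKIM-valid alert forwarded from an attacker’s “me@domain” account) and the indicators listed in this section into header and link checks a mail-triage tool could run: the “mailed by” domain (Return-Path) not matching the From domain even though DKIM passes, a To: header that is not the recipient’s own mailbox, a “me” local-part, and links pointing at sites.google.com rather than Google’s own sign-in host. The two sample messages, the addresses, and the domains in them are constructed for the example; accounts.google.com as the only legitimate sign-in host is an assumption made here.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption for this example: only accounts.google.com counts as Google's own
# sign-in host. sites.google.com hosts user-created pages, as the article notes.
GOOGLE_SIGNIN_HOSTS = {"accounts.google.com"}
GOOGLE_SITES_HOST = "sites.google.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _addr(value):
    """Bare, lower-cased address from a header value such as 'Google <x@y>'."""
    return email.utils.parseaddr(str(value or ""))[1].lower()


def _domain(address):
    return address.rpartition("@")[2]


def classify_url(url):
    """Classify a link by host: Google's sign-in host, a user-hosted Google
    Sites page, or anything else."""
    host = (urlparse(url).hostname or "").lower()
    if host in GOOGLE_SIGNIN_HOSTS:
        return "google-sign-in"
    if host == GOOGLE_SITES_HOST:
        return "user-hosted-google-sites"
    return "other"


def triage(raw_message, mailbox):
    """Return (code, detail) findings for the indicators the article lists.
    An empty list means none of them fired for this message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender_dom = _domain(_addr(msg["From"]))
    # Return-Path is the envelope sender; Gmail surfaces its domain as "mailed by".
    envelope_dom = _domain(_addr(msg["Return-Path"]))
    auth = str(msg["Authentication-Results"] or "")
    if envelope_dom and envelope_dom != sender_dom and not envelope_dom.endswith("." + sender_dom):
        detail = f"From {sender_dom} but mailed by {envelope_dom}"
        if "dkim=pass" in auth:
            # A valid DKIM signature vouches for the original message body and
            # headers, not for whoever later forwarded it.
            detail += "; DKIM pass covers the original message, not the forwarder"
        findings.append(("mailed_by_mismatch", detail))

    recipient = _addr(msg["To"])
    if recipient and recipient != mailbox.lower():
        findings.append(("to_not_recipient", f"To: {recipient} is not {mailbox}; alert was forwarded"))
    if recipient.startswith("me@"):
        findings.append(("me_local_part", "To: uses the 'me' shorthand Gmail shows for your own address"))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        if classify_url(url) == "user-hosted-google-sites":
            findings.append(("sites_google_link", url))
    return findings


# Constructed sample modelled on the indicators in the article (not a real capture).
PHISH_SAMPLE = """\
Delivered-To: victim@gmail.example
Return-Path: <me@attacker-domain.example>
Authentication-Results: mx.google.com; dkim=pass header.i=@google.com
From: Google <no-reply@google.com>
To: me@attacker-domain.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

Google has received a subpoena requesting a copy of your Google Account content.
Reference number: CONSTRUCTED-0001
View case: https://sites.google.com/view/constructed-support-case
"""

# Constructed sample of an alert addressed directly to the mailbox owner.
LEGIT_SAMPLE = """\
Delivered-To: victim@gmail.example
Return-Path: <no-reply@accounts.google.com>
Authentication-Results: mx.google.com; dkim=pass header.i=@google.com
From: Google <no-reply@google.com>
To: victim@gmail.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review activity: https://accounts.google.com/signin
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample, "victim@gmail.example"))
```

The envelope check tolerates subdomains of the From domain (a Return-Path on accounts.google.com for a From on google.com), so ordinary Google alerts produce no finding, while a forwarded copy whose Return-Path sits on an unrelated domain does, regardless of the DKIM result.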
Awareness is Key to Defeating Phishing Attacks
Every tactic to identify Gmail and Google Sites phishing seems standard, but many individuals and organizations operate with little to no security awareness, leaving them vulnerable to attacks. It takes just one click to compromise sensitive data, and that’s why organizations are investing heavily in next-generation security awareness training and phishing simulations.
Ultimately, the resurgence of phishing using Gmail and Google Sites highlights how attackers continuously adapt, leveraging legitimate platforms in novel ways.
The sophistication lies not only in the realistic pages: attackers are also exploiting Google’s own systems, like OAuth and email authentication, to lend credibility to malicious emails.
So while Google Sites offers ease of use for website creation, its features, combined with a lack of obvious abuse detection and reporting mechanisms noted by Johnson, create an attractive vector for cybercriminals. It’s a stark reminder that vigilance is required across all online interactions, and organizations must prioritize modern security awareness training to help employees spot the subtle, yet critical, red flags indicative of well-crafted attacks.
Get a demo with Adaptive Security to experience why over 100 leading global brands trust our next-generation platform for security awareness training and phishing simulations.