Incident Summary
On November 3, 2025, a Gmail user (alexsmith@gmail.com) received multiple "Delivery Status Notification (DSN) (Failure)" emails containing embedded phishing content. This incident exploits a bounce-based phishing technique, where attackers abuse Google's email delivery failure system to bypass spam filters. The phishing payload mimics an Amazon account update prompt, linking to a malicious S3-hosted site with an obfuscated JavaScript redirect chain designed to evade detection. No OAuth replay was involved; this is purely an Simple Mail Transfer Protocol (SMTP) bounce exploit, as described in Eugen Nikolajev's X post: https://x.com/eugen_nikolajev/status/1984208037348045206.
Status as of November 05, 2025: Active and unmitigated by Google.
Impact: Potential credential theft or malware infection if links are clicked. User reported receiving 3 such emails over 3 days. The payload's redirect chain leads to credential-harvesting or drive-by downloads, with VirusTotal false negatives on the initial URL.
Timeline of Events
-
November 3, 2025, ~16:21 PST: Attacker sends forged email from IP
40.233.10.186toalexsmith@google.com, with envelope senderalexsmith@gmail.com. "alexsmith" is made up username to protect privacy of user who reported this. -
Immediate: Google's MX servers (e.g.,
2002:a05:622a:53c7:b0:4ed:637f:6cca) process and fail delivery, generating DSN (Delivery Status Notification). -
16:21:36 PST: DSN delivered to
alexsmith@gmail.comvia Google's internal routing. - Post-Incident: User forwards email; phishing link vanishes in rendered view due to client sanitization (small note: this is a security feature, but raw source retains it).
- Ongoing: Similar incidents reported in X threads from October 2025.
Root Cause Analysis
The root cause is Google's handling of bounces for non-existent @google.com addresses. Attackers forge the envelope sender to the victim's @gmail.com, triggering a trusted DSN (Delivery Status Notification) that embeds the original phishing message. Key enablers:
- SPF softfail ignored for inbound mail to Google's domain.
- DSNs are DKIM-signed by Google, passing all authenticity checks.
- Gmail renders nested Multipurpose Internet Mail Extensions (MIME) parts inline without aggressive scanning.
No user error; this is a systemic vulnerability in SMTP (Simple Mail Transfer Protocol) bounce mechanics.
Exploitation of Return-Path
The Return-Path header (which reflects the SMTP envelope sender) is the key exploit vector. In the inner message, attackers forge it as the victim's address (<alexsmith@gmail.com>). This tricks Google's system into bouncing the DSN back to the victim, embedding the phishing payload in a trusted, authenticated email. The outer DSN sets Return-Path: <> (empty) to prevent loops, but the inner forgery ensures delivery to the target. This abuse of envelope vs. header sender allows spam to masquerade as a legitimate bounce from Google's daemon.
Detailed Header Breakdown
Below is a line-by-line analysis of the email headers, divided into outer DSN and inner phishing message. Headers are quoted exactly (with sensitive addresses replaced). We've listed key ones with explanations for clarity.
Outer DSN Headers (Bounce Notification)
-
Delivered-To: alexsmith@gmail.com
Analysis: Final recipient; confirms delivery to victim's Gmail. -
Received: by 2002:a05:6022:a199:b0:e4:7068:2b7b with SMTP id cy25csp780589lab; Mon, 3 Nov 2025 16:21:36 -0800 (PST)
Analysis: Google's internal relay; timestamp matches incident. -
X-Received: by 2002:a05:622a:1823:b0:4b6:299d:dfe4 with SMTP id d75a77b69052e-4ed30debddbmr189280201cf.32.1762215696469; Mon, 03 Nov 2025 16:21:36 -0800 (PST)
Analysis: Another internal hop; Unix timestamp (1762215696469) for tracking. -
ARC-Seal: i=1; a=rsa-sha256; t=1762215696; cv=none; d=google.com; s=arc-20240605; b=...
Analysis: Authenticated Received Chain seal; verifies integrity from Google's side. -
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=... bh=... b=...
Analysis: Signs the message body; ensures no tampering post-Google. -
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass ... spf=none ... dmarc=pass ... dara=pass
Analysis: Auth results: DKIM passes for googlemail.com; SPF none (expected for daemon); DMARC pass on header.from. -
Return-Path: <>
Analysis: Empty to prevent bounce loops; standard for DSNs. This is set by Google to avoid further bounces, contrasting with the forged inner Return-Path. -
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id ... for <alexsmith@gmail.com> (Google Transport Security); Mon, 03 Nov 2025 16:21:36 -0800 (PST)
Analysis: Ingress from Google's sorter; TLS secured. -
Received-SPF: none (google.com: postmaster@mail-sor-f65.google.com does not designate permitted sender hosts) client-ip=209.85.220.65;
Analysis: SPF none; internal sender not SPF-designated, but trusted. -
Authentication-Results: mx.google.com; dkim=pass ... spf=none ... dmarc=pass ... dara=pass
Analysis: Repeats auth checks; all pass for the DSN. -
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20230601; t=1762215696; x=1762820496; dara=google.com; h=... bh=... b=...
Analysis: Google's DKIM signature; validates the DSN content. -
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1762215696; x=1762820496; h=... bh=... b=...
Analysis: Additional Google signature; reinforces authenticity. -
X-Gm-Message-State: AOJu0YwMTuvC9B6lJHFNXkusP5ekXC7TSVRzx1PKQ4sfonAPPuJGC0Q5 Po9mcD52wqi44vWdghKmxoyPfHtEKeLFja9KQzaOWMJFt/62Nyo36VIr/nJcv7fBcvd2uMQQG5u z4LNL7IcrtQZk30buTkpU3gCAAzRAGUSq39I6q4eO5LXLsgS7DgxVK1E2Pg==
Analysis: Internal Google state; used for anti-abuse tracking. -
X-Google-Smtp-Source: AGHT+IHsfTGbTrbU9JaQ2zOmikOn/g/COSVgAEnqpfmPgLzP/5fgdsw835DDonKpd8R3kc74D80ZkCNcwbsfE+KYehU4lysM6Zlba3U=
Analysis: SMTP source tracking; obfuscated for security. -
X-Received: by 2002:a05:622a:53c7:b0:4ed:637f:6cca with SMTP id d75a77b69052e-4ed637f747emr9824301cf.54.1762215696243; Mon, 03 Nov 2025 16:21:36 -0800 (PST)
Analysis: Final internal receive; ties to bounce generation. -
Content-Type: multipart/report; boundary="000000000000979a410642b9d026"; report-type=delivery-status
Analysis: MIME type for DSN; contains report, status, and original message. -
To: alexsmith@gmail.com
Analysis: Victim's address. -
Received: by 2002:a05:622a:53c7:b0:4ed:637f:6cca with SMTP id d75a77b69052e-4ed637f747emr10289581cf.54; Mon, 03 Nov 2025 16:21:36 -0800 (PST)
Analysis: Duplicate receive; likely for attachment handling. -
Return-Path: <>
Analysis: Repeated; standard. -
Auto-Submitted: auto-replied
Analysis: Indicates automated response; helps filters classify as non-spam. -
Message-ID: <69094710.050a0220.2271ca.30a8.GMR@mx.google.com>
Analysis: Unique ID generated by Google. -
Date: Mon, 03 Nov 2025 16:21:36 -0800 (PST)
Analysis: Bounce timestamp. -
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Analysis: Legitimate sender; key to trust. -
Subject: Delivery Status Notification (Failure)
Analysis: Standard failure subject; appears benign. -
References: <vl62l1tgb8spxb9+px2st+g@mail.gmail.com>
Analysis: References inner message ID. -
In-Reply-To: <vl62l1tgb8spxb9+px2st+g@mail.gmail.com>
Analysis: Threads to forged original. -
X-Failed-Recipients: alexsmith@google.com
Analysis: Specifies failed address; core trigger. -
MIME-Version: 1.0
Analysis: Standard MIME declaration.
MIME Parts and Body Analysis
-
--000000000000979a410642b9d026: Outer boundary; contains related and alternative parts. -
Text/Plain and Text/HTML Body: User-friendly failure message: "Address not found" with link to
support.google.com. Includesicon.pngattachment (base64 PNG of error icon). -
Message/Delivery-Status: Reports failure: "The email account that you tried to reach does not exist." Diagnostic code
5.1.3. - Message/Global (Inner Phishing Message): The embedded original; analyzed below.
Inner Phishing Message Headers
-
X-Google-Smtp-Source: AGHT+IE8W4/xS2C90t+kz9vizuHFu9FjQSlwLI0BcVAmwa28rSoLr+joqucXrmujdxTudQoZ9ETf
Analysis: Internal tracking for inner message. -
X-Received: by 2002:a05:622a:53c7:b0:4ed:637f:6cca with SMTP id d75a77b69052e-4ed637f747emr9823481cf.54.1762215695326; Mon, 03 Nov 2025 16:21:35 -0800 (PST)
Analysis: Receive timestamp; one second before outer. -
ARC-Seal: i=1; a=rsa-sha256; t=1762215695; cv=none; d=google.com; s=arc-20240605; b=...
Analysis: ARC for inner; signed by Google during processing. -
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=... bh=... b=...
Analysis: Signs inner body. -
ARC-Authentication-Results: i=1; mx.google.com; spf=softfail ...
Analysis: SPF softfail: Domain doesn't designate attacker's IP (40.233.10.186). -
Return-Path: <alexsmith@gmail.com>
Analysis: Forged to victim; this is the core exploit—causes the bounce to be routed back to the victim, delivering the phishing in a trusted DSN wrapper. -
Received: from maracana.huaze.com ([40.233.10.186]) by mx.google.com with ESMTPS id ... for <alexsmith@google.com> (version=TLS1_2 ...); Mon, 03 Nov 2025 16:21:35 -0800 (PST)
Analysis: Attacker's server; compromised subdomain of huaze.com. -
Received-SPF: softfail (google.com: domain of transitioning alexsmith@gmail.com does not designate 40.233.10.186 as permitted sender) client-ip=40.233.10.186;
Analysis: Confirms forgery; softfail allows processing. -
Authentication-Results: mx.google.com; spf=softfail ...
Analysis: Repeats SPF softfail. -
Date: Sat, 9 Aug 2025 16:00:49 -0700
Analysis: Forged date; backdated to evade filters. -
Subject:
Analysis: Empty; reduces suspicion. -
From: "Suggestions d’ami(e)s " <cie7zs1e36@7w8wo.net>
Analysis: Fake sender; unrelated domain. -
MIME-Version: 1.0
Analysis: Standard. -
Content-Type: text/html; charset="utf-8"k
Analysis: HTML payload; typo in charset ("utf-8"k). -
Message-ID: <vl62l1tgb8spxb9+px2st+g@mail.gmail.com>
Analysis: Forged Gmail-style ID. -
X-678680: 550372498
Analysis: Custom tracking; likely attacker-specific.
Inner Body Analysis
-
Phishing Content: HTML with link to
https://wroldcupfire.s3.amazonaws.com/amazon.html?utm_source=44329&sogiking=statistics&utm_medium=550372498_260506_678640(fake cloud storage storage warning). Includes image src "https://s3.us-east-1.amazonaws.com/wroldcupfire/nike.png#https://bbc.com/tv161..php"" with click map, except this image didn't load in the Gmail mobile app. -
Evasion Tricks: Massive
<p style="height:90000px">to scroll-hide; blended Substack-like HTML for legitimacy. The link appears only after scrolling in mobile views (see screenshots). -
JavaScript Redirect Chain: The landing page contains obfuscated JS that parses URL parameters and hash to redirect:
- Extracts search/hash params; defaults to false if short/null.
- Checks for specific patterns (e.g., '?c=' for google.fr, 'ptm-cadzu' otherwise).
- Builds redirect URL:
https://www.google.frorhttps://wapsir.com/+ dynamic path. - Final chain: wapsir.com →
https://www.virustotal.com/gui/url/6b66217c6002d385a0a7c97a25f3dd73e4b7c261e99c933c8d09ec06081efff4/details(11/98 malicious) →https://www.sqlwe.com/25W2WN3T/7HN5B5X9/?sub1=149&sub2=44329_0_135&sub3=550372498_260506_678640(blank page, likely payload loader).
VirusTotal Analysis: Initial S3 URL reports clean (false negative). Redirect to wapsir.com flagged as malicious (11/98 engines). Evasion via unique per-click params (e.g., utm_source=44329) or referrer checks, causing inconsistent scans.
Mitigation Steps
- Immediate: Mark as phishing; avoid links. Use URL scanners before clicking.
- User-Level: Check URLs before opening, use a password manager and 2FA.
- Google-Level: Reject softfail SPF for @google.com; strip DSN attachments; enhance JS scanning in previews.
Related: OAuth Replay Phishing
While not used here, a different Google exploit involves replaying OAuth security alerts. For details, see Nick Johnson's X post: https://x.com/nicksdjohnson/status/1912439023982834120?s=46 and EasyDMARC's analysis.
Comments
0 comments
Please sign in to leave a comment.