Google.com Scam Sent via Gmail API - DMARC Passed, No Account Compromise

February 11, 2026

A scam email was sent from a legitimate @google.com address via the Gmail API and passed SPF, DKIM (signed by Google), and DMARC with p=reject. No account was compromised, and there were no phishing links or attachments - just social engineering designed to trigger a reply. This case shows that authentication alone cannot stop abuse when attackers operate through trusted infrastructure.

Someone just sent a scam email from @google[.]com through the Gmail API with DMARC p=reject passed, DKIM signed by Google, and SPF authenticated, bypassing several internal security controls.

The subject line conveyed urgency, and the message asked the recipient to review Q1 ads performance. It was tailored to the victim's industry and written to elicit a reply. No phishing links, payloads, or attachments were inside.

For this scam to work, the threat actor must have access to a @google[.]com mailbox and be able to read incoming replies and continue the conversation.

But this wasn't a classic BEC. No Google account was taken over.

Attacks are getting more sophisticated.
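
A triage sketch for the pattern described above, added here as an example (not code from the original post): it reads the receiver's Authentication-Results header and, separately, checks for the reply-bait content signals the post lists. The sample message, the example.net and example.org hosts, the keyword lists and the four-signal threshold are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample: header values and body are illustrative, not the real message.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@google.com header.s=example;
 spf=pass smtp.mailfrom=sender@google.com;
 dmarc=pass (p=REJECT) header.from=google.com
From: Ads Team <sender@google.com>
To: recipient@example.org
Subject: URGENT: Q1 ads performance review
Content-Type: text/plain; charset=utf-8

Hi, please reply today so we can review your Q1 ads performance.
"""

# Assumed keyword lists; tune them to your own mail flow.
URGENCY = re.compile(r"\b(urgent|asap|immediately|action required)\b", re.I)
REPLY_ASK = re.compile(r"\b(reply|respond|get back to)\b", re.I)
LINK = re.compile(r"https?://|www\.", re.I)

def auth_results(msg):
    """Map spf/dkim/dmarc to the result recorded by the receiving MTA."""
    header = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {method.lower(): result.lower() for method, result in found}

def reply_bait_signals(msg):
    """Signals from the lure: urgency, a reply ask, no links, no attachments."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    checks = {
        "urgent_subject": bool(URGENCY.search(str(msg.get("Subject", "")))),
        "asks_for_reply": bool(REPLY_ASK.search(text)),
        "no_links": not LINK.search(text),
        "no_attachments": next(msg.iter_attachments(), None) is None,
    }
    return sorted(name for name, hit in checks.items() if hit)

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    signals = reply_bait_signals(msg)
    return {
        "authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "signals": signals,
        # Content verdict is independent: a DMARC pass must not suppress review.
        "needs_review": len(signals) == 4,
    }
```

Calling `triage(SAMPLE)` reports the message as fully authenticated and still flags it for review, which is the gap this case illustrates.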
