chat
expand_more

Google Mail Merge Notification Used in Phishing Attack

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick...
February 19, 2021

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick unsuspecting users and gain access to entire Google Workspace accounts.

Summary of Attack Target

  • Platform: Google Workspace
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Phishing Attack

It is not uncommon to receive a notification from Gmail regarding a range of different account activities. This attack in particular uses this method by mimicking an automated Gmail message, claiming that a request was made to add an email to the recipient's account.

The attackers pose as an automatic email merger notification, stating that a request was made to merge the recipient’s email with a specified Gmail account. There is a warning that the request will automatically be processed within twenty-four hours. If the recipient does not want the account to be merged, they are instructed to click the provided link to decline the request.

The "Decline request" link leads to a fraudulent Google page where the user can either acknowledge or decline the request.

After the recipient makes their choice and clicks the Next button, they are redirected to an impersonated Outlook sign-in page—an interesting tactic given that this email was sent to Google users. The recipient is expected to enter their email credentials on a legitimate-looking sign-in page. If the recipient falls victim, the attackers would have access to the victim’s account and other sensitive information.

Why the Google Impersonation Attack was Effective

The email seems convincing because the link in the body of the email leads the recipient to a landing page that looks nearly identical to the Google account sign-in page. If the recipient does not recognize the suspicious URL, they are more likely to fall victim to this attack after seeing the familiar and trusted Google landing page.


Many existing security measures do not properly analyze attack language. Abnormal Security prevented this attack by recognizing a number of signals that when combined, flagged the email as malicious. These signals include the message body, which contains language commonly observed in phishing attacks, and the fact that the email comes from a sender that is not usually seen. Other indicators were the presence of a suspicious link, as well as a mismatch between the sender domain and the reply-to domain. Taken together, these signals indicate that the email is malicious and it is blocked before reaching user inboxes.

To see how Abnormal Security can stop suspicious emails from targeting your employees, request a demo today.

Google Mail Merge Notification Used in Phishing Attack

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B APAC Email Security Threats
Email attacks on APAC organizations, including phishing and BEC, are rising. See why AI-native email security is crucial to countering modern cyber threats.
Read More
B Proofpoint Customer Story 10
Learn how a multinational travel center services provider blocked 1,180+ attacks missed by Proofpoint and reclaimed 450+ SOC hours per month by adding Abnormal.
Read More
B Operating Curves Blog
Explore how operating curves help optimize system performance by visualizing competing metrics, making trade-offs, and achieving efficient resource allocation.
Read More
B SOC Traits
Discover the traits and mindsets that define top SOC analysts, as explored in Season 1 of SOC Unlocked.
Read More
B Punycode Problem Blog
Explore how threat actors exploit Punycode in email attacks and learn how AI-driven solutions can protect against these threats.
Read More
B Product24
Discover how Abnormal transformed 2024 with groundbreaking AI innovations, enhanced cloud and email security solutions, and industry leadership, tackling evolving cyber threats while empowering organizations worldwide to stay secure.
Read More