chat
expand_more

Google Mail Merge Notification Used in Phishing Attack

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick...
February 19, 2021

When attempting to gain credentials to a Google account, the best brand to impersonate is likely Google. In this account, threat actors sent an urgent account message to trick recipients into inputting their Google credentials, hoping to trick unsuspecting users and gain access to entire Google Workspace accounts.

Summary of Attack Target

  • Platform: Google Workspace
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Phishing Attack

It is not uncommon to receive a notification from Gmail regarding a range of different account activities. This attack in particular uses this method by mimicking an automated Gmail message, claiming that a request was made to add an email to the recipient's account.

The attackers pose as an automatic email merger notification, stating that a request was made to merge the recipient’s email with a specified Gmail account. There is a warning that the request will automatically be processed within twenty-four hours. If the recipient does not want the account to be merged, they are instructed to click the provided link to decline the request.

The "Decline request" link leads to a fraudulent Google page where the user can either acknowledge or decline the request.

After the recipient makes their choice and clicks the Next button, they are redirected to an impersonated Outlook sign-in page—an interesting tactic given that this email was sent to Google users. The recipient is expected to enter their email credentials on a legitimate-looking sign-in page. If the recipient falls victim, the attackers would have access to the victim’s account and other sensitive information.

Why the Google Impersonation Attack was Effective

The email seems convincing because the link in the body of the email leads the recipient to a landing page that looks nearly identical to the Google account sign-in page. If the recipient does not recognize the suspicious URL, they are more likely to fall victim to this attack after seeing the familiar and trusted Google landing page.


Many existing security measures do not properly analyze attack language. Abnormal Security prevented this attack by recognizing a number of signals that when combined, flagged the email as malicious. These signals include the message body, which contains language commonly observed in phishing attacks, and the fact that the email comes from a sender that is not usually seen. Other indicators were the presence of a suspicious link, as well as a mismatch between the sender domain and the reply-to domain. Taken together, these signals indicate that the email is malicious and it is blocked before reaching user inboxes.

To see how Abnormal Security can stop suspicious emails from targeting your employees, request a demo today.

Google Mail Merge Notification Used in Phishing Attack

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Dropbox Open Enrollment Attack Blog
Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.
Read More
B AISOC
Discover how AI is transforming security operation centers by reducing noise, enhancing clarity, and empowering analysts with enriched data for faster threat detection and response.
Read More
B Microsoft Blog
Explore the latest cybersecurity insights from Microsoft’s 2024 Digital Defense Report. Discover next-gen security strategies, AI-driven defenses, and critical approaches to counter evolving threats and safeguard your organization.
Read More
B Osterman Blog
Explore five key insights from Osterman Research on how AI-driven tools are revolutionizing defensive cybersecurity by enhancing threat detection, boosting security team efficiency, and countering sophisticated cyberattacks.
Read More
B AI Native Vendors
Explore how AI-native security like Abnormal fights back against AI-powered cyberattacks, protecting your organization from human-targeted threats.
Read More
B 2024 ISC2 Cybersecurity Workforce Study Recap
Explore key findings from the 2024 ISC2 Cybersecurity Workforce Study and find out how SOC teams can adapt and thrive amidst modern challenges.
Read More