Researchers have discovered a series of major security flaws in Apple AirPlay. They’ve dubbed this family of vulnerabilities – and the potential exploits based on them – “AirBorne”. The bugs can be leveraged individually or in combinations to carry out wireless attacks on a wide range of AirPlay-enabled hardware.

We’re mainly talking about Apple devices here, but there are also a number of gadgets from other vendors that have this tech built in – from smart speakers to cars. Let’s dive into what makes these vulnerabilities dangerous, and how to protect your AirPlay-enabled devices from potential attacks.

What is Apple AirPlay?

First, a little background. AirPlay is an Apple-developed suite of protocols used for streaming audio and, increasingly, video between consumer devices. For example, you can use AirPlay to stream music from your smartphone to a smart speaker, or mirror your laptop screen on a TV.

All this happens wirelessly: streaming typically uses Wi-Fi, or, as a fallback, a wired local network. It’s worth noting that AirPlay can also operate without a centralized network – be it wired or wireless – by relying on Wi-Fi Direct, which establishes a direct connection between devices.

AirPlay logos for video streaming (left) and audio streaming (right). These should look familiar if you own any devices made by the Cupertino company. Source

Initially, only certain specialized devices could act as AirPlay receivers. These were AirPort Express routers, which could stream music from iTunes through the built-in audio output. Later, Apple TV set-top boxes, HomePod smart speakers, and similar devices from third-party manufacturers joined the party.

However, in 2021, Apple decided to take things a step further – integrating an AirPlay receiver into macOS. This gave users the ability to mirror their iPhone or iPad screens on their Macs. iOS and iPadOS were next to get AirPlay receiver functionality – this time to display the image from Apple Vision Pro mixed-reality headsets.

AirPlay lets you stream content either over your regular network (wired or wireless), or by setting up a Wi-Fi Direct connection between devices. Source

CarPlay, too, deserves a mention, being essentially a version of AirPlay that’s been adapted for use in motor vehicles. As you might guess, the vehicle’s infotainment system is what receives the stream in the case of CarPlay.

So, over two decades, AirPlay has gone from a niche iTunes feature to one of Apple’s core technologies that underpins a whole bunch of features in the ecosystem. And, most importantly, AirPlay is currently supported by hundreds of millions, if not billions, of devices, and many of them can act as receivers.

What’s AirBorne, and why are these vulnerabilities a big deal?

AirBorne is a whole family of security flaws in the AirPlay protocol and the associated developer toolkit – the AirPlay SDK. Researchers have found a total of 23 vulnerabilities, which, after review, resulted in 17 CVE entries being registered. Here’s the list, just to give you a sense of the scale of the problem:

1. CVE-2025-24126
2. CVE-2025-24129
3. CVE-2025-24131
4. CVE-2025-24132
5. CVE-2025-24137
6. CVE-2025-24177
7. CVE-2025-24179
8. CVE-2025-24206
9. CVE-2025-24251
10. CVE-2025-24252
11. CVE-2025-24270
12. CVE-2025-24271
13. CVE-2025-30422
14. CVE-2025-30445
15. CVE-2025-31197
16. CVE-2025-31202
17. CVE-2025-31203

You know how any serious vulnerability with a modicum of self-respect needs its own logo? Yeah, AirBorne’s got one too. Source

These vulnerabilities are quite diverse: from remote code execution (RCE) to authentication bypass. They can be exploited individually or chained together. So, by exploiting AirBorne, attackers can carry out the following types of attacks:

• RCE – even without user interaction (zero-click attacks)
• Man-in-the-middle (MitM) attacks
• Denial of service (DoS) attacks
• Sensitive information disclosure

Example of an attack that exploits the AirBorne vulnerabilities

The most dangerous of the AirBorne security flaws is the combination of CVE-2025-24252 with CVE-2025-24206. In concert, these two can be used to successfully attack macOS devices and enable RCE without any user interaction.

To pull off the attack, the adversary needs to be on the same network as the victim, which is realistic if, for example, the victim is connected to public Wi-Fi. In addition, the AirPlay receiver has to be enabled in macOS settings, with Allow AirPlay for set to either Anyone on the Same Network or Everyone.

The researchers carried out a zero-click attack on macOS, which resulted in swapping out the pre-installed Apple Music app with a malicious payload. In this case, it was an image with the AirBorne logo. Source

What’s most troubling is that this attack can spawn a network worm. In other words, the attackers can execute malicious code on an infected system, which will then automatically spread to other vulnerable Macs on any network patient zero connects to. So, someone connecting to free Wi-Fi could inadvertently bring the infection into their work or home network.

The researchers also looked into and were able to execute other attacks that leveraged AirBorne. These include another attack on macOS allowing RCE, which requires a single user action but works even if Allow AirPlay for is set to the more restrictive Current User option.

The researchers also managed to attack a smart speaker through AirPlay, achieving RCE without any user interaction and regardless of any settings. This attack could also turn into a network worm, where the malicious code spreads from one device to another on its own.

Hacking an AirPlay-enabled smart speaker by exploiting AirBorne vulnerabilities. Source

Finally, the researchers explored and tested out several attack scenarios on car infotainment units through CarPlay. Again, they were able to achieve arbitrary code execution without the car owner doing anything. This type of attack could be used to track someone’s movements or eavesdrop on conversations inside the car. Then again, you might remember that there are simpler ways to track and hack cars.

Hacking a CarPlay-enabled car infotainment system by exploiting AirBorne vulnerabilities. Source

Staying safe from AirBorne attacks

The most important thing you can do to protect yourself from AirBorne attacks is to update all your AirPlay-enabled devices. In particular, do this:

• Update iOS to version 18.4 or later.
• Update macOS to Sequoia 15.4, Sonoma 14.7.5, Ventura 13.7.5, or later.
• Update iPadOS to version 17.7.6 (for older iPads), 18.4, or later.
• Update tvOS to version 18.4 or later.
• Update visionOS to version 2.4 or later.

As an extra precaution, or if you can’t update for some reason, it’s also a good idea to do the following:

1. Disable the AirPlay receiver on your devices when you’re not using it. You can find the required setting by searching for “AirPlay”.

How to configure AirPlay in iOS to protect against attacks that exploit the AirBorne family of vulnerabilities

2. Restrict who can stream to your Apple devices in the AirPlay settings on each of them. To do this, set Allow AirPlay for to Current User. This won’t rule out AirBorne attacks completely, but it’ll make them harder to pull off.

How to configure AirPlay in macOS to protect against attacks that exploit the AirBorne family of vulnerabilities

Install a reliable security solution on all your devices. Despite the popular myth, Apple devices aren’t cyber-bulletproof and need protection too.

What other vulnerabilities can Apple users run into? These are just a few examples:

• SparkCat trojan stealer infiltrates App Store and Google Play, steals data from photos
• Banshee: A stealer targeting macOS users
• How to snoop on Apple Vision Pro user passwords
• Are Macs safe? Threats to macOS users
• A matter of triangulation

Kaspersky official blog – ​Read More

When Microsoft first announced its “photographic memory” Recall feature for Copilot+ PCs a year ago, cybersecurity experts were swift in sounding the alarm. Recall’s many flaws posed a serious threat to privacy, prompting Microsoft to postpone its release for further refinement. The updated Recall came to Windows Insider Preview builds in April 2025, and was rolled out widely in May on devices equipped with the necessary hardware. The essence remains the same: Recall memorizes all your actions by continuously taking screenshots and using OCR to analyze their content. However, with the latest update, the security of this data has been significantly enhanced. How much difference does this actually make? And is the convenience of Recall really worth the potential loss of control over your personal data?

What’s new in Recall’s second coming

Since the initial announcement, which we covered in detail, Microsoft has addressed several key criticisms raised by cybersecurity professionals.

First, Recall now only activates with user permission during the initial system setup. The interface doesn’t manipulate users into agreeing with visual tricks like highlighting the “Yes” button.

Second, Recall’s database files are now encrypted, with key storage and cryptographic operations handled by the hardware-based TPM (Trusted Platform Module), making their extraction significantly more difficult.

Third, a special filter attempts to prevent saving screenshots or text when the screen contains potentially sensitive information — a private browser window, a payment data input form, password manager cards, and so on. Note it only “attempts”: testers have already reported numerous instances where confidential data slipped through the filter and ended up in the OCR database.

Ars Technica highlights several other positive changes:

• Recall is enabled for each PC user individually, rather than everyone at once.
• Recall can be uninstalled completely.
• A Microsoft account isn’t required.
• No internet connection is needed — all data is processed locally.
• To initially launch Recall, BitLocker disk encryption and Windows Hello biometric authentication (face or fingerprint recognition) must be enabled.
• Windows Hello authentication is required every time the Recall search is used.

Why Recall still poses risks

Microsoft has indeed put some effort into responding to the criticism. However, the current version of Recall still has a number of issues.

First, biometric authentication is only required during the initial setup of Recall. For subsequent launches, the AI assistant will also ask to confirm your identity, but presenting your face or fingerprint is no longer necessary. A regular Windows PIN will suffice, and it’s relatively easy for someone to take a peek at, or guess, your PIN, no matter whether you’re at home or at work. One reviewer admits to asking his girlfriend to find a screenshot of a specific Signal chat on his computer — she guessed the password and found the screenshot in just five minutes.

Second, Recall can also be re-activated without biometrics. If the account owner tried Recall but then disabled it, anyone who knows the PIN can re-enable screenshot capture and smart search. All that’s left is to wait a little while, log back in, and browse the results.

Third, as mentioned, automatic filtering of sensitive data is unreliable. In theory, Recall doesn’t take screenshots in many high-risk scenarios: when a browser window is opened in private mode, when remote access to another desktop is active, when entering payment info or passwords, and also on additional inactive displays and desktops. In practice, these situations aren’t always recognized — for example, the filter fails to detect the private mode in not-so-common browsers (such as Vivaldi) and remote desktops, including those accessed with the hugely popular AnyDesk.

Finally — and this deserves a whole category of its own — Recall meticulously logs the computer owner’s interactions with other users, potentially violating both their privacy rights and the data retention policies of messaging and collaboration tools. For example, if the computer owner is in a Zoom or Teams call with automatic transcription enabled, Recall will save a full recording of the call with a transcript of who said what. If a self-destructing WhatsApp or Signal chat is open on screen, Recall will save it anyway, despite the chat’s privacy policies. Photos and videos intended for one-time viewing will also be stored if just one person in the conversation uses Recall.

All of this matters in two dangerous scenarios: (i) when someone who knows (or can guess) the PIN gains unauthorized physical access to the computer; and (ii) when an attacker exploiting Windows vulnerabilities gains remote access to it. Year after year, despite the tightening of security measures, hackers keep finding ways to elevate privileges on compromised machines and exfiltrate information — even encrypted data.

Impact on performance and battery life

Although Recall was originally designed for high-performance PCs equipped with a dedicated chip for AI computing (NPU) — only found in models released over the past 12 months — the capture and processing of screenshots can still sometimes interfere with the user experience in such powerful PCs. This is particularly noticeable when playing games, as Recall diligently takes screenshots and records in-game dialogue, consuming significant memory and computing resources, thus loading the NPU by up to 80%! Even when the device isn’t plugged in (but the battery is almost fully charged), Recall continues working, draining the battery much faster than usual.

Who should disable or remove Recall?

Microsoft is now offering users a fair choice: enable Recall, ignore it, or completely remove it from the computer. This is a much better approach than previous campaigns to push Edge, Cortana, or Windows Media Player. If you see a screen prompting enabling Recall, consider whether you fall into one of these categories:

• Anyone working with trade secrets, other people’s confidential data, or personal data in general (e.g., lawyers, doctors, and other professionals).
• Active users of video conferencing, remote tech-support services, or other tech involving the handling of others’ information.
• People engaged in particularly private correspondence — especially using secure messengers and disappearing chats/messages.
• Individuals living with jealous or nosy family members, or working in an office with overly curious colleagues.

For all these users, we recommend steering clear of Recall — or, better yet, removing it entirely.

How to disable or remove Recall

To disable Recall:

1. Open Settings in the Windows Start menu and select Privacy & security.
2. Within Privacy & security, find the Recall & snapshots subsection.
3. In this subsection, toggle off Save snapshots, and click Delete snapshots to erase any data already collected.

How to disable Microsoft Copilot+ Recall and delete any stored data. Source

To remove Recall completely:

1. In the Windows Start menu search bar, type Turn Windows features on or off.
2. In the retro-looking window that opens, locate the Recall entry.
3. Uncheck the box next to this item and click OK.

After this, Recall will be removed from your PC, and its settings will no longer appear under Privacy & security.

How to remove Microsoft Copilot+ Recall from your computer completely. Source

How to configure Recall if you decide to try it anyway

If you don’t fall into any of the categories above and really want to Recall something like “the photo where Jane’s cat is lying on the blue sofa”, we recommend taking a few precautions and adjusting your settings for better security:

• Disable less secure sign-in methods in Windows, such as pattern locks and PINs. Use only a strong password and biometric authentication.
• Manually add to Recall’s exclusion list all messengers you use for confidential correspondence, password managers, finance apps and websites, and any other apps or websites that may contain private information. For ethical reasons, it’s a good idea to exclude all video conferencing apps. For performance reasons, exclude all games.
• Set a screenshot retention period that suits your needs, keeping it to a minimum. Possible options range from 30 to 180 days.
• Periodically — ideally a few times a week — check Recall to see which apps and sites were recently captured. This will help you identify and manually delete or filter out any sources of sensitive information you may have missed earlier.

Regardless of your Recall settings or whether it’s installed at all, the two most common data leak scenarios are direct theft from your device by infostealer malware, and entering your credentials on a phishing site. To guard against these risks, be sure to use a comprehensive cybersecurity solution, such as Kaspersky Premium.

Under the pretense of user convenience — and sometimes without any pretense at all — various organizations collect information about you that you may not even be aware of. How? Read here:

• Turning purple: how visited links threaten your privacy
• How to track anyone via the Find My network
• How smartphones build a dossier on you
• Geolocation data brokers: What they do and what happens when they leak
• How to protect yourself from Bluetooth stalking and more

Kaspersky official blog – ​Read More

This year marks the 15^th anniversary of the first guide to implementing the zero trust security concept, which, according to a Gartner survey, almost two-thirds of surveyed organizations have adopted to some extent. Admittedly (in the same Gartner survey), for 58% of them this transition is far from complete, with zero trust covering less than half of infrastructure. Most organizations are still at the stage of piloting solutions and building the necessary infrastructure. To join the vanguard, you need to plan the transition to zero trust with eyes wide open to the obstacles that lie ahead, and to understand how to overcome them.

Zero trust best practices

Zero trust is a security architecture that views all connections, devices, and applications as untrusted and potentially compromised — even if they’re part of the organization’s internal infrastructure. Zero trust solutions deliver continuous adaptive protection by re-verifying every connection and transaction based on a potentially changed security context. This way, companies can mold their information security to the real-world conditions of hybrid cloud infrastructures and remote working.

In addition to the oldest and best-known guidelines, such as Forrester’s first report and Google’s BeyondCorp, the components of zero trust are detailed in NIST SP 800-207 (Zero Trust Architecture), while the separate NIST SP 1800-35B offers implementation recommendations. There are also guidelines that map specific infosec measures and tools to the zero trust methodology, such as CIS Controls v8. CISA offers a handy maturity model, though it’s primarily optimized for government agencies.

In practice, zero trust implementation rarely follows the rule book, and many CISOs end up having to mix and match recommendations from these guidance documents with the guidelines of their key IT suppliers (for example, Microsoft), prioritizing and selecting measures based on their specific situation.

What’s more, all these guides are less than forthcoming in describing the complexities of implementation.

Executive buy-in

Zero trust migration isn’t purely a technical project, and therefore requires substantial support on the administrative and executive levels. In addition to investing in software, hardware, and user training, it demands significant effort from various departments, including HR. Company leadership needs to understand why the changes are needed and what they’ll bring to the business.

To get across the value and importance of a project, the “incident cost” or “value at risk” needs to be clearly communicated on the one hand, as do the new business opportunities on the other. For example, zero trust protection can enable broader use of SaaS services, employee-owned devices, and cost-effective network organization solutions.

Alongside on-topic meetings, this idea should be reinforced through specialized cybersecurity training for executives. Not only does such training instill specific infosec skills, it also allows your company to run through crisis management and other scenarios in a cyberattack situation — often using specially designed business games.

Defining priorities

To understand where and what zero trust measures to apply in your infrastructure, you’ll need a detailed analysis of the network, applications, accounts, identities, and workloads. It’s also crucial to identify critical IT assets. Typically making up just a tiny part of the overall IT fleet, these “crown jewels” either contain sensitive and highly valuable information, or support critical business processes. Consolidating information about IT assets and their value will make it easier to decide which components are most in need of zero trust migration, and which infosec measures will facilitate it. This inventory will also unearth outdated segments of the infrastructure for which migration to zero trust would be impractical or technically infeasible.

You need to plan in advance for the interaction of diverse infrastructure elements, and the coexistence of different infosec measures to protect them. A typical problem goes as follows: a company has already implemented some zero trust components (for example, MFA and network segmentation), but these operate completely independently, and no processes and technologies are planned to enable these components to work together within a unified security scenario.

Phased implementation

Although planning for zero trust architecture is done holistically, its practical implementation should begin with small, specific steps. To win managerial support and to test processes and technologies in a controlled environment, start with measures and processes that are easier to implement and monitor. For example, introduce multi-factor authentication and conditional access just for office computers and the office Wi-Fi. Roll out tools starting with specific departments and their unique IT systems, testing both user scenarios and the performance of infosec tools, all while adjusting settings and policies accordingly.

Which zero trust architecture components are easier to implement, and what will help you achieve the first quick wins depends on your specific organization. But each of these quick wins should be scalable to new departments and infrastructure segments; and where zero trust has already been implemented, additional elements of the zero trust architecture can be piloted.

While a phased implementation may seem to increase the risk of getting stuck at the migration stage and never completing the transition, experience shows that a “big bang” approach — a simultaneous shift of the entire infrastructure and all processes to zero trust — fails in most cases. It creates too many points of failure in IT processes, snowballs the load on IT, alienates users, and makes it impossible to correct any planning and implementation errors in a timely and minimally disruptive manner.

Phased implementation isn’t limited to first steps and pilots. Many companies align the transition to zero trust with adopting new IT projects and opening new offices; they divide the migration of infrastructure into stages — essentially implementing zero trust in short sprints while constantly monitoring performance and process complexity.

Managing identities… and personnel

The cornerstone of zero trust is a mature Identity Access Management (IAM) system, which needs to be not only technically sound but also supported administratively at all times. Data on employees, their positions, roles, and resources available to them must be kept constantly up-to-date, requiring significant support from HR, IT, and the leadership of other key departments. It’s imperative to involve them in building formal processes around identity management, taking care to ensure that they feel personally responsible for these processes. It must be stressed that this isn’t a one-off job — the data needs to be checked and updated frequently to prevent situations such as access creep (when permissions issued to an employee for a one-time project are never revoked).

To improve information security and make zero trust implementation a truly team effort, sometimes it’s even necessary to change the organizational structure and areas of responsibility of employees — breaking down silos that confine people within narrow job descriptions. For example, one large construction company shifted from job titles such as “Network Engineer” and “Server Administrator” to the more generic “Process Engineer” to underscore the interconnectivity of the roles.

Training and feedback

Zero trust migration doesn’t pass unnoticed by employees. They have to adapt to new authentication procedures and MFA tools, learn how to request access to systems that don’t grant it by default be aware that they might occasionally need to re-authenticate to a system they logged in to just an hour ago, and that previously unseen tools like ZTNA, MDM, or EDR (often bundled in a single agent, but sometimes separate), may suddenly appear on their computers. All this requires training and practice.

For each phase of implementation, it’s worth forming a “focus group” of business users. These users will be the first to undergo training and can help refine training materials in terms of language and content, as well as provide feedback on how the new processes and tools are working. Communication with users should be a two-way street: it’s important to convey the value of the new approach, while actively listening to complaints and recommendations to adjust policies (both technical and administrative), address shortcomings, and improve the user experience.

Kaspersky official blog – ​Read More

Imagine receiving an email that says Google has received a subpoena to release the contents of your account. The email looks perfectly “Googley”, and the sender’s address appears legitimate too: no-reply@accounts.google.com. A little unnerving (or maybe panic-inducing?) to say the least, right?

And what luck — the email contains a link to a Google support page that has all the details about what’s happening. The domain name in the link looks legit, too, and seems to belong to Google…

Regular readers of our blog have probably already guessed that we’re talking here about a new phishing scheme. And they’d be right. This time, the scammers are exploiting several genuine Google services to fool their victims and make the emails look as convincing as possible. Here’s how it works…

How phishing email mimics an official Google notification

The screenshot below shows the email that kicks off the attack; and it does a really credible job of pretending to be an alert from Google’s security system. The message informs the user that the company has received a subpoena requesting access to the data in their Google account.

The “from” field contains a genuine Google address: no-reply@accounts.google.com. This is the exact same address Google’s security notifications come from. The email also contains a few details that reinforce the illusion of authenticity: a Google Account ID, a support ticket number, and a link to the case. And, most importantly, the email tells the recipient that if they want to learn more about the case materials or contest the subpoena, they can do so by clicking a link.

The link itself looks quite plausible, too. The address includes the official Google domain and the support ticket number mentioned above. And it takes a savvy user to spot the catch: Google support pages are located at support.google.com, but this link leads to sites.google.com instead. The scammers are, of course, counting on users who either don’t understand such technicalities or don’t notice the word substitution.

If the user isn’t logged in, clicking the link takes them to a genuine Google account login page. After authorizing, they land on a page at sites.google.com, which quite convincingly mimics the official Google support site.

This is what a fake Google Support page linked in the email looks like. Source

Now, it just so happens that the sites.google.com domain belongs to the legitimate Google Sites service. Launched back in 2008, it’s a fairly unsophisticated website builder — nothing out of the ordinary. The important nuance about Google Sites is that all websites created within the platform are automatically hosted on a google.com subdomain: sites.google.com.

Attackers can use such an address to both lull victims’ vigilance and circumvent various security systems, as both users and security solutions tend to trust the Google domain. It’s little wonder that scammers have increasingly been using Google Sites to create phishing pages.

Spotting fakes: the devil’s in the (email) details

We’ve already described the first sign of a dodgy email: the address of the fake support page located at sites.google.com. Look to the email header for more red flags:

Spot the fake: look at the “to” and “mailed-by” fields in the header. Source

The fields to pay attention to are “from“, “to“, and “mailed-by“. The “from” one seems fine: the sender is the official Google email, no-reply@accounts.google.com.

But lo and behold, the “to” field just below it reveals the actual recipient address, and this one sure looks phishy: me[@]googl-mail-smtp-out-198-142-125-38-prod[.]net. The address is trying hard to imitate some technical Google address, but the typo in the company domain name is a dead giveaway. Moreover, it has absolutely no business being there — this field is supposed to contain the recipient’s email.

As we keep examining the header, another suspicious address pops up in the “mailed-by” field. Now, this one is clearly nowhere near Google territory: fwd-04-1.fwd.privateemail[.]com. Yet again, nonsense like this has no place in an authentic email. For reference, here’s what these fields look like in a real Google security alert:

The “to” and “mailed-by” fields in a genuine Google security alert

Unsurprisingly, these subtle signs would likely be lost on the average user — especially when they’re already freaked out by the looming legal trouble. Adding to the confusion is the fact that the fake email is actually signed by Google: the “signed-by” field shows accounts.google.com. In the next part of this post, we explain how the criminals managed to achieve this, and then we’ll talk about how to avoid becoming a victim.

Reconstructing the attack step by step

To figure out exactly how the scammers managed to send such an email and what they were after, cybersecurity researchers reenacted the attack. Their investigation revealed that the attackers used Namecheap to register the (now-revoked) googl-mail-smtp-out-198-142-125-38-prod[.]net domain.

Next, they used the same service again to set up a free email account on this domain: me[@]googl-mail-smtp-out-198-142-125-38-prod[.]net. In addition, the criminals registered a free trial version of Google Workspace on the same domain. After that the scammers registered their own web application in the Google OAuth system, and granted it access to their Google Workspace account.

Google OAuth is a technology that allows third-party web applications to use Google account data to authenticate users with their permission. You’ve likely encountered Google OAuth as a way to authenticate for third-party services: it’s the system you use every time you click a “Sign in with Google” button. Besides that, applications can use Google OAuth to obtain permission to, for example, save files to your Google Drive.

But let’s get back to our scammers. After a Google OAuth application is registered, the service allows sending a notification to the email address associated with the verified domain. Interestingly enough, the administrator of the web application is free to manually enter any text as the “App name” — which seems to be what the criminals exploited.

In the screenshot below, researchers demonstrate this by registering an app with the name “Any Phishing Email Text Inject Here with phishing URLs…”.

Registering a web app with an arbitrary name in Google OAuth: the text of a scam email with a phishing link can be entered as a name. Source

Google then sends a security alert containing this phishing text from its official address. This email goes to the scammers’ email address on the domain registered through Namecheap. This service allows forwarding the received notification from Google to any addresses. All they need do is set a specific forwarding rule and specify the email addresses of potential victims.

Setting up a forwarding rule that allows sending the fake email to multiple recipients. Source

How to protect yourself from phishing attacks like this one

It’s not entirely clear what the attackers were hoping to achieve with this phishing campaign. Using Google OAuth to authenticate doesn’t mean the victim’s Google account credentials are shared with the scammers. The process generates a token that only provides limited access to the user’s account data — depending on the permissions the user authorized and the settings configured by the scammers.

The fake Google Support page the deceived user lands on suggested that the goal was to convince them to download some “legal documents” supposedly related to their case. The nature of these documents is unknown, but chances are they contained malicious code.

The researchers reported this phishing campaign to Google. The company acknowledged this as a potential risk for users and is currently working on a fix for the OAuth vulnerability. However, how long it will take to resolve the issue remains unknown.

In the meantime, here’s some advice to help you avoid becoming a victim of this and other intricate phishing schemes.

• Stay calm if you get an email like this. Begin by carefully examining all the email header fields and comparing them to legitimate emails from Google — you likely have some in your inbox. If you see any discrepancies, don’t hesitate to hit “Delete”.
• Be wary of websites on the google.com domain that are created with Google Sites. Lately, scammers have been increasingly exploiting it for a wide range of phishing schemes.
• As a general rule, avoid clicking links in emails.
• Use a robust security solution that will provide timely warnings about danger and block phishing links.

Follow the links below to read about five more examples of out-of-the-ordinary phishing.

• Turnkey phishing
• Progressive phishing: how PWAs can be used to steal passwords
• Browser-in-the-browser attack: a new phishing technique
• Malware lurking in “official” GitHub and GitLab links
• When two-factor authentication is useless

Kaspersky official blog – ​Read More