Google has fixed the bug affecting Gmail and G Suite that was discovered by the security researcher Allison Husain. The bug allowed attackers to send spoofed emails to other Google users and enterprise customers. Husain stated, “Both Gmail’s and any G Suite customer’s strict DMARC/SPF policy may be subverted by using G Suite’s mail routing rules to relay and grant authenticity to fraudulent messages.” The cause of the issue was “missing verification when configuring mail routes,” according to Husain.
“This is advantageous for an attacker if the victim they intend to impersonate also uses Gmail or G Suite because it means the message sent by Google’s backend will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to allow Google’s backend to send mail from their domain,” Husain explained. “Additionally, since the message is originating from Google’s backend, it is also likely that the message will have a lower spam score and so should be filtered less often.”
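The reasoning in the quote above, that a message relayed through Google's backend passes SPF and therefore DMARC because the impersonated domain's SPF record already authorizes that backend, can be traced through a simplified DMARC evaluation. This is an added example, not code from the article or from Google; the domains, the provider netblock and the SPF policies are constructed placeholders, and the `provider_only_auth` flag is a hypothetical receiver-side check, not a Google feature.

```python
from ipaddress import ip_address, ip_network

# Constructed data, not real DNS records: a shared mail provider's sending
# range (placeholder for the provider's backend netblocks) and tenant domains
# whose SPF policies include that provider, as a hosted customer's record would.
PROVIDER_NETS = [ip_network("203.0.113.0/24")]
SPF_POLICY = {
    "victim.example": {"include_provider": True},
    "selfhosted.example": {"include_provider": False},
}

def org_domain(domain):
    """Organizational domain for DMARC relaxed alignment (two-label approximation)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_check(connecting_ip, mail_from_domain):
    """Simplified SPF: 'pass' when the connecting IP lies in a range the MAIL FROM
    domain authorizes; here the only authorized ranges are the shared provider's."""
    policy = SPF_POLICY.get(mail_from_domain)
    if policy is None:
        return "none"
    ip = ip_address(connecting_ip)
    if policy["include_provider"] and any(ip in net for net in PROVIDER_NETS):
        return "pass"
    return "fail"

def dmarc_evaluate(header_from, mail_from_domain, connecting_ip,
                   dkim_domain=None, dkim_pass=False):
    """Return SPF/DMARC results plus a hypothetical 'provider_only_auth' flag that
    a receiver could use to treat SPF-only passes from shared infrastructure as weaker."""
    spf = spf_check(connecting_ip, mail_from_domain)
    spf_aligned = spf == "pass" and org_domain(mail_from_domain) == org_domain(header_from)
    dkim_aligned = bool(dkim_pass and dkim_domain
                        and org_domain(dkim_domain) == org_domain(header_from))
    via_provider = any(ip_address(connecting_ip) in net for net in PROVIDER_NETS)
    return {
        "spf": spf,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        # SPF pass obtained only through a multi-tenant provider, with no aligned DKIM
        # signature: the pass proves the provider sent it, not that the tenant did.
        "provider_only_auth": spf_aligned and via_provider and not dkim_aligned,
    }

if __name__ == "__main__":
    # Relayed through the provider's backend with the impersonated domain in both
    # MAIL FROM and From: SPF and DMARC pass, but only on the provider's authority.
    print(dmarc_evaluate("victim.example", "victim.example", "203.0.113.10"))
    # The same message from an address outside the provider's range fails both.
    print(dmarc_evaluate("victim.example", "victim.example", "198.51.100.7"))
```

A receiver that wants to distinguish the two cases cannot rely on SPF alone when the sender's domain delegates to shared infrastructure; requiring an aligned DKIM signature from the tenant's own selector is the signal that survives this kind of relay.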