Avanan’s research on phishing actors abusing Google’s SMTP relay service was featured in Bleeping Computer. In the blog, Avanan describes hackers spoofing Gmail tenants who lack DMARC policy configured with ‘reject detection’ for those domains. The spoofed email bypasses SPF record and is successfully delivered to the victim’s inbox. As Bleeping Computer writes:


Checking the sender's address to spot a malicious spoofing attempt isn't enough against this type of attack, so checking the full headers when you're unsure would be an excellent place to start. Additionally, when links are embedded in the message body, hover over them to check the destination instead of clicking. Sometimes, merely visiting harmful sites is enough for malware to be dropped on your system. Finally, if the message contains any attachments, especially if these are of risky formats, do not download and do not open them.

 Read the rest here