The Confidential Mode Message That Had Zero Indicators of Compromise

The notification arrived on a Thursday afternoon. A senior sales engineer at a mid-size cybersecurity SaaS company received what appeared to be a Google Confidential Mode message from a colleague. The display name belonged to a director on the same team. The subject line was casual: "Hi how are you?" The email carried Google branding, a blue "View the email" button, and a standard Gmail footer with privacy policy links.

SPF passed. DKIM passed. DMARC passed. ARC passed. The sending IP belonged to Google. The DKIM signature was valid against gmail.com. Microsoft's composite authentication returned compauth=pass reason=100. The email was, by every technical measure that email gateways evaluate, a legitimate message from Google infrastructure.

It was not from the person it claimed to be.

The Impersonation Nobody Could See in the Headers

The attacker's setup required almost nothing. A free Gmail account. A display name copied character for character from a real employee's profile. And one of Gmail's own features: Confidential Mode.

Google Confidential Mode wraps the actual message behind an access-controlled link. The recipient sees only a notification stating that someone "has sent you an email via Gmail confidential mode," along with a link that works exclusively for their address. The feature was designed for message expiration and forwarding restrictions. In this case, it gave the attacker a layer of obscurity, preventing both the recipient and any scanning infrastructure from evaluating the true message content at delivery time.

From the recipient's perspective, the email was indistinguishable from a real Confidential Mode message sent by their colleague. The display name matched. The Google branding was genuine. The "View the email" link pointed to confidential-mail.google[.]com. The footer linked to myaccount.google[.]com, policies.google[.]com, and support.google[.]com. There was nothing to flag.

How Free Gmail Becomes an Attack Platform

This attack maps to T1566.003 (Phishing: Spearphishing via Service). The attacker did not configure a mail server, register a domain, or set up authentication records. Google handled every layer of infrastructure. The email routed through mail-oa1-x33.google.com, a legitimate Google mail server, into the recipient organization's Microsoft 365 protection stack. The authentication chain was flawless because the chain was real.

The Microsoft Digital Defense Report 2024 documented this trend explicitly: attackers increasingly leverage trusted cloud platforms to bypass domain reputation, URL scanning, and authentication-based filtering. When the sending infrastructure is Google itself, every technical trust signal confirms legitimacy.

The impersonation component maps to T1036.005 (Masquerading: Match Legitimate Name or Location). Unlike homoglyph attacks that substitute Cyrillic characters for Latin ones, this display name was an exact copy. No Unicode tricks, no character substitution. The attacker simply typed the same name into Gmail's account settings. Any sender-name filter relying on string matching would see a perfect match to the known employee, but the underlying email address was an unrelated Gmail account.

The Verizon 2024 DBIR found that 68% of breaches involved a human element. This attack is built entirely on that statistic. There is no malicious payload to analyze, no suspicious domain to blocklist, no credential harvesting page to screenshot. The entire attack surface is the gap between a display name and the email address behind it.

The Zero-IOC Problem

Traditional threat intelligence depends on indicators of compromise: malicious domains, suspicious IPs, known-bad sender addresses, phishing kit fingerprints. This attack had none.

Every URL resolved to a Google-owned domain. The sending IP was Google infrastructure. The return path was a Gmail address. Link scanners flagged every embedded URL as "Clean" because the links genuinely pointed to Google services.

This is the scenario that breaks signature-based and reputation-based detection. The FBI IC3 2024 Annual Report reported $2.77 billion in business email compromise losses, and display name impersonation is one of the simplest BEC entry points. It requires no technical skill, no purchased infrastructure, and no exploit. It requires only knowledge of who works at the target organization and what their name looks like in an inbox.

See Your Risk: Calculate how many threats your SEG is missing

What Caught It

The email was flagged and quarantined within seconds of delivery. Not because of anything in the headers, the links, or the authentication results. Because of behavioral signals that exist outside the email itself.

IRONSCALES adaptive AI evaluated the display name against the organization's known sender relationships. The system recognized the display name as belonging to an internal employee but identified that the underlying email address had never communicated with the organization before. That single mismatch, a known display name from an unknown sender address, triggered escalation.

Community intelligence added a second signal. Resolution data from similar incidents across the IRONSCALES network indicated that Gmail accounts using internal employee display names with Confidential Mode are a recognized social engineering pattern. The community signal reinforced the AI classification with cross-organizational evidence.

The combination produced a 72% confidence phishing classification. One affected mailbox was quarantined automatically. The email never reached a point where the recipient would have been prompted to click "View the email" and engage with whatever content the attacker had placed behind the Confidential Mode wall.

Without behavioral detection, this email sits in the inbox indefinitely. It passes every gateway check, every link scanner, every authentication protocol. The only signal that separates it from a real Confidential Mode message from a colleague is the relationship between the display name and the sending address.

What This Attack Teaches About Detection Gaps

This case strips the problem down to its core: authentication verifies infrastructure, not intent. When the infrastructure is Google, authentication will always pass. When the payload is hidden behind Confidential Mode, content analysis is not possible at delivery time. When every link points to Google, URL scanning is irrelevant.

Security teams dealing with Google Confidential Mode should implement these controls:

1. Flag display-name-to-address mismatches on first-time external Gmail senders. Any inbound email where the display name matches a known internal employee but the sending address is an unfamiliar Gmail account should trigger immediate review. Sender relationship history is the detection surface here. CISA's phishing guidance emphasizes sender verification as a foundational control.

1. Treat Confidential Mode as an inspection gap, not a trust signal. The feature blocks security tools from evaluating the actual message content at delivery. The Gartner Market Guide for Email Security notes that advanced email security platforms must evaluate behavioral and relational signals when content analysis is blocked.

1. Train employees that authentication proves platform, not identity. SPF, DKIM, and DMARC verify that Google sent the email. They say nothing about who typed the display name. Security awareness training should explicitly cover the difference between authenticated infrastructure and verified sender identity.

The attacker spent nothing. Registered no domain. Deployed no malware. Built no phishing page. They typed a name into a Gmail account, toggled Confidential Mode, and let Google do the rest. The entire attack was a social engineering bet that the recipient would trust the display name over the email address.

That bet fails when detection operates on behavior instead of signatures. It succeeds everywhere else.