The Law Firm Name Looked Right Until You Checked the Unicode: Google Drive Debt Collection Phishing

TL;DR A Google Drive sharing notification passed SPF, DKIM, and DMARC for google.com while displaying a law firm name constructed with Cyrillic homoglyphs in place of Latin characters. The display name impersonated Kirkland & Ellis, a well-known international law firm, using Cyrillic а, Е, е, and о in place of their Latin lookalikes, in a debt collection pretext. The reply-to address pointed to safeportalcheck[.]com, a domain registered the same day as the attack. The shared file linked to a Google Drive file ID. Google sent the email. Google authenticated the email. The attack lived entirely inside Google infrastructure.
Severity: High | Tags: Impersonation, Credential Harvesting | MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1036.005 (Masquerading: Match Legitimate Name or Location)

The email came from drive-shares-noreply@google[.]com. SPF passed for google.com. DKIM passed for google.com. DMARC passed for google.com. Every authentication check confirmed what was technically true: Google sent this email.

The display name read "Kirklаnd & Еllis Dеbt." At a glance, it looked like a notification from one of the world's largest law firms regarding a debt collection matter. The subject line reinforced the urgency: "Collection Correspondence Arrived. Pay Today!"

Four characters in that display name were not what they appeared to be.

The Homoglyphs Hiding in Plain Sight

The display name substituted Cyrillic characters for Latin ones. The "а" in "Kirklаnd" was Cyrillic (U+0430), not Latin (U+0061). The "Е" and "е" in "Еllis" and "Dеbt" were Cyrillic (U+0415 and U+0435). The "о" characters in the subject line were Cyrillic (U+043E). Every substitution was visually identical in Outlook, Gmail, Apple Mail, and mobile clients.

This is not a cosmetic trick. It is a functional evasion technique. Blocklists, display name spoofing detection rules, and string-matching filters all operate on code points, not visual appearance. A rule blocking "Kirkland" will never match "Kirklаnd" because the fourth character is a different Unicode code point. The name passes every text-based check while looking exactly right to every human reader.
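The code-point-versus-glyph problem above is easiest to see in a small detector. The following script is an added example, not IRONSCALES code: it rebuilds the display name from the code points reported in this post, shows that a plain substring rule for "Kirkland" misses it, then folds a constructed subset of the Unicode TR39 confusables table to a Latin skeleton and compares that skeleton against a constructed protected-name list. The confusables table, the protected-name list and the verdict labels are assumptions made for the example.

```python
import unicodedata

# Constructed confusables subset: Cyrillic code points that render identically
# to Latin letters in common fonts. Unicode TR39's confusables.txt is the full
# source; this table covers the four characters seen in this attack plus the
# other Cyrillic letters most often used the same way.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X",
}

# Constructed protected-name list; a deployment would load the brands and
# counterparties the organisation regularly corresponds with.
PROTECTED_NAMES = ["Kirkland & Ellis"]

# The display name from the post, rebuilt with the reported code points.
SAMPLE_DISPLAY_NAME = "Kirkl\u0430nd & \u0415llis D\u0435bt"


def script_of(ch):
    """Script family taken from the character's Unicode name: 'LATIN', 'CYRILLIC', ...
    Returns None for non-letters so punctuation and spaces never count as a script."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def naive_blocklist_hit(display_name, blocked=("Kirkland",)):
    """The plain substring rule the post describes: it compares code points, not glyphs."""
    return any(term in display_name for term in blocked)


def analyze_display_name(display_name):
    """Fold confusables to their Latin skeleton, then compare against protected names."""
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in display_name)
    scripts = {script_of(ch) for ch in display_name} - {None}
    substitutions = [f"U+{ord(ch):04X}" for ch in display_name if ch in CONFUSABLES]
    matched = [n for n in PROTECTED_NAMES if n.lower() in skeleton.lower()]
    if substitutions and matched:
        verdict = "HOMOGLYPH_IMPERSONATION"   # lookalike of a protected name
    elif len(scripts) > 1:
        verdict = "MIXED_SCRIPT"              # worth a look, but bilingual names exist
    else:
        verdict = "CLEAN"
    return {
        "skeleton": skeleton,
        "scripts": sorted(scripts),
        "substitutions": substitutions,
        "matched_names": matched,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print("naive rule hits:", naive_blocklist_hit(SAMPLE_DISPLAY_NAME))
    for key, value in analyze_display_name(SAMPLE_DISPLAY_NAME).items():
        print(f"{key:>14}: {value}")
```

The two-tier verdict matters in practice: a mixed-script name on its own is common in legitimate mail (transliterated or bilingual senders), so the strong signal is a confusable-folded skeleton that lands on a protected name, which is exactly the condition a glyph-blind substring rule cannot express.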

Google Infrastructure as the Delivery Vehicle

The attacker created a Google account, set the display name to the homoglyph-laden law firm name, and shared a Google Drive file with the target. Google generated the sharing notification automatically. The email was composed, signed, and delivered by Google infrastructure. The attacker never touched a mail server.

The shared file linked to Google Drive file ID 1Pivb7Vi7SovDqOfj9DMk7Ft3ciGvK5NX. The reply-to address pointed to testsecafti1997@allclear[.]safeportalcheck[.]com, a domain registered on December 1, 2025, the same day as the attack. Same-day domain registration with privacy-protected WHOIS is a strong indicator of throwaway infrastructure. The reply-to was the only element in the entire email that the attacker controlled directly. Everything else was Google.
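Because every authentication header here vouches for Google rather than for the sharer, the triage has to key on the one field the attacker controls: the Reply-To. The script below is an added example, not IRONSCALES code. It parses a constructed raw message modelled on this notification (sender, Reply-To, subject, Drive file ID and registration date are the values reported above; the other headers and the Drive URL layout are assumed), reads the domain DMARC actually passed for, compares it with the registrable Reply-To domain, checks domain age against a constructed stand-in for a WHOIS/RDAP lookup, and flags a non-Latin display name. The registrable-domain helper, the seven-day threshold and the verdict labels are assumptions made for the example.

```python
import re
import unicodedata
import email
from email.utils import parseaddr, parsedate_to_datetime
from datetime import date

# Constructed raw message modelled on the notification described in the post.
RAW_MESSAGE = """\
From: "Kirkl\u0430nd & \u0415llis D\u0435bt (via Google Drive)" <drive-shares-noreply@google.com>
Reply-To: testsecafti1997@allclear.safeportalcheck.com
To: recipient@example.com
Date: Mon, 01 Dec 2025 14:03:00 +0000
Subject: Collection Correspondence Arrived. Pay Today!
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset="utf-8"

A file has been shared with you.
https://drive.google.com/file/d/1Pivb7Vi7SovDqOfj9DMk7Ft3ciGvK5NX/view
"""

# Stand-in for a WHOIS/RDAP creation-date lookup (constructed; date from the post).
DOMAIN_CREATED = {"safeportalcheck.com": date(2025, 12, 1)}
NEW_DOMAIN_DAYS = 7   # anything registered this recently is treated as throwaway
# Machine-generated notification senders: a Reply-To that leaves the platform's
# own domain is the one field the sharer controls.
TRUSTED_NOTIFIERS = {"drive-shares-noreply@google.com"}


def registrable_domain(addr_or_host):
    """Crude eTLD+1 (last two labels); production code should use the Public Suffix List."""
    host = addr_or_host.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])


def has_non_latin_letters(text):
    """True when any letter is outside the Latin script (Cyrillic, Greek, ...)."""
    return any(ch.isalpha() and not unicodedata.name(ch, "").startswith("LATIN")
               for ch in text)


def triage(raw):
    msg = email.message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # The domain DMARC vouched for is the sending platform, not the sharer.
    m = re.search(r"dmarc=pass\s+header\.from=([\w.-]+)",
                  msg.get("Authentication-Results", ""))
    authenticated_domain = m.group(1).lower() if m else None

    reply_domain = registrable_domain(reply_to) if reply_to else None
    msg_date = parsedate_to_datetime(msg["Date"]).date()
    created = DOMAIN_CREATED.get(reply_domain)
    age_days = (msg_date - created).days if created else None

    # Pull the Drive file ID out of the body so it can be recorded as an IoC.
    fid = re.search(r"drive\.google\.com/file/d/([A-Za-z0-9_-]+)", msg.get_payload())

    signals = []
    if sender in TRUSTED_NOTIFIERS and reply_domain and reply_domain != registrable_domain(sender):
        signals.append("reply_to_outside_platform")
    if age_days is not None and age_days <= NEW_DOMAIN_DAYS:
        signals.append("reply_to_domain_newly_registered")
    if has_non_latin_letters(display_name):
        signals.append("display_name_mixed_script")

    if "reply_to_outside_platform" in signals and len(signals) >= 2:
        verdict = "QUARANTINE"
    elif signals:
        verdict = "REVIEW"
    else:
        verdict = "DELIVER"

    return {
        "authenticated_domain": authenticated_domain,
        "reply_to_domain": reply_domain,
        "domain_age_days": age_days,
        "drive_file_id": fid.group(1) if fid else None,
        "signals": signals,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key:>21}: {value}")
```

The point of the combination is that none of the three signals is decisive alone: Google-generated shares legitimately carry a sharer's Reply-To, new domains are registered every day, and non-Latin display names are normal. A foreign Reply-To on a trusted notifier plus either a same-week domain or a mixed-script name is the pattern this campaign leaves behind, and it is visible without any reputation data on the Drive file itself.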

Debt Collection as the Social Engineering Lever

The pretext was impersonation of a well-known law firm threatening debt collection action. This pretext is deliberately chosen for its psychological impact. Recipients who believe a major law firm is contacting them about an outstanding debt are likely to act quickly and without verification. The urgency language ("Pay Today!") compressed the decision window further.

The attack required no phishing page, no malicious attachment, and no compromised infrastructure beyond a free Google account. The file shared through Google Drive could contain anything: a credential harvesting form, a redirect link, or further social engineering instructions. The delivery mechanism made it indistinguishable from a legitimate Google Drive share at every technical layer.


Indicators of Compromise

Type | Indicator | Context
--- | --- | ---
Sending Address | drive-shares-noreply@google[.]com | Legitimate Google Drive sharing address
Display Name | Cyrillic homoglyphs: а (U+0430), Е (U+0415), е (U+0435), о (U+043E) | Substituted into law firm name
Reply-To | testsecafti1997@allclear[.]safeportalcheck[.]com | Domain registered 2025-12-01 (same day as attack)
Reply-To Domain | safeportalcheck[.]com | Same-day registration, privacy-protected WHOIS
Drive File | File ID 1Pivb7Vi7SovDqOfj9DMk7Ft3ciGvK5NX | Shared file (potential credential harvesting)
Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Full authentication for google.com

MITRE ATT&CK Mapping

Technique | ID | Relevance
--- | --- | ---
Phishing: Spearphishing Link | T1566.002 | Google Drive sharing link as phishing delivery
Masquerading: Match Legitimate Name or Location | T1036.005 | Cyrillic homoglyphs impersonating law firm display name

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.

