SPF Pass. DKIM Pass. DMARC Pass. The Reply-To Was One Day Old.
A mid-size organization received what looked like a routine Google Drive sharing notification from Alston & Bird LLP, one of the largest law firms in the United States. The subject line read: "Our Counsel Notifies -> Arrears Identified." The email carried a PDF icon, a blue "Open" button, and the standard Google Workspace footer.
Every authentication check passed. SPF confirmed the sender IP belonged to Google. DKIM verified the signature against google.com. DMARC returned a clean pass with compauth=pass reason=100. By every technical trust signal that email gateways evaluate, this message was legitimate.
It was not.
The Reply-To header pointed to nannestplicag2001@login.cloudsecurityaccess[.]com, a domain registered on March 26, 2026. The email arrived March 27. That is a one-day-old domain sitting behind the response path of a message that passed the entire Google authentication stack.
How Google Became the Attacker's Mail Server
The attacker created a Google account, uploaded a file to Google Drive, and shared it with 24 recipients across unrelated organizations. Google's own notification system did the rest.
When Google Drive generates a sharing notification, the email originates from drive-shares-noreply@google.com and routes through Google's mail infrastructure (mail-qt1-x850.google.com). The envelope sender is doclist.bounces.google.com. All of this is real Google infrastructure, authenticated and signed.
This is T1566.002 (Phishing: Spearphishing Link) executed through a trusted intermediary. The attacker never needed to configure a mail server, purchase a sending domain, or set up authentication records. Google handled delivery, signing, and authentication on their behalf.
The attack also maps to T1036.005 (Masquerading: Match Legitimate Name or Location). The display name used homoglyph substitution to impersonate Alston & Bird LLP, a real Am Law 100 firm with over 800 attorneys. Standard Latin characters were swapped with Cyrillic and Unicode small-caps equivalents that render identically in most email clients. The "о" in "Alstоn" is Cyrillic. The "ʟʟᴘ" uses Unicode small capital letters. To any human reading the display name, it looks correct. To exact-match filters, it is a completely different string.
The Infrastructure Behind the Reply-To
The Reply-To domain, cloudsecurityaccess[.]com, tells the real story.
WHOIS records show registration through Hosting Concepts B.V. (via Dynadot LLC) on March 26, 2026, at 20:42:27 UTC. The email arrived the next day at 18:36:49 UTC. That is less than 22 hours between domain creation and phishing delivery.
The domain sits behind Cloudflare nameservers (clyde.ns.cloudflare.com, lina.ns.cloudflare.com) with DNSSEC unsigned. The subdomain login.cloudsecurityaccess[.]com had no A record, no published DMARC policy, and no DKIM selectors at the time of analysis. The only DNS record present was a site-verification TXT entry.
This is infrastructure built for a single purpose: catching replies. The Verizon 2024 DBIR found that 68% of breaches involved a human element. This attack counts on exactly that. A recipient sees a legal notice from what appears to be a major law firm, panics about "arrears identified," and replies directly, initiating a conversation with the attacker on a domain that has zero legitimate email history.
The domain name itself is a social engineering play. "Cloud Security Access" sounds like a legitimate security vendor, which provides cover if anyone bothers to inspect the Reply-To address manually.
The Spray Pattern
This was not a targeted spear-phish. The email was CC'd to 23 additional recipients across personal Gmail accounts, a university (.edu), small businesses, and unrelated corporate domains. The CC list included addresses at gmail.com, hotmail.com, smu.edu, and several small business domains.
CC-based distribution (rather than BCC) is itself a social engineering tactic mapped to T1534 (Internal Spearphishing). Seeing other recipients on the thread creates perceived legitimacy. If a law firm is notifying multiple parties about arrears, it looks like a real multi-party legal matter.
According to the FBI IC3 2024 Annual Report, business email compromise accounted for $2.77 billion in reported losses. Law firm impersonation is a well-documented BEC vector because legal communications carry inherent urgency and authority.
What the Scanners Missed (and What Caught It)
Every automated link scanner returned a "Clean" verdict on the Google Drive URLs. That is technically correct. The links point to drive.google.com, which is a legitimate Google domain hosting legitimate infrastructure. Link scanners that evaluate URL reputation, SSL certificates, and domain age will see nothing wrong.
The Microsoft Digital Defense Report 2024 documented that attackers increasingly abuse trusted cloud services specifically to bypass URL reputation checks. When the hosting platform is Google, Microsoft, or Amazon, reputation-based detection is blind by design.
IRONSCALES adaptive AI flagged this email based on multiple behavioral signals that authentication and link scanning cannot evaluate: the Reply-To header mismatch between google.com and a newly registered domain, the homoglyph characters in the display name, and the spray-pattern CC distribution to unrelated recipients. Three affected mailboxes were quarantined within seconds of delivery, before any recipient could respond to the attacker's reply-to address.
The gap between what authentication proves and what it does not is where this entire attack lives. SPF, DKIM, and DMARC confirm that Google sent the email. They say nothing about who triggered the notification, why they triggered it, or where a reply will actually land.
Checking Reply-To Before Checking Authentication
Security teams reviewing Google Drive notifications should treat the Reply-To header as the primary indicator, not From or authentication results. Specifically:
- Query domain age on every Reply-To address that does not match the From domain. Any domain registered within 30 days of delivery is a red flag that warrants immediate quarantine.
- Flag homoglyph display names. Unicode normalization checks can catch Cyrillic and small-caps substitutions that bypass exact-match rules. CISA's phishing guidance recommends scrutinizing sender display names as a first-line defense.
- Treat CC-heavy legal or financial notifications as suspicious. Legitimate law firms use BCC or individual notifications for client communications. A CC list spanning personal and corporate addresses is not how real legal notices are distributed.
- Do not rely on link scanner verdicts for cloud-hosted content. Google Drive, OneDrive, and Dropbox links will return clean verdicts because the hosting platforms are legitimate. The threat lives in the file content and the reply path, not the URL.
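The checks in this list, plus the display-name homoglyph point made earlier, as an added example (not IRONSCALES code): it parses a constructed message modelled on this lure, compares the Reply-To registrable domain with the From domain, checks the domain age against a stand-in WHOIS table (a dictionary here; real code would query RDAP/WHOIS), flags non-ASCII letters in the display name, and counts distinct CC domains.

```python
import unicodedata
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample modelled on the lure described above; not the real message.
RAW = (
    'From: "Alst\u043en & Bird \u029f\u029f\u1d18" <drive-shares-noreply@google.com>\n'
    "Reply-To: nannestplicag2001@login.cloudsecurityaccess.com\n"
    "To: finance@example.com\n"
    "Cc: a@gmail.com, b@hotmail.com, c@smu.edu, d@smallbiz.example\n"
    "Date: Fri, 27 Mar 2026 18:36:49 +0000\n"
    "Subject: Our Counsel Notifies -> Arrears Identified\n\n"
)

# Hypothetical stand-in for a WHOIS/RDAP lookup (creation timestamp from the article).
WHOIS_CREATED = {
    "cloudsecurityaccess.com": datetime(2026, 3, 26, 20, 42, 27, tzinfo=timezone.utc),
}

def registrable_domain(addr):
    """Last two DNS labels of an address's domain (a public-suffix list is better)."""
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def non_ascii_letters(display_name):
    """Letters outside ASCII with their Unicode names: catches both the Cyrillic
    'о' and the small-capital 'ʟʟᴘ', which exact-match rules treat as ordinary text."""
    return [(c, unicodedata.name(c, "?")) for c in display_name
            if c.isalpha() and ord(c) > 127]

def assess(raw, whois=WHOIS_CREATED, max_age_days=30, min_cc_domains=3):
    """Return the list of behavioural flags raised for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(str(msg["From"] or ""))
    reply_addr = parseaddr(str(msg["Reply-To"] or ""))[1]
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else datetime.now(timezone.utc)
    flags = []
    if reply_addr and registrable_domain(reply_addr) != registrable_domain(from_addr):
        flags.append("reply-to-mismatch")
        created = whois.get(registrable_domain(reply_addr))
        if created is not None and (sent - created).days < max_age_days:
            flags.append("reply-to-domain-newer-than-30d")
    if non_ascii_letters(name):
        flags.append("homoglyph-display-name")
    cc_domains = {registrable_domain(a) for _, a in getaddresses(msg.get_all("Cc") or [])}
    if len(cc_domains) >= min_cc_domains:
        flags.append("spray-cc")
    return flags
```

Treat the 30-day and three-domain thresholds as starting points to tune against your own mail flow; the domain-age check is only as good as the WHOIS source behind it.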
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | cloudsecurityaccess[.]com | Reply-To domain, registered 2026-03-26, one day before delivery |
| Domain | login.cloudsecurityaccess[.]com | Reply-To subdomain, no A record, no DMARC/DKIM |
| Email | nannestplicag2001@login.cloudsecurityaccess[.]com | Reply-To address used in phishing email |
| URL | hxxps://drive.google[.]com/file/d/1vJXNRbsMs_CpPUW_KP6jeESF_qzeYmrt/view | Google Drive file shared in lure |
| Registrar | Hosting Concepts B.V. (Dynadot LLC) | Domain registered through privacy-proxied registrar |
| Nameservers | clyde.ns.cloudflare[.]com, lina.ns.cloudflare[.]com | Cloudflare DNS, DNSSEC unsigned |
| Display Name | Homoglyph impersonation of "Alston & Bird LLP" | Cyrillic "о", Unicode small-caps "ʟʟᴘ" |