>
>
> > What do you know about "Gmail confidential mode" emails? I'm starting to
> > see a few of these come in to users now, and not sure how to treat them.
> > They are sent through gmail, but require a one-time passcode sent to the
> > recipient,
>
> Did you actually look at them? What do they look like? What does the
> recipient have to do to actually get the mail? Does this only work
> gmail to gmail?
>
Some of those questions I was hoping others could help me to answer. This
is a legitimate email service provided by gmail. It was routed through
google's servers only. It passed DKIM and SPF, but not DMARC. I don't think
it's only gmail-to-gmail, as the recipient is not a gmail account.
You can experiment with this by composing a new message in Gmail, then
clicking the "toggle confidential mode" lock/timer icon in the same tray as
where fonts and attachments are controlled.
The email includes a link to "view the email" where the user is then
directed to
https://confidential-mail.google.com/ with a prompt to get a
one-time passcode to the same email address that apparently authorizes the
recipient to reveal the contents of the "secure" email. I didn't "send
passcode" on that URL because it would then send it to the real recipient
as well. It requires the passcode only if it's necessary to authenticate as
the recipient - if you're not already logged in as that recipient, for
example.
It's definitely suspect, as the subject is just "Fwd: Information" and
there are no details in the body as to its contents. The email is base64
encoded.
> > so any potential threat is not transferred through the same
> > email (or any email at all).
>
> huh? I don't follow this at all.
>
Once you've authenticated yourself, the email is displayed there, at the
confidential-mail.google.com URL directly, not through some follow-up email.
> > otherwise have no other spam indicators.
>
> When you looked at the raw bytes in the mailspool, what was in it? What
> does the SA debug output look like? It doesn't make sense that you wouldn't
> have done these things before posting, but you didn't explain.
>
Yes, the initial email is relatively benign - it is a legitimate gmail
email sent through their servers and signed by them.
The spample I'm looking at now was quarantined only because their domain
(pcfixpos.com) is apparently blocklisted. It also hit BAYES_99.
* 1.0 DKIMWL_BULKMAILER_LOW ASKDNS: DKIMwl.org - Low scoring bulkmailer
* [pcfixpos-com.20210112.gappssmtp.com.lookup.dkimwl.org A:127.0.2.1]
* 1.5 DKIMWL_BL ASKDNS: DKIMwl.org - Low trust sender
* [pcfixpos-com.20210112.gappssmtp.com.lookup.dkimwl.org A:127.0.2.1]
Given that, I suspect this one is spam, but this is an interesting way to
distribute malicious links.
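As an added example (not from anyone in this thread), here is a small set of local SpamAssassin rules that surfaces messages matching the pattern described above, so they can be scored and reviewed rather than silently passed. The rule names and scores are my own choices; BAYES_99 is the stock rule already hit by the sample.

```spamassassin
# Added example, not from the thread: local.cf rules to flag Gmail
# confidential-mode messages that also carry the other signals noted above.
# Rule names and scores are assumptions; tune scores to your own FP tolerance.

# Body links to Google's confidential-mode viewer
uri       LOCAL_GMAIL_CONFIDENTIAL  /^https?:\/\/confidential-mail\.google\.com\//i
describe  LOCAL_GMAIL_CONFIDENTIAL  Link to Gmail confidential-mode viewer
score     LOCAL_GMAIL_CONFIDENTIAL  0.1

# Forwarded message with a one-word, content-free subject ("Fwd: Information")
header    LOCAL_FWD_VAGUE_SUBJECT   Subject =~ /^(?:Fwd?|FW):\s*\w+\s*$/i
describe  LOCAL_FWD_VAGUE_SUBJECT   Forwarded message with a vague one-word subject
score     LOCAL_FWD_VAGUE_SUBJECT   0.1

# Low-score informational rule on its own; only the combination adds real weight
meta      LOCAL_CONFIDENTIAL_SUSPECT (LOCAL_GMAIL_CONFIDENTIAL && LOCAL_FWD_VAGUE_SUBJECT && BAYES_99)
describe  LOCAL_CONFIDENTIAL_SUSPECT Confidential-mode link, vague subject, Bayes high
score     LOCAL_CONFIDENTIAL_SUSPECT 2.0
```

Run `spamassassin --lint` after adding these, and check hits on a saved spample with `spamassassin -t < message.eml` before trusting the meta score.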