
New Gmail Threats Targeting Users in 2025: How to Stay Safe

Peter Nelson · 5 min read

Cybercriminals are deploying sophisticated new attacks against Gmail users. Learn about the latest threats for 2025 and the steps you must take to secure your inbox.

Gmail is the most widely used email platform in the world, which makes it the most targeted by attackers. While Google’s threat detection is sophisticated and catches the vast majority of malicious emails, the attacks that get through are increasingly targeted and convincing.

Here is the current Gmail threat landscape and the practical steps to protect your account.


Threat 1: Account Takeover via OAuth App Abuse

OAuth (Open Authorization) lets a third-party application access your Google account without ever learning your password. When you accept a “Sign in with Google” request or install a Google Workspace add-on, Google issues that application an OAuth token carrying the permissions you approved.

Attackers exploit this by creating legitimate-looking applications and convincing users to grant them access:

  • A “Google Document” shared with you that requires you to grant an app permission to “Read and manage your email”
  • A fake productivity add-on in the Google Workspace Marketplace with misleading permissions
  • A phishing email with a Google consent screen requesting broad account permissions

Once OAuth access is granted, the attacker has persistent access to your account — even if you change your password — until you explicitly revoke the app’s access.

Protection:

  • Review granted OAuth applications: Google Account → Security → Third-party apps with account access → Remove apps you do not recognise or no longer use
  • Be extremely cautious of any application requesting “Read, compose, send and permanently delete all your email from Gmail” permissions
  • For Google Workspace business accounts, administrators can restrict which third-party apps can request Google account access

Threat 2: AI-Generated Spear Phishing

Targeted phishing emails (spear phishing) have traditionally been limited in volume because each one requires human research and crafting. AI tools have removed this constraint: attackers can now generate highly personalised phishing emails at scale, drawing on LinkedIn profiles, company websites, and leaked data.

Signs that distinguish AI-generated spear phishing from generic phishing:

  • Correct name, role, and company context
  • Reference to real projects, events, or colleagues (harvested from LinkedIn or company website)
  • Grammatically perfect prose (the “bad English” indicator is no longer reliable)
  • Plausible sender identity (not “noreply@sketchy-domain.com” but a spoofed or look-alike domain)

Protection:

  • Enable Google’s Enhanced Safe Browsing: Settings & Privacy → Security → Enhanced protection
  • Verify unexpected requests (payment changes, credential requests, urgent actions) through a separate communication channel before acting
  • Check sender email addresses carefully — not just the display name, but the actual email address

Threat 3: AiTM (Adversary-in-the-Middle) Phishing for Session Tokens

Traditional phishing steals passwords. AiTM phishing steals the authenticated session token issued after a successful login, so one-time-code and push-based MFA is bypassed entirely.

The attack works by placing a proxy between the user and the legitimate login page:

  1. User receives a phishing link that loads a convincing fake Google login page
  2. User enters credentials — the proxy forwards them to the real Google server
  3. User is prompted for MFA — the proxy forwards the MFA code to the real server
  4. Google issues an authenticated session token — the proxy captures it
  5. The user lands on a (now real) Google page and notices nothing wrong
  6. The attacker uses the captured session token to access the account

Protection:

  • Use FIDO2 hardware keys or passkeys for Google account authentication — these are phishing-resistant because the cryptographic challenge is origin-bound (it only works on the real Google login page)
  • Check active sessions: Google Account → Security → Your devices — review and revoke unexpected sessions
  • Enable Google’s Advanced Protection Programme for high-risk accounts (executives, finance, IT)

Threat 4: Google Calendar and Drive Spam

Attackers send spam invitations through Google Calendar and Google Drive:

  • Calendar invites: An event invitation appears directly in your Google Calendar with a link to a phishing site or malware download. Because it comes through the Calendar system rather than email, it may bypass email filtering.
  • Drive shares: A Google Drive document is shared with you. When opened, it contains a link to a malicious site or a convincing request for credentials.

Protection:

  • Google Calendar → Settings → Event settings → “Only show invitations from known contacts” (reduces auto-acceptance of calendar spam)
  • Be as suspicious of links in Google Calendar invites and Drive documents as in email — the delivery channel is different, the risk is the same

Practical Security Steps for Gmail Business Users

Enable 2-Step Verification with a Strong Method

Google Account → Security → 2-Step Verification. Use Google Authenticator or a hardware key — not SMS verification.

For business Google Workspace accounts, administrators should enforce 2-Step Verification for all users and restrict to strong methods (authenticator or hardware key only, not SMS).

Enable Advanced Protection Programme for High-Risk Accounts

Google’s Advanced Protection Programme requires hardware keys, restricts third-party app access, and provides enhanced scanning. It is appropriate for executives, IT administrators, and finance staff. Enrol at myaccount.google.com/advanced-protection.

Review Account Activity Regularly

Google Account → Security → Recent security activity. Review for any sign-in events from unexpected locations or devices.

Use Passkeys Where Available

Google has rolled out passkey support — a phishing-resistant credential tied to your device’s biometric authentication. Enabling a passkey for your Google account provides stronger protection than a password + MFA combination for most threat scenarios.

Google Account → Security → Passkeys → Create a passkey.
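Why the AiTM proxy described under Threat 3 fails against a FIDO2 key or passkey, and why the passkey step above is the strongest control: an added Go example (not code from the article or from Google) that models the WebAuthn assertion both credential types produce and the relying-party checks on it. The origins, challenge and authenticatorData bytes are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData: the clientDataJSON fields that matter here. The browser, not the page, sets Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// newAuthenticatorKey creates the per-site P-256 key pair a FIDO2 key or passkey holds.
func newAuthenticatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// signedDigest is what the key signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(clientJSON []byte) []byte {
	ch := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append([]byte("constructed-authenticator-data"), ch[:]...)) // authData placeholder
	return d[:]
}

// signAssertion plays the authenticator for a login attempt at the given origin.
func signAssertion(key *ecdsa.PrivateKey, challenge, origin string) (clientJSON, sig []byte, err error) {
	if clientJSON, err = json.Marshal(clientData{challenge, origin}); err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, key, signedDigest(clientJSON))
	return clientJSON, sig, err
}

// verifyAssertion plays the relying party: a proxied login is signed for the proxy's origin and fails here.
func verifyAssertion(pub *ecdsa.PublicKey, clientJSON, sig []byte, wantChallenge, wantOrigin string) error {
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil || cd.Challenge != wantChallenge {
		return errors.New("malformed clientDataJSON or challenge mismatch")
	}
	if cd.Origin != wantOrigin {
		return errors.New("origin mismatch: assertion was signed for " + cd.Origin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(clientJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}
```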


Note: While this article focuses on Gmail specifically, most of these threats — OAuth abuse, AiTM phishing, session token theft — affect Microsoft 365 accounts equally. The defensive measures for Microsoft accounts are equivalent but configured in the Microsoft account security settings rather than Google.

CX IT Services helps Melbourne businesses secure both Google Workspace and Microsoft 365 accounts. Book a Right Fit Call to discuss your email security posture.
