> > What do you know about "Gmail confidential mode" emails? I'm starting to
> > see a few of these come in to users now, and not sure how to treat them.
> > They are sent through gmail, but require a one-time passcode sent to the
> > recipient,
>
> Did you actually look at them? What do they look like? What does the
> recipient have to do to actually get the mail? Does this only work
> gmail to gmail?
>
Some of those questions I was hoping others could help me to answer. This is a legitimate email service provided by gmail. It was routed through google's servers only. It passed DKIM and SPF, but not DMARC. I don't think it's only gmail-to-gmail, as the recipient is not a gmail account.

You can experiment with this by composing a new message in Gmail, then clicking the "toggle confidential mode" lock/timer icon in the same tray as where fonts and attachments are controlled.

The email includes a link to "view the email", where the user is then directed to https://confidential-mail.google.com/ with a prompt to get a one-time passcode sent to the same email address, which apparently authorizes the recipient to reveal the contents of the "secure" email. I didn't "send passcode" on that URL because it would then send it to the real recipient as well. It requires the passcode only if it's necessary to authenticate as the recipient - if you're not already logged in as that recipient, for example.

It's definitely suspect, as the subject is just "Fwd: Information" and there are no details in the body as to its contents. The email is base64 encoded.

> > so any potential threat is not transferred through the same
> > email (or any email at all).
>
> huh? I don't follow this at all.

Once you've authenticated yourself, the email is displayed there, at the confidential-mail.google.com URL directly, not through some follow-up email.

> > otherwise have no other spam indicators.
>
> When you looked at the raw bytes in the mailspool, what was in it? What
> does the SA debug output look like? It doesn't make sense that you wouldn't
> have done these things before posting, but you didn't explain.

Yes, the initial email is relatively benign - it is a legitimate gmail email sent through their servers and signed by them. The spample I'm looking at now was quarantined only because their domain (pcfixpos.com) is apparently blocklisted. It also hit BAYES_99.
 *  1.0 DKIMWL_BULKMAILER_LOW ASKDNS: DKIMwl.org - Low scoring bulkmailer
 *      [pcfixpos-com.20210112.gappssmtp.com.lookup.dkimwl.org A:127.0.2.1]
 *  1.5 DKIMWL_BL ASKDNS: DKIMwl.org - Low trust sender
 *      [pcfixpos-com.20210112.gappssmtp.com.lookup.dkimwl.org A:127.0.2.1]

Given that, I suspect this one is spam, but this is an interesting way to distribute malicious links.
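An added example, not code from anyone in this thread, showing how a triage script could pull out the points the message above relies on: the Authentication-Results verdicts (DKIM and SPF pass, DMARC fail), the base64-encoded body, the "view the email" link and whether it really points at confidential-mail.google.com, and the DKIMwl.org lookup name built from the DKIM d= domain, in the same shape as the ASKDNS hits quoted above. The sample message is constructed for this example (the receiving host, addresses, Message-ID-free header set and the path in the link are made up); only the gappssmtp.com d= domain and the link host come from the thread. It does no network lookups.

```python
"""Triage helper for Gmail confidential-mode notification mails (added example)."""
import base64
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional
from urllib.parse import urlparse

CONFIDENTIAL_HOST = "confidential-mail.google.com"
DKIMWL_ZONE = "lookup.dkimwl.org"  # zone queried by the ASKDNS rules in the thread

# Constructed sample. Receiving host, addresses and the link path are made up;
# the d= domain and the link host are the ones discussed in the thread.
SAMPLE_BODY = (
    "Someone sent you a message using Gmail confidential mode.\n"
    "View the email: https://confidential-mail.google.com/view/abc123\n"
)
SAMPLE_HEADERS = (
    "Authentication-Results: mx.example.net;\n"
    "\tdkim=pass header.d=pcfixpos-com.20210112.gappssmtp.com;\n"
    "\tspf=pass smtp.mailfrom=pcfixpos.com;\n"
    "\tdmarc=fail header.from=pcfixpos.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "\td=pcfixpos-com.20210112.gappssmtp.com; s=20210112;\n"
    "\th=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Someone <someone@pcfixpos.com>\n"
    "To: user@example.net\n"
    "Subject: Fwd: Information\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "Content-Transfer-Encoding: base64\n"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample() -> str:
    """Assemble the constructed sample with a base64 transfer encoding, as the thread describes."""
    body_b64 = base64.b64encode(SAMPLE_BODY.encode("utf-8")).decode("ascii")
    return SAMPLE_HEADERS + "\n" + body_b64 + "\n"


def parse_auth_results(msg: EmailMessage) -> dict:
    """Return the first dkim/spf/dmarc verdict found in Authentication-Results."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", str(header)):
            verdicts.setdefault(method, result.lower())
    return verdicts


def dkim_signing_domain(msg: EmailMessage) -> Optional[str]:
    """Extract the d= tag from the first DKIM-Signature header, if any."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    match = re.search(r"\bd=([^;\s]+)", str(sig))
    return match.group(1).lower() if match else None


def decoded_body_text(msg: EmailMessage) -> str:
    """Decode the text body; get_content() undoes base64/quoted-printable for us."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def confidential_mode_links(urls: List[str]) -> List[str]:
    """Keep only links whose host is exactly confidential-mail.google.com (lookalikes fail this)."""
    return [u for u in urls if (urlparse(u).hostname or "").lower() == CONFIDENTIAL_HOST]


def dkimwl_query_name(signing_domain: str) -> str:
    """Build the DKIMwl.org A-record lookup name from the DKIM d= domain."""
    return f"{signing_domain}.{DKIMWL_ZONE}"


def triage(raw: str) -> dict:
    """Parse a raw message and collect the indicators a reviewer would look at."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    domain = dkim_signing_domain(msg)
    urls = URL_RE.findall(decoded_body_text(msg))
    conf = confidential_mode_links(urls)
    return {
        "subject": str(msg.get("Subject", "")),
        "auth": auth,
        "dkim_domain": domain,
        "dkimwl_query": dkimwl_query_name(domain) if domain else None,
        "confidential_mode_links": conf,
        "other_links": [u for u in urls if u not in conf],
        "is_confidential_mode": bool(conf),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The interesting output for a mail like the one above is a DMARC fail alongside DKIM and SPF passes, a body link whose host is exactly confidential-mail.google.com, and the dkimwl.org name to resolve for the gappssmtp.com signing domain; a link to a lookalike host would land in `other_links` instead.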