>
>
> > What do you know about "Gmail confidential mode" emails? I'm starting to
> > see a few of these come in to users now, and not sure how to treat them.
> > They are sent through gmail, but require a one-time passcode sent to the
> > recipient,
>
> Did you actually look at them?  What do they look like?  What does the
> recipient have to do to actually get the mail?  Does this only work
> gmail to gmail?
>

Some of those questions I was hoping others could help me to answer. This
is a legitimate email service provided by gmail. It was routed through
google's servers only. It passed DKIM and SPF, but not DMARC. I don't think
it's only gmail-to-gmail, as the recipient is not a gmail account.

You can experiment with this by composing a new message in Gmail, then
clicking the "toggle confidential mode" lock/timer icon in the same tray as
where fonts and attachments are controlled.

The email includes a link to "view the email" where the user is then
directed to https://confidential-mail.google.com/ with a prompt to get a
one-time passcode to the same email address that apparently authorizes the
recipient to reveal the contents of the "secure" email. I didn't "send
passcode" on that URL because it would then send it to the real recipient
as well. It requires the passcode only if it's necessary to authenticate as
the recipient - if you're not already logged in as that recipient, for
example.

It's definitely suspect, as the subject is just "Fwd: Information" and
there are no details in the body as to its contents. The email is base64
encoded.

> > so any potential threat is not transferred through the same
> > email (or any email at all).
>
> huh?  I don't follow this at all.
>

Once you've authenticated yourself, the email is displayed there, at the
confidential-mail.google.com URL directly, not through some follow-up email.

> > otherwise have no other spam indicators.
>
> When you looked at the raw bytes in the mailspool, what was in it?  What
> does the SA debug output look like?  It doesn't make sense that you wouldn't
> have done these things before posting, but you didn't explain.
>

Yes, the initial email is relatively benign - it is a legitimate gmail
email sent through their servers and signed by them.

The spample I'm looking at now was quarantined only because their domain
(pcfixpos.com) is apparently blocklisted.  It also hit BAYES_99.

 *  1.0 DKIMWL_BULKMAILER_LOW ASKDNS: DKIMwl.org - Low scoring bulkmailer
 *      [pcfixpos-com.20210112.gappssmtp.com.lookup.dkimwl.org A:127.0.2.1]
 *  1.5 DKIMWL_BL ASKDNS: DKIMwl.org - Low trust sender
 *      [pcfixpos-com.20210112.gappssmtp.com.lookup.dkimwl.org A:127.0.2.1]

Given that, I suspect this one is spam, but this is an interesting way to
distribute malicious links.
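A small triage helper for a message of the kind described above, added here as an example and not part of the thread: it decodes the base64 body with Python's standard email library, pulls out every URL, and reports whether the message is a confidential-mode notice (a link to confidential-mail.google.com) and what else it links to. The sample message, its addresses and the msgid value are constructed.

```python
import base64
import email
import re
from email import policy

CONF_MODE_HOST = "confidential-mail.google.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample in the shape described in the thread: subject
# "Fwd: Information", base64-encoded body, nothing but a "view" link.
_HTML = ('<p>Someone sent you a confidential email.</p>'
         '<a href="https://confidential-mail.google.com/?msgid=EXAMPLE">'
         'View the email</a>')
SAMPLE_MSG = (
    "From: sender@example.com\r\n"
    "To: recipient@example.net\r\n"
    "Subject: Fwd: Information\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(_HTML.encode()).decode() + "\r\n"
)

def extract_urls(raw: str) -> list:
    """Decode each text part (the email library undoes base64 and
    quoted-printable transfer encodings) and return every URL found."""
    msg = email.message_from_string(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # bytes, base64 removed
        if payload:
            urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls

def triage(raw: str) -> dict:
    """Facts a reviewer wants before releasing such a message from quarantine.
    The notice itself carries no content, so the verdict rests on the sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    urls = extract_urls(raw)
    conf = [u for u in urls if CONF_MODE_HOST in u.lower()]
    return {
        "subject": str(msg["Subject"] or ""),
        "urls": urls,
        "confidential_mode": bool(conf),
        "other_urls": [u for u in urls if u not in conf],
    }
```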
