Google Drive loophole lets blocked malware reach Gmail, puts billions at risk

New research has revealed that “Scanned by Gmail” is no longer a guarantee. Researchers discovered a structural flaw that allows malicious files to bypass Google’s native security controls.
The flaw – which poses a risk to billions of Gmail users – allows attackers to upload to Google Drive a file that Gmail has already identified as malicious, then distribute it through Gmail’s native Drive-sharing feature, complete with the reassuring “Scanned by Gmail” label.
“The exact same file Gmail flags as malicious and refuses to send, can still reach the inbox through Google Drive, presented as if it’s been verified,” said Pentera security researcher Ben Illkashi.
“From a user perspective, there is no visible difference. It looks like a normal, trusted attachment.”
Google has confirmed the issue, but no fix or timeline for remediation has been released.
Users are advised to treat emails containing Google Drive links with the same scrutiny as direct file attachments, regardless of safety labels.
How researchers discovered the flaw
As Illkashi points out, people won’t give a “prince from a distant kingdom” their credit card numbers anymore. So attackers are coming up with new ways to make emails appear innocent, safe, and secure, “to convince every user to click on them and fall into the lure.”
The researcher set out to prove this in a proof-of-concept exercise: to try to trick Google into “signing off on a phishing payload and effectively achieving the holy grail of phishing attacks.”
In a blog post, Illkashi explains how he achieved this while investigating the use of Scalable Vector Graphics (SVG) as payloads for phishing campaigns.
SVG is an XML-based vector graphics format that can carry embedded JavaScript, which is what makes it usable as a phishing payload. Illkashi reports that Gmail initially blocked the file outright and marked it as “virus detected.”
However, after uploading the same file to Google Drive and sharing it through Gmail’s integrated Drive attachment system, the email was successfully delivered.
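As an added example that is not part of the article or of Pentera’s research, the following Python script shows what makes an SVG “active” (an inline script element, event-handler attributes such as onload, a javascript: link, or a foreignObject that embeds HTML) and flags such files, so that a defender fetching a Drive-shared attachment can check it without relying on the “Scanned by Gmail” label. The three SVG documents inside it are constructed for illustration.

```python
"""Flag active content in SVG files.

Added example (not from the Cybernews article or Pentera's research): a
minimal static check for the kind of script-bearing SVG the article describes.
The sample documents below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute code or embed arbitrary HTML inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject"}
# URI schemes that turn a link or reference into code execution or HTML rendering.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1] if name.startswith("{") else name


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings describing active content in an SVG document.

    An empty list means nothing script-like was found; it does not prove the file
    is safe (CSS tricks, external references and entity expansion are out of scope;
    use defusedxml instead of the stdlib parser on untrusted input in production).
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element present")
        for name, value in elem.attrib.items():
            attr = _local(name)
            # Event handlers such as onload/onclick run JavaScript when the SVG renders.
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr}= on <{tag}>")
            # href / xlink:href / src may point at a javascript: or data: payload.
            if attr in {"href", "src"}:
                v = value.strip().lower().replace("\n", "").replace("\t", "")
                if v.startswith(DANGEROUS_SCHEMES):
                    findings.append(f"{attr} uses dangerous scheme on <{tag}>: {v[:32]}")
    return findings


# Constructed benign SVG: static shapes only.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# Constructed phishing-style SVG: an onload handler plus an inline <script>.
SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <script>/* constructed payload */ location.href = 'https://example.invalid/login';</script>
</svg>"""

# Constructed SVG whose clickable text links to a javascript: URI via xlink:href.
LINK_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:void(0)"><text x="0" y="10">Open document</text></a>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG), ("link", LINK_SVG)):
        print(label, "->", scan_svg(doc) or "no active content found")
```

The check looks only at the document you actually downloaded, which is the point: a Drive-shared file has to be retrieved and inspected on its own merits, because the label shown in the Gmail client says nothing about its contents.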
Email recipients saw the file displayed as a standard Gmail attachment accompanied by the platform’s trusted safety label, despite Gmail previously identifying it as malicious.
Pentera said the issue could be exploited in real-world phishing campaigns because attackers can leverage Google’s own infrastructure to make malicious emails appear legitimate.
“That dynamic creates a gap attackers can deliberately exploit, turning Google’s own infrastructure into a high-trust malware delivery mechanism for phishing campaigns,” the firm warned.
A second flaw in Drive is uncovered
Illkashi uncovered a second issue involving Google Drive’s warning system. Normally, Drive shows a dedicated warning dialog before a user downloads a file it considers suspicious. But the researcher found that when certain files were shared through Gmail’s Drive integration, that warning disappeared entirely.
“This indicates a flaw in the implementation of the Google Drive file download mechanism within Gmail’s endpoint,” he said, adding that users could download potentially dangerous files “without triggering Google's standard safety warnings.”
Advice for Gmail users
The researcher hypothesizes that these issues may stem from Gmail extending implicit trust to files originating from Drive, under the assumption that content within Google’s ecosystem is pre-vetted.
Until a patch is released, researchers warn users not to blindly trust Gmail safety labels or Google Drive attachments, particularly those from unknown or unexpected senders.