The problem is that attackers are smart; they are always looking for a way to make their scams look legitimate. I have seen Business Email Compromises that involved the theft of marketing materials directly from a company while also using the compromised account to send out the next wave of phishing. Here the attacker uses a spoofed domain along with a recognizable logo. The one identified by security researcher Chris Plummer was a simple use of a subdomain exploit (kelerymjrlnra[.]ups[.]com). While the SPF (Sender Policy Framework) record for UPS should and does fail this subdomain (although the DMARC seems to pass it), it looks like it slipped by Google’s check, which verified the root domain.
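The gap the post describes is the difference between "the brand's root domain is well protected" and "this particular message, from this exact sender domain, actually authenticated". The following is an added example written for this post, not code from Google or from the researcher. It runs a minimal SPF evaluation and DMARC alignment check against a constructed DNS snapshot (the records for ups.com and the 203.0.113.0/24 sending range are made up for the example, and the organizational-domain logic is simplified to the last two labels instead of the Public Suffix List). The naive_badge function is an assumed model of the behaviour described above, namely trusting the root domain's policy instead of the message's own authentication result; strict_badge shows the checks a verifier needs so that a random, non-resolving subdomain with no SPF record does not earn a checkmark.

```python
import ipaddress

# Constructed DNS snapshot for this example (not real records). The org domain
# publishes SPF and DMARC; the random-looking subdomain has no records at all.
DNS = {
    ("ups.com", "A"): ["203.0.113.10"],
    ("ups.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("_dmarc.ups.com", "TXT"): ["v=DMARC1; p=reject; aspf=r"],
}


def lookup(name, rtype):
    """Answer a query from the snapshot; an empty list means no such record."""
    return DNS.get((name.lower(), rtype), [])


def resolves(name):
    """A sender domain that has no address record is the first red flag."""
    return bool(lookup(name, "A"))


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_result(domain, sending_ip):
    """Minimal SPF evaluator for the EXACT domain given: only ip4 mechanisms and
    the 'all' mechanism are modelled. Note that it never falls back to the parent."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"          # no record: SPF says nothing about this sender
    if len(records) > 1:
        return "permerror"     # multiple SPF records are a configuration error
    ip = ipaddress.ip_address(sending_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue           # mx, include, a, etc. are not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def dmarc_policy(domain):
    """Return the DMARC tags published at the organizational domain, or None."""
    name = "_dmarc." + org_domain(domain)
    records = [r for r in lookup(name, "TXT") if r.startswith("v=DMARC1")]
    if not records:
        return None
    return dict(kv.strip().split("=", 1) for kv in records[0].split(";") if "=" in kv)


def naive_badge(from_domain):
    """Assumed model of the flaw in the post: the brand is treated as verified because
    its root domain publishes a strict policy, without checking this message at all."""
    policy = dmarc_policy(from_domain)
    return policy is not None and policy.get("p") == "reject"


def strict_badge(from_domain, mail_from_domain, sending_ip):
    """Badge only if the exact From domain exists, SPF passes for the envelope domain,
    and that identifier aligns with the From domain under the published aspf mode."""
    if not resolves(from_domain):
        return False
    if spf_result(mail_from_domain, sending_ip) != "pass":
        return False
    policy = dmarc_policy(from_domain) or {}
    if policy.get("aspf", "r") == "s":          # strict alignment: exact match
        return mail_from_domain.lower() == from_domain.lower()
    return org_domain(mail_from_domain) == org_domain(from_domain)  # relaxed


if __name__ == "__main__":
    spoof, attacker_ip = "kelerymjrlnra.ups.com", "198.51.100.7"   # constructed attacker IP
    print("resolves:", resolves(spoof))                        # False
    print("spf:", spf_result(spoof, attacker_ip))              # none
    print("naive badge:", naive_badge(spoof))                  # True  (the flaw)
    print("strict badge:", strict_badge(spoof, spoof, attacker_ip))  # False
```

The instructive part is that spf_result never walks up to the parent domain: SPF is evaluated for the exact domain in the envelope, so a freshly invented subdomain returns "none" rather than inheriting the root's pass. Relaxed DMARC alignment (aspf=r) is what lets a genuine subdomain of the brand align with a From: address at the root, which is why the post sees DMARC "pass" the subdomain on paper; it still requires an actual SPF or DKIM pass for the message first, and the naive model skips that step entirely.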
This flaw on the Google side of things allowed the fake email to get through and even show up as verified. This makes the chance of it being clicked on by the unwary much higher. Phishing emails claiming to be from shipping companies with a pending package are nothing new. They happen all the time and millions of people fall for them, just like the “you’ve won” style emails that flood the most common public email services out there. While the verified sender feature is a nice one, it looks like it needs a lot more work.
Google has now listed this issue as a Severity 1 and Priority 1 issue, with people actively working to identify a fix as quickly as possible. This is a change of heart after they first ignored the reported issue, saying it was working as intended. I am sure this was a simple oversight and the person receiving the initial request missed the fact that it was a random subdomain. Still, I do wonder how this got by Google’s detection system in the manner that it did. It is not a valid subdomain (it does not resolve in DNS), it fails a real SPF check, and it has all the appearance of having been created by a domain name randomization application. A quick check of a public threat intelligence feed shows that using a subdomain for UPS is a very popular way of getting malicious emails and files to targeted individuals, with 101 malicious files associated with bad subdomains. I would think that FedEx, UPS, and other popular targets would have a higher burden of proof for tools like the one that Google released.
For now, remember to keep an eye out for suspicious emails and do not rely on verified sender check marks in Gmail (or any other public mail system) for the foreseeable future.