For Crying Out Loud … Secure Your Gmail!

This blog was supposed to be yet another thought about a cyber security threat from AI.  That will wait, because of an email I received last week.  Again.  Another phishing email disguised as an invitation.

This one said “You received an ecard!” with a “special party invitation” that claimed to be from a friend via Blue Mountain, but all links pointed to the domain dbbox.vu.  The invite referenced my friend’s name and private Gmail address.  Another friend recently “sent” an invite claiming to be from a different service, which had more aggressive calls to action (“view & RSVP”, click to “see who’s coming”).  That invite also listed a known friend as the sender, along with his Gmail address.

What was interesting in both cases was that the emails actually originated from my friends’ Gmail accounts.  SPF, DKIM and DMARC are designed to stop sender impersonation; the attacker got past them not by spoofing but by taking over the legitimate accounts and sending the emails through Google itself.  Here’s the ARC-Authentication-Results header from one, recording the checks made when Google’s own server received the message (note that every method passed, because the mail genuinely came from that Gmail account):

i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=ciwt4ctf; arc=pass (i=1); spf=pass (google.com: domain of [REDACTED]@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=[REDACTED]@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@gmail.com

Not only does this make the email look legitimate to the recipient’s mail server, it means my friends have a different problem.  They weren’t the victims of impersonation.  They lost control of their email accounts, most likely because they had easy-to-guess passwords or reused a password on another site that was later breached (a phished login page or a stolen browser session would produce the same result).

This was an annoyance for me, but easily detected.  I always check links before clicking, and it was obvious these went to domains different from the eCard company’s domain.  Additionally, an eCard should have come from the eCard company, not Gmail.  Looking at who the actual sender was confirmed what I already knew from the links.
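The two checks described above (did the message really come from the account it claims, and do the sender and the links belong to the brand the message claims to be from) can be automated. The following is an added example, not code from the original post: it parses the ARC-Authentication-Results value shown above, then compares the From: domain and every link target in a constructed copy of the eCard message against the brand’s domain. The message body, the placeholder address friend@gmail.com and the brand domain bluemountain.com are assumptions for the example; dbbox.vu is the link domain from the post.

```python
"""Triage a suspicious eCard message: do the authentication results and the
links tell the same story?

Added example; not code from the original post. ARC_AUTH_RESULTS is copied from
the post; the surrounding message is constructed (friend@gmail.com is a
placeholder). The brand's legitimate domain is assumed to be bluemountain.com,
which the post does not state.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Copied from the post. Every method passed, because the mail really was
# submitted through Google from the (compromised) Gmail account.
ARC_AUTH_RESULTS = (
    "i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 "
    "header.b=ciwt4ctf; arc=pass (i=1); spf=pass (google.com: domain of "
    "[REDACTED]@gmail.com designates 209.85.220.41 as permitted sender) "
    "smtp.mailfrom=[REDACTED]@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE "
    "dis=NONE) header.from=gmail.com; dara=pass header.i=@gmail.com"
)

# Constructed sample message; body text paraphrases the post, links use dbbox.vu.
SAMPLE_MESSAGE = (
    'From: "A Friend" <friend@gmail.com>\n'
    "To: me@example.com\n"
    "Subject: You received an ecard!\n"
    "ARC-Authentication-Results: " + ARC_AUTH_RESULTS + "\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>A friend sent you a special party invitation via Blue Mountain.</p>\n"
    '<a href="https://dbbox.vu/ecard/view">View your eCard</a>\n'
    '<a href="https://dbbox.vu/rsvp">View &amp; RSVP</a>\n'
    "</body></html>\n"
)


def parse_auth_results(value: str) -> dict:
    """Map method -> result ({'spf': 'pass', ...}) from an Authentication-Results
    or ARC-Authentication-Results value. Parenthesised comments are dropped first;
    the ARC instance tag (i=N) and the authserv-id carry no method and are skipped."""
    value = re.sub(r"\([^)]*\)", "", value)
    results = {}
    for clause in value.split(";"):
        m = re.match(r"([a-z]+)=(\w+)", clause.strip())
        if m and m.group(1) != "i":
            results[m.group(1)] = m.group(2).lower()
    return results


def dmarc_aligned_domain(value: str) -> str:
    """The From: domain that DMARC evaluated (header.from=...), or '' if absent."""
    m = re.search(r"header\.from=([\w.-]+)", value)
    return m.group(1).lower() if m else ""


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def link_hosts(html: str) -> list:
    """Distinct, sorted hostnames that the body's links actually point at."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = {urlparse(h).hostname for h in collector.hrefs}
    return sorted(h.lower() for h in hosts if h)


def same_org(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (no public-suffix list)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def html_body(msg) -> str:
    """First text/html part (a single-part message is its own only part)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw_message: str, claimed_brand_domain: str) -> dict:
    msg = message_from_string(raw_message)
    auth_header = msg.get("ARC-Authentication-Results", "") or msg.get("Authentication-Results", "")
    auth = parse_auth_results(auth_header)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    off_brand = [h for h in link_hosts(html_body(msg)) if not same_org(h, claimed_brand_domain)]
    sender_ok = same_org(from_domain, claimed_brand_domain)
    return {
        "auth_passed": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "authenticated_domain": dmarc_aligned_domain(auth_header) or from_domain,
        "from_domain": from_domain,
        "sender_matches_brand": sender_ok,
        "off_brand_link_hosts": off_brand,
        # Passing SPF/DKIM/DMARC proves which account sent it, not the sender's intent.
        "suspicious": (not sender_ok) or bool(off_brand),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_MESSAGE, "bluemountain.com").items():
        print(f"{key}: {val}")
```

The design point is that `auth_passed` and `suspicious` are both true for this message: the authentication results are correct and useless as a legitimacy signal here, while the mismatch between the claimed brand, the authenticated gmail.com sender and the dbbox.vu link targets is what gives the game away.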

The problem for my friends wasn’t just a loss of their inboxes (and outboxes).  It’s that their email is quite literally the key to their online lives.  Why?  Because their personal email accounts contain both a list of all of their other accounts and a way to compromise those.

Buried within their Gmail folders are various emails from their banks, credit card companies, mobile phone providers, Amazon, etc.  Some of those emails have account IDs, others might not.  It doesn’t matter.  It’s the list that matters.  Once someone knows where your accounts are, they can go to the login page and click “forgot account ID”.  The account ID then gets sent to the email on file…yep, the Gmail account that the hackers already had access to.  Of course, if my friends reused their password between Gmail and the other accounts, the hackers could simply log in (though they might start with a “SIM swap” attack, moving the victim’s phone number to a SIM they control so that any text-message codes reach them instead).  They could control bank accounts, Amazon, everything.

But let’s assume that my friends used best practices and had a different password for each account (I like to think they might use a password manager).  No problem for the attacker: they know the institution and now know the login ID.  The next link they click is called “forgot password”.  You guessed it…a password reset link is emailed to the Gmail on file.  Job done, they simply change the password to something only the hackers know.  Then they might change the recovery email and enable two-factor authentication to lock my friends out of their own accounts.  My friends now need to:

1. Regain and lock down the Google account: reset the password, turn on multifactor authentication (MFA), and review the recovery email and phone number, signed-in devices, app passwords, and any mail forwarding or filter rules the attacker may have added to keep access or hide password-reset notices.  This is infinitely harder if the attackers have already taken these very steps to lock out the legitimate owner.

2. Find every external account that uses their Gmail address as the email on file for things like forgotten passwords.  Change the passwords there and add MFA.
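Step 2 is the same enumeration the attacker performs: list every service that mails this inbox. Google Takeout exports Gmail as an mbox file, and the following added example (not code from the original post) groups such an export by sender domain and puts the domains with password-reset or sign-in mail first, so the owner knows which accounts to secure before the attacker uses them. The mailbox in the block is constructed for the example; the *.example domains are placeholders, not real services.

```python
"""Inventory the services that mail a personal account, from an mbox export.

Added example; not code from the original post. Reads a Gmail mbox export (as
produced by Google Takeout) and groups it by sender domain, flagging subjects
that indicate a login relationship. SAMPLE_MBOX is constructed for the example.
"""
import mailbox
import os
import re
import tempfile
from collections import defaultdict
from email.utils import parseaddr

# Subject words that indicate an account relationship rather than a newsletter.
ACCOUNT_SIGNALS = re.compile(
    r"\b(password|reset|verify|verification|sign[- ]?in|log[- ]?in|security code|account)\b",
    re.I,
)

# Constructed sample in mbox format: each message starts with a "From " separator line.
SAMPLE_MBOX = """From MAILER-DAEMON Mon Jan  6 10:00:00 2025
From: "Example Bank" <alerts@bank.example>
To: victim@gmail.com
Subject: Your statement is ready

Statement attached.

From MAILER-DAEMON Tue Jan  7 10:00:00 2025
From: "Example Bank" <no-reply@bank.example>
To: victim@gmail.com
Subject: Password reset request

Click here to reset.

From MAILER-DAEMON Wed Jan  8 10:00:00 2025
From: "Example Shop" <orders@shop.example>
To: victim@gmail.com
Subject: Your order has shipped

Tracking number enclosed.

From MAILER-DAEMON Thu Jan  9 10:00:00 2025
From: "Example Carrier" <billing@carrier.example>
To: victim@gmail.com
Subject: Verify your new sign-in

Was this you?
"""


def inventory(mbox_path: str) -> dict:
    """Return {sender_domain: {"messages": n, "senders": [...], "account_signals": n}}."""
    report = defaultdict(lambda: {"messages": 0, "senders": set(), "account_signals": 0})
    box = mailbox.mbox(mbox_path)
    try:
        for msg in box:
            _, addr = parseaddr(msg.get("From", ""))
            domain = addr.rpartition("@")[2].lower()
            if not domain:
                continue  # missing or unparseable From: header
            entry = report[domain]
            entry["messages"] += 1
            entry["senders"].add(addr.lower())
            if ACCOUNT_SIGNALS.search(msg.get("Subject", "")):
                entry["account_signals"] += 1
    finally:
        box.close()
    return {d: {**e, "senders": sorted(e["senders"])} for d, e in report.items()}


def prioritised(report: dict) -> list:
    """Domains to secure first: most account-related mail, then most mail overall."""
    return sorted(report, key=lambda d: (-report[d]["account_signals"], -report[d]["messages"], d))


def demo() -> dict:
    """Write the constructed sample to a temporary mbox file and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "takeout.mbox")
        with open(path, "w", encoding="utf-8", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        return inventory(path)


if __name__ == "__main__":
    report = demo()
    for domain in prioritised(report):
        e = report[domain]
        print(f"{domain:<18} messages={e['messages']} account_signals={e['account_signals']} "
              f"senders={', '.join(e['senders'])}")
```

Point `inventory()` at a real Takeout file and the output is the list from step 2. Subject-line keywords are a heuristic: a domain with zero signals can still hold an account, so the full list should be reviewed, not just the top of it.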

That brings me to the point of this note.  Your personal email account is a “high value target” for attackers.  Not only is your contact list a ready-made target list for scams and phishing sent in your name, but your emails provide attackers with a roadmap of where to go next, and a mechanism to compromise those destinations.

For goodness’ sake, treat access to your personal email as a high value target.  That means a long password that isn’t used anywhere else, and ideally MFA/2FA or passkeys, preferring a passkey or an authenticator app over text-message codes, which a SIM swap can redirect.  It can literally be the keys to your kingdom.