A new Gmail feature called "Confidential Email" requires users to click a link to access confidential emails - a feature described as a "potential emerging threat ... for nefarious activity," in a May 24 US Department of Homeland Security intelligence note obtained by ABC News.
It warns that with this key new feature Google has created an opportunity in which "malicious cyber-actors could exploit the recent Gmail redesign," and thereby make its 1.4 billion users more susceptible to phishing attacks. The message has been distributed to law enforcement personnel and others handling cyber-security for private computer networks.
Users of "Confidential Email" access their content via a link intended to let them prevent forwarding, copying, downloading or printing of emails, set an expiration date for confidential emails, require recipients to go through a two-step security protocol, and revoke access to confidential emails, including after they have been sent.
The concern of the DHS is that the new feature "presents an opportunity for malicious cyber-actors to mimic the e-mail message and phish unwary users."
Lesley Fulop, a Department of Homeland Security spokeswoman, is reported to have told ABC News: "We have reached out to Google to inform them of intelligence relevant to their services and to partner to improve our mutual interests in cyber-security."
Brooks Hocog, a Google spokesman, says the use of filtering tools catches more than 99.9 percent of phishing attempts in Gmail, adding that the new redesign has additional measures to try to protect users from email attacks, such as emphasising security warnings in suspicious emails.
In an email to SC Media UK, Eyal Benishti, CEO and founder of Ironscales, commented: "Phishing is already a prevalent threat individuals and organisations face, and features like the one introduced by Google in this case are just making it even easier for nefarious actors to exploit victims. It is so difficult for even trained eyes to spot a sophisticated phishing attempt - how are users meant to differentiate between a real ‘confidential link’ and a fake? Of course, it will be near impossible - exactly what the criminals want.
"Until this feature is revoked by Gmail, it is imperative to help users identify well-crafted impersonation techniques, in order to avoid a potential cyber-security incident. By employing mailbox-level detection that tracks user behaviour analysis and sender reputation scoring to build a picture of what is deemed normal behaviour, anomalies in communications and metadata are easily spotted and automatically flagged as suspicious. In tandem, providing a mechanism for employees who do spot something amiss in a message to report their findings via inmail alerts allows quick reporting via an augmented email experience, helping the user make better decisions that ultimately help protect the enterprise.
"It is also key to remain vigilant - we all play a part in cybersecurity after all. If you're ever unsure, contact your IT department, and never interact with the email."
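One defender-side check along the lines Benishti describes, as an added example that is not from the article, Google or Ironscales: it flags links whose anchor text mimics a "view the confidential email" prompt but whose host is not one the organisation trusts for such links, and pairs that with a first-seen-sender baseline. The trusted-host set, the lure wording and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts the organisation accepts for a genuine confidential-mode link (assumption; tune per site).
TRUSTED_LINK_HOSTS = {"mail.google.com"}
# Anchor wording that imitates the confidential-mode prompt (assumption).
LURE_WORDS = re.compile(r"confidential|view the email", re.IGNORECASE)
HREF = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

def link_anomalies(html):
    """Return hrefs whose anchor text reads like a confidential-mode prompt
    but whose host is outside the trusted set (exact host match, so
    'mail.google.com.example' style lookalikes are also flagged)."""
    flagged = []
    for href, text in HREF.findall(html):
        if LURE_WORDS.search(re.sub(r"<[^>]+>", "", text)):
            host = (urlparse(href).hostname or "").lower()
            if host not in TRUSTED_LINK_HOSTS:
                flagged.append(href)
    return flagged

def assess(raw_message, known_senders):
    """Combine the link check with a simple sender-history baseline;
    returns a list of human-readable reasons (empty means nothing flagged)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    reasons = []
    bad = link_anomalies(body)
    if bad:
        reasons.append("lookalike confidential link(s): " + ", ".join(bad))
    if sender not in known_senders:
        reasons.append(f"first-seen sender {sender}")
    return reasons

# Constructed sample: a lure imitating the confidential-email prompt (not a real message).
SAMPLE = """From: "Payroll" <payroll@example-lure.test>
To: user@example.test
Subject: Confidential email from HR
Content-Type: text/html; charset=utf-8

<p>You have received a confidential email.</p>
<p><a href="https://mail-google.example-lure.test/view">View the email</a></p>
"""

if __name__ == "__main__":
    for reason in assess(SAMPLE, {"hr@example.test"}):
        print("FLAG:", reason)
```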