---
title: "Hackers Are Exploiting the Google Groups’ Practice of Rewriting “From:” Addresses; Should You Rethink Before Continuing on Google Groups Now? | DMARC Report"
description: "Hackers Are Exploiting the Google Groups’ Practice of Rewriting “From:” Addresses; Should You Rethink Before Continuing on Google Groups Now? from DMARC."
image: "https://dmarcreport.com/og/blog/hackers-exploiting-google-groups-address.png"
canonical: "https://dmarcreport.com/blog/hackers-exploiting-google-groups-address/"
---

Quick Answer

\[DMARC Report\](https://soundcloud.com/dmarcreport-1-325699943) · \[Reconsidering Google Groups: Exploiting 'From:' Address Rewrite by Hackers\](https://soundcloud.com/dmarcreport-1-325699943/reconsidering-google-groups-exploiting-from-address-rewrite-by-hackers)

Related: [Free DMARC Checker](/tools/dmarc-checker/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fhackers-exploiting-google-groups-address%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Hackers%20Are%20Exploiting%20the%20Google%20Groups%E2%80%99%20Practice%20of%20Rewriting%20%E2%80%9CFrom%3A%E2%80%9D%20Addresses%3B%20Should%20You%20Rethink%20Before%20Continuing%20on%20Google%20Groups%20Now%3F&url=undefined%2Fblog%2Fhackers-exploiting-google-groups-address%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fhackers-exploiting-google-groups-address%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fhackers-exploiting-google-groups-address%2F&title=Hackers%20Are%20Exploiting%20the%20Google%20Groups%E2%80%99%20Practice%20of%20Rewriting%20%E2%80%9CFrom%3A%E2%80%9D%20Addresses%3B%20Should%20You%20Rethink%20Before%20Continuing%20on%20Google%20Groups%20Now%3F "Share on Reddit") [ ](mailto:?subject=Hackers%20Are%20Exploiting%20the%20Google%20Groups%E2%80%99%20Practice%20of%20Rewriting%20%E2%80%9CFrom%3A%E2%80%9D%20Addresses%3B%20Should%20You%20Rethink%20Before%20Continuing%20on%20Google%20Groups%20Now%3F&body=Check out this article: undefined%2Fblog%2Fhackers-exploiting-google-groups-address%2F "Share via Email") 

![Hackers Are Exploiting the Google Groups’ Practice of Rewriting “From:” Addresses; Should You Rethink Before Continuing on Google Groups Now?](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

> The email authentication landscape changed permanently in 2024, says Brad Slavin, General Manager of DuoCircle. Google, Yahoo, and now Microsoft all require DMARC. What used to be a best practice is now a hard prerequisite for reaching inboxes. Organizations that delayed are now paying the price in deliverability.

[DMARC Report](https://soundcloud.com/dmarcreport-1-325699943) · [Reconsidering Google Groups: Exploiting ‘From:’ Address Rewrite by Hackers](https://soundcloud.com/dmarcreport-1-325699943/reconsidering-google-groups-exploiting-from-address-rewrite-by-hackers)

Google is a **highly reputed IT platform**; however, despite the proactive measures and technologies it develops and adopts to keep its users safe, [threat actors often outsmart](https://www.bleepingcomputer.com/news/security/google-hackers-exploited-zimbra-zero-day-in-attacks-on-govt-orgs/) their tech ninjas.

And this has happened yet again!

Recently, a cybersecurity firm uncovered a \*\*security loophole in Google Groups that has given hackers the opportunity to plan and execute sneaky [phishing attacks](https://www.infosecurity-magazine.com/news/sorillus-rat-phishing-google/) without tipping off the members and creators.

Before knowing about the vulnerability, we are quickly taking you through the \*\*concept of creating and using [Google Groups](https://en.wikipedia.org/wiki/Google%5FGroups).

## I Don’t Know Much About Google Groups, Please Elaborate

It’s fine if you are still unfamiliar with this platform, as it was popular in its heyday, and now it’s not a buzz anymore. This is primarily due to the development and introduction of \*\*better tools like Slack, Help Scout, Mailchimp, etc., and features to create and manage [groups on social media platforms](https://turbofuture.com/internet/What-are-Social-Media-Groups) like Facebook and WhatsApp.

![Create dmarc record5894](https://media.mailhop.org/dmarcreport/images/2023/11/create-dmarc-record5894.jpg) 

_Google Groups is a service from Google that allows users to create public and private discussion groups for people sharing common interests._ Members can view a \*\*group’s conversation history and post new messages.

As much as the idea of coming together and exchanging messages pertaining to common interests seems advantageous, it also bears risks for members and enterprises. Public groups allow **anyone to join**, which hackers misuse as an opportunity to [exploit email addresses](https://www.infosecurity-magazine.com/news/criminals-gaza-crisis-fake-charity/) and other sensitive details of members. Moreover, users have shown concerns about Google Groups’ \*\*capabilities to filter spam messages.

## Google Groups’ Rewrites “From:” Addresses- But What Made it Do This?

Initially, Google Groups discovered that there was an issue with emails sent from domains having their [DMARC policy](https://dmarcreport.com/dmarc-policy/) set to **quarantine or reject**. Legitimate messages dispatched from a domain through authorized sending sources were getting flagged as spam or bouncing back . It affected communication and Google Groups’ credibility to align with SPF, DKIM, and [DMARC](https://dmarcreport.com/) protocols. It was resolved by slightly adjusting the process, according to which Google Groups would rewrite the **“From:” address**. This made the message appear like coming from the mailing list itself, which eliminated the chances of genuine conversations getting flagged or rejected.![Dmarc report9684](https://media.mailhop.org/dmarcreport/images/2023/11/dmarc-report9684.jpg)

## But What’s the Currently Discovered Vulnerability?

Lately, it has been uncovered that cyber actors are taking advantage of the \*\*practice of rewriting the “From:” address by [attacking public groups](https://thehackernews.com/2023/05/meta-uncovers-massive-social-media.html) that are configured to allow anyone on the internet to join and be a member without anyone’s approval or consent.

They manipulated Google’s “From:” address management practice, chiefly when a sender domain’s [DMARC record](https://dmarcreport.com/dmarc-record/) is set to quarantine or reject policy.

## Unrolling the Attacking Methodology

All this happens in 6 stages:

- Threat actors buy a fresh domain name, deploy DMARC for it, and set the DMARC record on [quarantine or reject policy](https://support.dmarcreport.com/support/solutions/articles/5000873942-what-should-be-the-policy-level-for-dmarc-).
- The new domain is then used for sending out spoofed emails to Google Groups addresses.
- **Google rewrites the “From:” address**.
- A deceptive Reply-To address shows the original sender’s domain, which is actually the threat actor’s domain.
- The results for [SPF](https://dmarcreport.com/what-is-spf/) and [DKIM](https://dmarcreport.com/what-is-dkim/) authentication are positive .
- Visual indicators automatically appear for targeted domains with [BIMI](https://dmarcreport.com/blog/what-is-bimi-and-how-it-is-built-upon-dmarc/) in place.

## But I Am an Active Google Groups User; How Can My Organization and I Stay Protected?

No technology or IT platform is 100% shielded from malicious actors, and Google Groups is no exception. So, just as you are suggested to follow [best practices](https://dmarcreport.com/blog/dkim-best-practices-essential-guidelines-for-email-authentication/), read red flags, and stay vigilant while doing anything on the internet, the same follows with this.

![Gmail dmarc5967](https://media.mailhop.org/dmarcreport/images/2023/11/gmail-dmarc5967.jpg) 

_Avoid maintaining public lists, especially the ones that allow anyone on the web to join._ Be selective in who gets access to discussions and email addresses of members; otherwise, you can end up [compromising the security and privacy](https://www.wired.com/story/23andme-credential-stuffing-data-stolen/) of many people.

Moreover, it’s better to switch to a \*\*more secure and reliable platform for communications involving insights and finances, including billing and payroll activities.

Also, when in doubt, **switch to in-person communication**. The idea seems a little old-school, but it’s better than getting exploited. Isn’t it?

Please feel free to [reach out to our support team](https://support.dmarcreport.com/support/home) to discuss anything related to DMARC and [email security](https://dmarcreport.com/blog/the-importance-of-email-statistics-in-email-security-and-how-dmarc-can-help/). We feel more than happy to help you stay safe on the internet .

## Topics

[ DMARC ](/tags/dmarc/)[ dmarc record ](/tags/dmarc-record/)[ email security ](/tags/email-security/)[ News ](/tags/news/) 

![Vishal Lamba](https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg) 

[ Vishal Lamba ](/authors/vishal-lamba/) 

Content Specialist

Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.

[LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Foundational 11m  DMARC Forensic Report: Essential Insights for Email Security  Apr 24, 2025 ](/blog/dmarc-forensic-report-essential-insights-for-email-security/)[  Foundational 5m  DMARC in a Multi-Domain Environment: Best Practices for Complex Setups  Aug 4, 2023 ](/blog/dmarc-in-a-multi-domain-environment-best-practices-for-complex-setups/)[  Foundational 5m  10 Reasons Why Your Website Needs A Robust DMARC Report Monitoring Tool  Sep 29, 2023 ](/blog/10-reasons-why-your-website-needs-a-robust-dmarc-report-monitoring-tool/)[  Foundational 7m  4 sectors that need email authentication the most and why  Oct 15, 2024 ](/blog/4-sectors-that-need-email-authentication-the-most-and-why/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Hackers Are Exploiting the Google Groups’ Practice of Rewriting “From:” Addresses; Should You Rethink Before Continuing on Google Groups Now?","description":"Hackers Are Exploiting the Google Groups’ Practice of Rewriting “From:” Addresses; Should You Rethink Before Continuing on Google Groups Now? from DMARC.","url":"https://dmarcreport.com/blog/hackers-exploiting-google-groups-address/","datePublished":"2023-11-20T11:29:56.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2023-11-20T11:29:56.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://dmarcreport.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes DMARC Report's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF and DMARC errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/hackers-exploiting-google-groups-address/"},"articleSection":"foundational","keywords":"DMARC, dmarc record, email security, News","wordCount":738,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"Hackers Are Exploiting the Google Groups’ Practice of Rewriting “From:” Addresses; Should You Rethink Before Continuing on Google Groups Now?","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Hackers Are Exploiting the Google Groups’ Practice of Rewriting “From:” Addresses; Should You Rethink Before Continuing on Google Groups Now?","item":"https://dmarcreport.com/blog/hackers-exploiting-google-groups-address/"}]}
```