--- title: "Cybersecurity News, Gmail Attack Bypasses, Secure Cloud Fax: Healthcare Transition, Gmail AMP XSS: Discovered | DMARC Report" description: "In today" image: "https://dmarcreport.com/og/blog/news-gmail-attack-cloud-fax-gmail.png" canonical: "https://dmarcreport.com/blog/news-gmail-attack-cloud-fax-gmail/" --- Quick Answer According to the threat research team of cyber security firm\[ Volexity\](https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/), the North Korean ‘SharpTongue' group, which appears related to the Kimsuky APT (advanced persistent threat) group, deployed malware named SHARPEXT that doesn't require users' Gmail login credentials. Related: [Free DMARC Checker](/tools/dmarc-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fnews-gmail-attack-cloud-fax-gmail%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Cybersecurity%20News%2C%20Gmail%20Attack%20Bypasses%2C%20Secure%20Cloud%20Fax%3A%20Healthcare%20Transition%2C%20Gmail%20AMP%20XSS%3A%20Discovered&url=undefined%2Fblog%2Fnews-gmail-attack-cloud-fax-gmail%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fnews-gmail-attack-cloud-fax-gmail%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fnews-gmail-attack-cloud-fax-gmail%2F&title=Cybersecurity%20News%2C%20Gmail%20Attack%20Bypasses%2C%20Secure%20Cloud%20Fax%3A%20Healthcare%20Transition%2C%20Gmail%20AMP%20XSS%3A%20Discovered "Share on Reddit") [ ](mailto:?subject=Cybersecurity%20News%2C%20Gmail%20Attack%20Bypasses%2C%20Secure%20Cloud%20Fax%3A%20Healthcare%20Transition%2C%20Gmail%20AMP%20XSS%3A%20Discovered&body=Check out this article: undefined%2Fblog%2Fnews-gmail-attack-cloud-fax-gmail%2F "Share via Email") ![Cybersecurity News, Gmail Attack Bypasses, Secure Cloud Fax: Healthcare Transition, Gmail AMP XSS: Discovered](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) In today’s evolving threat landscape, email authentication is one crucial aspect that no organization can afford to ignore. With threat actors updating their techniques and methodologies to bypass authentication systems, it has become necessary to be aware of these developments. > From a product strategy perspective, DMARC reporting is evolving from a security tool to a business intelligence platform, says Brad Slavin, General Manager of DuoCircle. The data in aggregate reports tells you not just who’s spoofing you, but who’s sending legitimate email on your behalf - and whether they’re doing it correctly. ## 1\. A New Gmail Attack Variant Bypasses Passwords and 2FA According to the threat research team of cyber security firm[ Volexity](https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/), the North Korean ‘SharpTongue’ group, which appears related to the Kimsuky APT (advanced persistent threat) group, deployed malware named SHARPEXT that doesn’t require users’ Gmail login credentials. Instead, it “inspects and exfiltrates data directly ” from the victim’s Gmail account as they browse it. It is a quickly evolving threat, and experts at Volexity state it has already reached version 3.0 as per the malware’s internal versioning. The SHARPEXT malware can steal email from AOL and Gmail webmail accounts and targets Microsoft Edge, Google Chrome, and Whale, a South Korean client. ![Dmarc check](https://media.mailhop.org/dmarcreport/images/2022/08/dmarc-check-5379.jpg) ## How is the SHARPEXT threat Different? The report states that SHARPEXT differs from previous browser extensions that the hacking espionage groups have deployed. It doesn’t grab the user’s login credentials but bypasses their need and grabs email data as the victim reads it. However, the good news is that the victim’s system must be compromised earlier if the malicious extension needs to be deployed. Unfortunately, it is a well-known fact that system compromise is not a difficult task for cyber adversaries. Once a system gets compromised by unpatched vulnerabilities, phishing, malware, etc., the cybercriminals can use a malicious VBS script to replace the system preference files and install the extension. The extension runs silently in the background and is difficult to detect. This incident tells why it’s important to deploy email authentication measures such as DMARC, DKIM, and SPF. ## 2\. Healthcare Professionals Switching From Email To ‘More Secure’ Fax, A Cloud Fax Company A new study states that many healthcare professionals say that flaws in the web security landscape are prompting them to return to an “extremely” secure medium: fax. The[ eFax research](https://www.vanillaplus.com/2022/07/19/70914-healthcare-providers-turn-to-cloud-faxing-for-secure-transmission-of-confidential-and-sensitive-documents/), published earlier this month, surveyed 1,000 IT decision-makers in Europe and the UK. According to[ the report](https://www.efax.co.uk/docs/default-source/efax-corporate/secret-life-of-fax-healthcare-industry-ebookf67333ce24f56cc6acd0ff0000199d84.pdf), 62% of the healthcare sector respondents said that security was the primary reason they wanted to migrate to cloud-based fax systems. Furthermore, 21% of respondents believed digital fax systems are an “extremely” secure technology. ## What is ‘cloud fax’? Cloud faxing removes the requirement of on-premise equipment on both sides of the transmission. The users can use an online service to send fax quickly, to be viewed or printed by the recipient. 37% of respondents among fax users in healthcare said they used “cloud-based fax” systems, and 21% said they used both traditional and cloud faxing. The research was conducted by eFax, a company that displays the slogan: “The fast and easy way to receive and send faxes by email.” ## 3\. XSS Discovered in Gmail’s AMP for Email A security researcher received a $5,000 bug bounty payout when he discovered a cross-site scripting (XSS) vulnerability in Gmail’s dynamic email feature, AMP for Email. Bringing AMP functionality to interactive emails, AMP for Email leverages the open-source HTML framework suitable for optimizing websites for mobile browsing. Adi Cohen, the security researcher who unearthed the security flaw, said he had little trouble finding a vector triggering an XSS in the AMP playground. However, he noted that bypassing Gmail’s XSS filter was a much tougher assignment. ## Rendering Contexts Cohen further elaborated that tricking the XSS filter into a different rendering context than how the browser uses it to render a given piece of code is the easiest way to circumvent it. Since AMP for Email forbids templates, math, SVG, and CSS, he targeted stylesheets as the potential path for XSS payload having multiple rendering contexts. It required a discrepancy in how the stylesheet is rendered by the browser and by “tricking the filter into believing a fake style tag is real.” Cohen’s initial vector was successful in the sandbox because AMP will leave the CSS context whenever it encounters the ’) or whitespace after it. Then he tricked the filter into believing it was back in the HTML context while the browser ignored entirely and stayed within the CSS realm. ## 4\. Another Phishing Attack Targets Microsoft Email Users, Bypassing Multi-Factor Authentication Cybersecurity researchers at[ Zscaler](https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services) recently uncovered the latest large-scale phishing campaign that targets Microsoft email users. The primary targets of the malicious campaign are corporate users, especially end users in Enterprise environments using Microsoft email services. Cybercriminals use Adversary-in-The-Middle (AiTM) techniques for bypassing multi-factor authentication (MFA). Microsoft informed about a similar attack in[ early July](https://www.ghacks.net/2022/07/17/office-phishing-attack-circumvents-multi-factor-authentication/) that targeted over 10,000 organizations, using AiTM techniques to bypass MFA protections. Zscaler described the latest attack as highly sophisticated, which uses multiple evasion techniques in various stages of the attack. These techniques are designed to bypass conventional network and email security solutions. Most enterprises targeted by the malicious campaign are in the United Kingdom, United States, Australia, and New Zealand. FinTech, Lending, Accounting, Energy, Finance, Insurance, and Federal Credit Union are the main sectors targeted. ![Dmarc record](https://media.mailhop.org/dmarcreport/images/2022/08/dmarc-record-3967.jpg) ## How does The Attack Take Place? The attack starts when phishing emails are sent out to Microsoft email addresses. The progression of the attack depends on phishing emails and the users interacting with them. The malicious emails can contain a link to a phishing domain or HTML attachments containing the link. In any case, the user must click on the link to start the infection chain. Strikingly similar to the phishing campaign described by Microsoft earlier, phishing emails in this campaign use a variety of topics to gain the user’s attention. One email lured the user by suggesting it contained an invoice for review, and another said a new document needed to be viewed online. ## Final Words The legitimacy of an email’s true ownership is critical for communication. In a Business Email Compromise (BEC) cyberattack, the victimized organization can face brand erosion, financial loss, and lost consumer trust. It is clear from the discussion that security standards like MFA and 2FA are not enough to stop attackers. Individuals and organizations need email authentication standards, using SPF, DKIM, and DMARC protocols for protecting the email and domain from unwanted threats. ## Topics [ DMARC ](/tags/dmarc/) ![Vasile Diaconu](https://media.mailhop.org/dmarcreport/images/team/vasile-diaconu.jpg) [ Vasile Diaconu ](/authors/vasile-diaconu/) Operations Lead Operations Lead at DuoCircle. Runs project management, developer coordination, and technical support execution for DMARC Report. [LinkedIn Profile →](https://www.linkedin.com/in/vasile-diaconu/) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Cybersecurity News, Gmail Attack Bypasses, Secure Cloud Fax: Healthcare Transition, Gmail AMP XSS: Discovered","description":"In today's evolving threat landscape, email authentication is one crucial aspect that no organization can afford to ignore.","url":"https://dmarcreport.com/blog/news-gmail-attack-cloud-fax-gmail/","datePublished":"2022-08-30T09:24:24.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2022-08-30T09:24:24.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vasile-diaconu/#person","name":"Vasile Diaconu","url":"https://dmarcreport.com/authors/vasile-diaconu/","jobTitle":"Operations Lead","description":"Vasile Diaconu is the Operations Lead at DuoCircle, the company behind DMARC Report and AutoSPF. He coordinates between engineering, product, and technical support - running project management, interfacing with developers on customer-reported issues, and making sure work that comes in through the support channel actually gets closed out. Vasile sits at the intersection of customer feedback and engineering execution, giving him a direct view of which email authentication problems customers hit most often in production.","image":"https://media.mailhop.org/dmarcreport/images/team/vasile-diaconu.jpg","knowsAbout":["SaaS Operations","Technical Support Coordination","Customer Issue Resolution","Engineering Program Management","Deployment Operations"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vasile-diaconu/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/news-gmail-attack-cloud-fax-gmail/"},"articleSection":"foundational","keywords":"DMARC","wordCount":1136,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg","caption":"Cybersecurity News, Gmail Attack Bypasses, Secure Cloud Fax: Healthcare Transition, Gmail AMP XSS: Discovered","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Cybersecurity News, Gmail Attack Bypasses, Secure Cloud Fax: Healthcare Transition, Gmail AMP XSS: Discovered","item":"https://dmarcreport.com/blog/news-gmail-attack-cloud-fax-gmail/"}]} ```