0

I received an email (text and source below), that looks socially like phishing but looks technically like it will check out. My best guess is that Unicode has been used to copy domain names.

The text of the webpage is:

Action required: Your Google Account is temporarily disabled
Hi, We’ve detected unusual activity in your Google Account jonathan.hayward@pobox.com and locked it to protect your information.

  1. Sign in to your account or to any Google service as soon as possible, to reactivate your account.
  2. Use the Security Checkup to verify and improve your account’s security.

The Google Accounts team

This email can't receive replies. For more information, visit the Google Accounts Help Center.

You received this mandatory email service announcement to update you about important changes to your Google product or account.

© 2017 Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

The source is:

Delivered-To: christos.jonathan.hayward@gmail.com
Received: by 10.80.213.202 with SMTP id g10csp342702edj;
        Thu, 7 Sep 2017 09:56:54 -0700 (PDT)
X-Received: by 10.55.98.18 with SMTP id w18mr4723276qkb.163.1504803414371;
        Thu, 07 Sep 2017 09:56:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1504803414; cv=none;
        d=google.com; s=arc-20160816;
        b=XSHE33mgAcZ4yoC2LYtMjwi15HSRD3yFoK8PfZqbikT2HsD7kna1ZbQoqfsU+SkbrX
         FQOIrjhEzlqeJo2rSktzXjlqoANFlgDC3Ng75scS50pD9hKPPdcL9q+kMzdZWgY2z9f8
         JG4EqfmEuVZyzeTSbFLOw7xRKOZMzC2PTtXldp70+Vn47eHgHXq0TrbwrlF9v6wDbWcZ
         4FvVV10pt/mjTxY0xd2xhcFOL9slZ55sEoGBJjxWGta29A/8ixb88XFXwWyfMAz5aQ9g
         7XklLamjcWELUwdar0YJ/12XxCTz8JOoYOUcqLYM1KqgR9Fe7ZQ1u/QATAnObodT8Q+I
         mdRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:from:subject:message-id:feedback-id:date:mime-version
         :dkim-signature:delivered-to:arc-authentication-results;
        bh=UolmLh0qPQQ90zBwrHeckq1lbjvl7J88mUQGg78J32o=;
        b=zJhCpHDJjE2eWTbs4gg3uB7A1HYY6U1ilAByF3b28IRJYYz0s2zF5Zs9m3zHFCR/nK
         QIqffIjcWkxVJK8aqgYCN9OIuc/7TWNvcs5di1pAOwi+n9+TGarcyOwEusunDtpPcoGL
         iw/ysZrXh6bKcBO7eYT8YsfKVJrNr6hEUWCkKsUHEqZq2ya2CrJvK9kO/6Md/6jvsgbU
         H63R4uuolFr5jT/EEZSfdbb/F3vgAU7sBfH0U777sx0SGxW7p8yU1ISAbQ9LWqC9fWQ6
         PO8oygngzAKvXHxSP+yP13Vzwd1WrCZgrYiCMbh1UqbfUZqUZOtDc+6cNFiG+bA09LIK
         ajig==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@accounts.google.com header.s=20161025 header.b=f6IaG5Yo;
       spf=pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com=3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates 64.147.108.55 as permitted sender) smtp.mailfrom=SRS0=jFi5=AI=gaia.bounces.google.com=3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@bounce2.pobox.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com
Return-Path: 
Received: from pb-mx14.pobox.com (pb-mx14.pobox.com. [64.147.108.55])
        by mx.google.com with ESMTPS id k65si103352qkf.467.2017.09.07.09.56.54
        for 
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 07 Sep 2017 09:56:54 -0700 (PDT)
Received-SPF: pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com=3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates 64.147.108.55 as permitted sender) client-ip=64.147.108.55;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@accounts.google.com header.s=20161025 header.b=f6IaG5Yo;
       spf=pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com=3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates 64.147.108.55 as permitted sender) smtp.mailfrom=SRS0=jFi5=AI=gaia.bounces.google.com=3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@bounce2.pobox.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com
Received: from pb-mx14.nyi.icgroup.com (localhost [127.0.0.1]) by pb-mx14.pobox.com (Postfix) with ESMTP id 0BF4F20189 for ; Thu,
  7 Sep 2017 12:56:54 -0400 (EDT)
X-Pobox-Loop-ID: 5f0919ca6722ee2ad126d239e3273c1129427ad0
Delivered-To: jonathan.hayward@pobox.com
X-Pobox-Delivery-ID: E285A2-D270B20187-1504803414-07697135!pb-mx14.pobox.com
Received: from mail-yw0-f199.google.com (mail-yw0-f199.google.com [209.85.161.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-mx14.pobox.com (Postfix) with ESMTPS id D270B20187 for ; Thu,
  7 Sep 2017 12:56:53 -0400 (EDT)
Received: by mail-yw0-f199.google.com with SMTP id x144so231194ywd.15
        for ; Thu, 07 Sep 2017 09:56:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=accounts.google.com; s=20161025;
        h=mime-version:date:feedback-id:message-id:subject:from:to;
        bh=UolmLh0qPQQ90zBwrHeckq1lbjvl7J88mUQGg78J32o=;
        b=f6IaG5YoON7KwOWfbnsZSjxoe2hN1HFuMygE5IObxV0T1uDGSGCk0O8s6at2iDabV3
         4bVGZhnz404/QdnOsWtXq1jLjBuZY0CfnCzchTTpFFS7O30kjHPGaTgwKJueW3/rUuUY
         v5M5aTgv/Z5G92XIEMDR0ArtKtyt0Yb4H00dgj3XcWQGYytjueeNrbzIYT7/bolTI8py
         3arHkjMjPu144HV22VlCzHJsscX0kgNjxDzIkTUPAiH87J8DJKQpeAW3QqMcl9NOJwZ2
         yY62lXywy0VjTJluIE2Mp2rIzypT9xpy6DR2u0X2+puY2CkSAABK5LiqAMAu1TOs7ahY
         78BQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:date:feedback-id:message-id:subject
         :from:to;
        bh=UolmLh0qPQQ90zBwrHeckq1lbjvl7J88mUQGg78J32o=;
        b=nbjdinMFQvgeKuClIZZteD6R9yuaPJVPTNyw+AXejnR4IFU0iglDTb+WN35rhir9Ky
         w8oI+R73AjzEmhrHHnLzuYKJCh5iSS+miWtM6IMccTVEom/IRb4HIPytICgchy7lA8aZ
         imVmrxPna2E0kkkHVzCqpDBzkQXST9m4p4m3mESvq6uZYt+r/VtXjZjbMlVS10AqXkUB
         Y7hJ9DlSIB6dNEUkTh1g0bpwa/E/A2TyhcorFGfwp72HiX20q3W/Dgys1oo6zuAYJgQI
         vJJqgdwMuVRfrrGhRiRe8e3BwLTT32O9t5GbjXJ0rMD/60XCXfz22R0Y+LztYHxDOGyO
         +4UA==
X-Gm-Message-State: AHPjjUgzmSZPgCWmHX9MPzCSGSmIw4njupwzCIc0Utr0EXvA0HAYfDgd v46KxhtuxEOCF8zAr4DDITXl097WRldz
X-Google-Smtp-Source: ADKCNb4JVdIC05q1wFsStNjSNVjkYZ1onuhcEX2PMg9EGRKbX5+p6JVMW3HQmMc6Pnw9ANRxDif9hkAW4qhBGJpJG6gdqA==
MIME-Version: 1.0
X-Received: by 10.13.214.84 with SMTP id y81mr2097463ywd.103.1504803413568; Thu, 07 Sep 2017 09:56:53 -0700 (PDT)
Date: Thu, 7 Sep 2017 16:56:14 +0000 (UTC)
X-Notifications: XEAAAAIxDcr8zzNnoAtSR2bobk0A
X-Account-Notification-Type: 68
Feedback-ID: 68:account-notifier
Message-ID: 
Subject: Action required: Your Google Account is temporarily disabled
From: Google 
To: jonathan.hayward@pobox.com
Content-Type: multipart/alternative; boundary="94eb2c0762b0ec2da405589c58ad"
X-Pobox-Client-Address: 209.85.161.199
X-Pobox-Client-Name: mail-yw0-f199.google.com
X-Pobox-Client-HELO: mail-yw0-f199.google.com
X-Pobox-Original-Sender: 3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@gaia.bounces.google.com

--94eb2c0762b0ec2da405589c58ad
Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes
Content-Transfer-Encoding: base64
--94eb2c0762b0ec2da405589c58ad
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

@media s=
creen and (min-width: 600px) {.v2sp {padding: 6px 34px 0px;}}=
Action required: Your Google Account is temporarily disab=
led=
Hi,We=E2=80=99=
ve detected unusual activity in your Google Account jonathan.hayward@pob=
ox.com and locked it to protect your information.

1. Sign in to your account or to any Google ser= vice as soon as possible, to reactivate your account.
2. Use the Security Checkup to verify= and improve your account=E2=80=99s security.
The Google Accounts= teamThis email can't receive replies. For more in= formation, visit the Google Accounts Help Center.You received this mandatory email service announcement to= update you about important changes to your Google product or account.= © 2017 Google Inc., 1600 Amphitheatre Parkway, Mountain View= , CA 94043, USAet:68 --94eb2c0762b0ec2da405589c58ad--

How, besides basic social blunders on the attacker's end, can I recognize the phishing?

--UPDATE--

I started writing the note below as a comment to an answer, then realized I should have put this in the question from the beginning. I wrote:

One comment that I probably should have added: I have a main email address, christos.jonathan.hayward@gmail.com, which can send email through several addresses, including sending email from jonathan.hayward@pobox.com by logging into pobox servers. The second address has no separate Gmail account, just a passport to get into pobox.com and send emails, if you will. I read the quoted email from the first address, which does not seem impaired in any way.

And more specifically, I've sent test emails to and from jonathan.hayward@pobox.com. All of them have gotten through uneventfully.

Christos Hayward
    Check here: https://myaccount.google.com what is happening with your account, and change your password as soon as possible, because your email can be found in many public dumps - check - https://haveibeenpwned.com/. – Mirsad Sep 08 '17 at 02:27

3 Answers

6

The first indication that this is not a phishing email is that there's no link included, nor are there instructions to navigate to a specific domain or URL. The email only directs you to log in to your account, which you'll do through a URL that you already know to be trustworthy.

Looking into the headers, the receiving server has added these:

Authentication-Results: mx.google.com; dkim=pass header.i=@accounts.google.com header.s=20161025 header.b=f6IaG5Yo; spf=pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com=3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates 64.147.108.55 as permitted sender) smtp.mailfrom=SRS0=jFi5=AI=gaia.bounces.google.com=3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@bounce2.pobox.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com 

This indicates that the receiving server mx.google.com has validated that the sender is who they claim to be, passing SPF and DKIM checks (as indicated by spf=pass and dkim=pass).

Additionally, this header contains header.from=accounts.google.com, telling us that when Google's receiving server got this email, the From header contained an address at accounts.google.com.

For whatever reason, Gmail appears to have changed this header to simply read Google, presumably to indicate to the user that it's confirmed to be sent by Google itself.

Conclusion: the email is legitimate.

TerrorBite
  • Thank you; could you review the update at the bottom of my email? There's something puzzling me in that jonathan.hayward@pobox.com is not a full-fledged Gmail account. – Christos Hayward Sep 09 '17 at 12:42
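As an added example (not part of the answer above or of any Google tooling), the following Python script parses the Authentication-Results header quoted in the answer and shows which authenticated identifier actually satisfies DMARC. It makes the point the answer glosses over: `spf=pass` here is for `bounce2.pobox.com`, the forwarder's SRS-rewritten envelope sender, which does not align with `accounts.google.com`; it is the DKIM signature whose `header.i` domain aligns with the From domain that carries the `dmarc=pass`. The organizational-domain approximation (last two labels) is an assumption made for brevity; real relaxed alignment consults the public suffix list.

```python
import re
from typing import Dict, List

# The Authentication-Results value quoted in the answer above, re-joined onto
# one line as the receiving server (mx.google.com) emitted it.
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@accounts.google.com header.s=20161025 header.b=f6IaG5Yo; "
    "spf=pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com="
    "3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates "
    "64.147.108.55 as permitted sender) "
    "smtp.mailfrom=SRS0=jFi5=AI=gaia.bounces.google.com="
    "3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@bounce2.pobox.com; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com"
)


def _strip_comments(value: str) -> str:
    # Drop RFC 5322 comments such as "(google.com: domain of ...)" so that the
    # text inside them cannot be mistaken for method=result pairs.
    return re.sub(r"\([^()]*\)", " ", value)


def parse_authentication_results(value: str) -> Dict:
    """Split an Authentication-Results value (RFC 8601) into the authserv-id and
    one record per method: {'method': 'dkim', 'result': 'pass', 'props': {...}}."""
    fields = [f.strip() for f in _strip_comments(value).split(";") if f.strip()]
    authserv_id = fields[0].split()[0]
    records: List[Dict] = []
    for field in fields[1:]:
        tokens = field.split()
        method, _, result = tokens[0].partition("=")
        # ptype.property=value; partitioning on the first '=' keeps values that
        # themselves contain '=' (the SRS-rewritten smtp.mailfrom) intact.
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        records.append({"method": method.lower(), "result": result.lower(), "props": props})
    return {"authserv_id": authserv_id, "results": records}


def _org_domain(identifier: str) -> str:
    """Approximate the organizational domain by the last two labels (assumption:
    real DMARC relaxed alignment uses the public suffix list instead)."""
    domain = identifier.strip().rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def dmarc_alignment(parsed: Dict) -> Dict:
    """Report which passing identifier (DKIM d=/i= or SPF MAIL FROM) aligns
    with the RFC5322.From domain that DMARC evaluated."""
    by_method = {r["method"]: r for r in parsed["results"]}
    from_domain = by_method["dmarc"]["props"]["header.from"].lower()
    dkim = by_method.get("dkim", {})
    spf = by_method.get("spf", {})
    dkim_identity = dkim.get("props", {}).get("header.i", "")
    spf_identity = spf.get("props", {}).get("smtp.mailfrom", "")
    return {
        "from_domain": from_domain,
        "dkim_pass_aligned": dkim.get("result") == "pass"
            and _org_domain(dkim_identity) == _org_domain(from_domain),
        "spf_pass_aligned": spf.get("result") == "pass"
            and _org_domain(spf_identity) == _org_domain(from_domain),
        "dmarc_result": by_method.get("dmarc", {}).get("result", ""),
    }


if __name__ == "__main__":
    parsed = parse_authentication_results(AUTH_RESULTS)
    for record in parsed["results"]:
        print(record["method"], record["result"], record["props"])
    print(dmarc_alignment(parsed))
```

Run against the quoted header this reports `dkim_pass_aligned: True` and `spf_pass_aligned: False`: the SPF pass belongs to the forwarding hop, and only the DKIM signature ties the message to `accounts.google.com`. Since the signing key is fetched from DNS under the signer's domain, a third party cannot produce a valid `d=accounts.google.com` signature, which is why the `dmarc=pass` with `p=REJECT` is the strongest evidence in these headers.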
4

It is hard to tell if the mail is fake but there are some strange things in it - which might or might not be due to the way you provided the source code of the mail:

  • The HTML part claims to be quoted-printable UTF-8 and thus should not contain any non-ASCII characters unencoded. But, what you provided contains a clear '©' which would need to be encoded.
  • The DKIM signature does not match the body of the mail. But again, this might be a problem of how you provided the source of the mail.
  • There is no Message-ID given (i.e. empty). Again, this might be a problem with how you've provided the source code.
  • Similarly, there is no email address in the 'From: ..' header but only 'Google'. Given that other headers claim to have a successful DMARC validation this should not be possible since DMARC requires a valid From header which must match the domain of the DKIM signature.

My guess is that you actually don't provide the full and exact source code of the mail for validation, either because you've tried to remove some information or because of the way this source was provided to you from the mail program you use. In this case the source is not of much use for further analysis.

Steffen Ullrich
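As an added example (not part of the answer above), here is a Python script using only the standard library that checks a raw message for the four anomalies the answer lists: raw non-ASCII inside a part declared quoted-printable, an empty Message-ID, a From header without an address, and a DKIM `d=` domain that cannot align with the From domain. The sample message is constructed to reproduce those anomalies from the quoted source; its DKIM `bh=`/`b=` values, the `<placeholder@...>` Message-ID and the address used in the "fixed" variant are placeholders, not values from the original mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample reproducing the anomalies discussed above. The DKIM tag
# values are placeholders; "\u00a9" is a raw copyright sign that a
# quoted-printable body should have carried as =C2=A9.
RAW_MESSAGE = """\
MIME-Version: 1.0
Date: Thu, 7 Sep 2017 16:56:14 +0000 (UTC)
Message-ID:
Subject: Action required: Your Google Account is temporarily disabled
From: Google
To: jonathan.hayward@pobox.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=accounts.google.com; s=20161025;
        h=mime-version:date:message-id:subject:from:to;
        bh=PLACEHOLDER_BODY_HASH=;
        b=PLACEHOLDER_SIGNATURE==
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,We=E2=80=99ve detected unusual activity in your Google Account.
=C2=A9 2017 Google Inc. \u00a9 2017 Google Inc.
--b1--
"""

# The same message with the defects repaired (constructed placeholders again),
# to show the checks coming back clean.
FIXED_MESSAGE = (
    RAW_MESSAGE.replace("From: Google\n", "From: Google <placeholder@accounts.google.com>\n")
    .replace("Message-ID:\n", "Message-ID: <placeholder@accounts.google.com>\n")
    .replace("\u00a9", "=C2=A9")
)


def _from_address(msg) -> str:
    return parseaddr(msg.get("From", ""))[1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dkim_signing_domain(msg) -> str:
    """Extract the d= tag from the (possibly folded) DKIM-Signature header."""
    compact = re.sub(r"\s+", "", msg.get("DKIM-Signature", ""))
    match = re.search(r"(?:^|;)d=([^;]+)", compact)
    return match.group(1).lower() if match else ""


def quoted_printable_parts_with_raw_non_ascii(msg):
    """Indices (in msg.walk() order) of parts declared quoted-printable whose
    undecoded body still contains bytes above 0x7F."""
    offenders = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        if cte != "quoted-printable":
            continue
        raw = part.get_payload(decode=False)  # the encoded form, before QP decoding
        if any(ord(ch) > 0x7F for ch in raw):
            offenders.append(index)
    return offenders


def audit_message(raw: str) -> dict:
    msg = message_from_string(raw)
    from_addr = _from_address(msg)
    from_domain = _domain(from_addr)
    signing_domain = dkim_signing_domain(msg)
    return {
        "missing_message_id": not (msg.get("Message-ID") or "").strip(),
        "from_has_no_address": "@" not in from_addr,
        "dkim_domain": signing_domain,
        # DMARC needs an authenticated identifier aligned with the From domain;
        # with no From domain at all, nothing can align (strict alignment here).
        "dkim_from_aligned": bool(from_domain) and from_domain == signing_domain,
        "qp_parts_with_raw_non_ascii": quoted_printable_parts_with_raw_non_ascii(msg),
    }


if __name__ == "__main__":
    print("as quoted :", audit_message(RAW_MESSAGE))
    print("repaired  :", audit_message(FIXED_MESSAGE))
```

On the quoted sample every finding fires, while the repaired variant comes back clean. None of these findings proves the mail is forged (the answer's point is that they are equally consistent with a mail client that rewrote the source for display), but a message whose headers say `dmarc=pass` and whose From line has no domain is internally contradictory, so the copy being analysed cannot be the bytes the receiving server signed and verified.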
0

From: Google looks suspicious in this one. Legitimate email will have some sort of sender address, even if it is a noreply@.

Some phishing email is particularly well crafted though, so the advice I always give people is that if you receive an email with a link that you are unsure about, either:

  1. Browse to the organization's site that the email claims to be from yourself. By initiating the communication, you know who you are talking to, rather than risking a possibly dodgy link in an email. In this instance, you'll know quickly if your Google account is locked out.

  2. Contact the vendor. Tricky when that is Google, but if it was a bank, for example, they would be able to tell you if the email was legitimate.

Hope that helps.

  • What is in the email that could be a phishing attack? Nothing. There are no links, and nothing that directs you to a website or a place that could pretend to be Google. – Keith M Sep 08 '17 at 05:13