According to Blake Barnes, Google’s own vice president of product for Gmail, “3 billion users rely on Gmail to connect and get things done,” while Google Drive has an estimated one billion active users. I can exclusively reveal that an architectural flaw in the integration between the two services poses a significant security threat to “nearly every individual with a Gmail account.” A new report has confirmed, with a proof of concept, that attackers can leverage Gmail and Google Drive as a high-trust malware delivery infrastructure by delivering malicious attachments that receive a misleading and dangerous “scanned by Gmail” seal of approval. Here’s everything you need to know, including the response from Google itself.

Scanned By Gmail Doesn’t Provide The Attachment Security You Might Think It Does

The most popular free web service on the planet, Gmail, has a lot of security positives. And, oh boy, does it need them as it is under persistent attack from hackers and scammers alike. Thankfully, both Gmail and Google Drive have mechanisms in place to prevent them from being used to distribute the type of malicious files often used in such attacks. However, as Ben Ilkashi, a security researcher at Pentera Labs, exclusively shared with me, it is possible for an attacker to exploit these to devastating effect. “What if I told you that you could trick a machine into displaying your malicious attachment as completely safe?” Ilkashi said. “What if I told you that you could get Google itself to sign off on your phishing payload and effectively achieve the holy grail of phishing attacks?” That grail is absolute and unquestioned credibility. Trust on steroids, if you like.

Ilkashi’s research, now published by Pentera Labs following a 90-day responsible disclosure period, has highlighted an architectural misalignment within Google’s unified security framework that enables malware that is “otherwise explicitly blocked by Gmail’s attachments scanner” to be hosted on Drive and delivered to recipients alongside a “Scanned by Gmail” label of trust. First reported through the Google Bug Hunters program on December 14, 2025, Google confirmed that it was a duplicate of an “internally tracked issue.” On January 22, Google’s Trust and Safety unit confirmed that “no fix timeline was available,” according to Ilkashi, and the decision regarding disclosure timing was up to Pentera Labs.

Google’s Serious Gmail And Drive Security Gaffe Explained

This serious Google security gaffe came to light when Ilkashi was initially researching the malicious use of Scalable Vector Graphics as a phishing campaign payload. “As part of my payloads testing against popular providers,” Ilkashi explained, “I encountered an attachment block in Gmail.” This was accompanied by a ‘virus detected’ label when attaching the file, and Gmail prevented the payload from being sent. Google Drive also has a scanning mechanism that marks malicious files as ‘Flagged for abuse’ and prevents anyone other than the author from downloading them, alongside a warning interstitial that alerts users before they download potentially harmful file types. That’s the good news, and you know what’s coming next, don’t you?

The bad news is that Ilkashi was able to send a malicious SVG sample, already flagged by Gmail as ‘virus detected’ and blocked from being sent as a result, by using Google Drive as a hosting platform. “Contrary to Gmail’s detection,” Ilkashi explained, “Google Drive did not classify this file as malicious.” Yes, you read that right: despite already being flagged as a virus, Gmail’s own Drive attachments feature allowed it to be uploaded to Drive and configured to be accessible to anyone possessing the share link. This is an architectural misalignment between the two scanning mechanisms, and as a result it poses a danger to almost all users of Gmail. A new email could then be composed containing a link to the now-known-to-be-malicious file on Drive, and Gmail did not scan it again; it simply sent the message as if nothing were wrong, complete with a misleading “Scanned by Gmail” label.

The issue appears to be that Gmail grants implicit trust to files that originate from Google Drive, assuming that because a file is within the internal ecosystem it is pre-vetted; Gmail therefore bypasses its standard verification steps, “allowing the malicious payload to inherit the 'safe' status of its storage container,” Ilkashi said.

Google Responds To Gmail Attachment Security Disclosure

I reached out to Google, and a spokesperson provided the following statement: "Protecting Google Workspace users is our top priority. Gmail and Google Drive automatically block the vast majority of malicious files—including dangerous executable attachments—before they can ever reach an inbox." However, as the Pentera Labs research, along with a fully working proof of concept, shows, this simply isn’t good enough when attackers are able to exploit user trust and disguise malicious payloads behind the “Scanned by Gmail” facade of legitimacy.

Google has said it is actively updating the user interface to clarify how safety checks are displayed when files are shared via Google Drive links, giving users a clear and accurate security context at all times. Google also said that Gmail’s “built-in defenses successfully prevent users from sending or receiving dangerous file types, such as executables, as direct email attachments,” stating that “this fundamental security boundary has not changed and remains fully operational.” Which is great, apart from the fact that the issue as outlined by Ilkashi and Pentera Labs remains exploitable. The proof of concept is valid, and I have seen it in action myself: it used a crafted ransomware executable employing XOR-based encryption as its payload. “For the purpose of this demonstration,” Ilkashi said, “the ransomware will search and encrypt a file called encrypt-me.txt in the same directory. However, this could be easily modified to initiate an infinite end-to-end attack vector, utilizing Google's products as a credible delivery mechanism.”

This “is not an isolated or theoretical edge case, but a reproducible architectural gap,” Ilkashi warned, adding that if it can be discovered through security analysis, “it can also be identified and leveraged by motivated adversaries.” Until Google addresses this security flaw, all Gmail users are advised to treat emails containing Google Drive links or attachments as potentially dangerous, regardless of any “Scanned by Gmail” label.
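The practical upshot of the Drive-link trust gap described above is that a Drive link in an inbound message should be handled as an unscanned attachment, whatever label the Gmail interface shows. As an added example (not code from the article, Pentera Labs or Google), here is a small mail-gateway triage filter in Python that pulls Google Drive file IDs out of both the plain-text and HTML parts of a message, so the gateway can hold the message and fetch each file for its own scan instead of relying on the trust the file inherits from Drive. The sample messages, file IDs and the hold/deliver action names are constructed for this example; the URL shapes are Drive's public share-link formats.

```python
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from typing import Dict, List

# Public Google Drive share-link shapes; group 1 is the opaque file ID.
# The second pattern tolerates a literal "&amp;" in case the body was not unescaped.
DRIVE_LINK_PATTERNS = [
    re.compile(r"https?://drive\.google\.com/file/d/([A-Za-z0-9_-]+)"),
    re.compile(r"https?://drive\.google\.com/(?:open|uc)\?(?:[^\s\"'<>&]*&(?:amp;)?)?id=([A-Za-z0-9_-]+)"),
]


class _HrefCollector(HTMLParser):
    """Collect <a href> targets and visible text from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []
        self.text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def _text_chunks(msg: Message) -> List[str]:
    """Decoded text of every text/* part; HTML parts also contribute their hrefs."""
    chunks: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_subtype() == "html":
            collector = _HrefCollector()
            collector.feed(body)
            collector.close()
            chunks.extend(collector.hrefs)           # links hidden behind anchor text
            chunks.append(" ".join(collector.text))  # links pasted as visible text
        else:
            chunks.append(body)
    return chunks


def extract_drive_file_ids(raw_message: str) -> List[str]:
    """Return the distinct Drive file IDs referenced anywhere in the message body."""
    ids: List[str] = []
    for chunk in _text_chunks(message_from_string(raw_message)):
        for pattern in DRIVE_LINK_PATTERNS:
            for match in pattern.finditer(chunk):
                if match.group(1) not in ids:
                    ids.append(match.group(1))
    return ids


def triage(raw_message: str) -> Dict[str, object]:
    """Policy decision: a Drive link is an unscanned attachment until proven otherwise.

    Direct attachments are scanned by Gmail, but per the Pentera Labs finding a
    Drive-hosted file inherits trust instead of being re-scanned, so the gateway
    holds the message and scans each referenced file itself. Action names are
    constructed for this example.
    """
    ids = extract_drive_file_ids(raw_message)
    if ids:
        return {"action": "hold_for_independent_scan", "drive_file_ids": ids}
    return {"action": "deliver", "drive_file_ids": []}


# Constructed sample: a lure carrying Drive links in both the text and HTML parts.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: Q3 invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The invoice is here:
https://drive.google.com/file/d/CONSTRUCTED_FILE_ID_1/view?usp=sharing

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>The invoice is
<a href="https://drive.google.com/uc?export=download&amp;id=CONSTRUCTED_FILE_ID_2">here</a>.</p>
</body></html>
--b1--
"""

# Constructed sample with no Drive reference at all.
CLEAN_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon. https://www.example.com/menu
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
    print(triage(CLEAN_MESSAGE))
```

The filter deliberately ignores any "scanned" indication: the label the article describes is rendered by the Gmail client, not carried as a verifiable property of the file, so the only safe signal a gateway can act on is its own scan of the content behind each file ID.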