> Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.
Seems like this is the flow:
1. Create a Google Workspace with a g.co subdomain. Apparently this is not verified, or verifying the domain is not necessary for the next steps.
2. Create an account for the victim under this Google Workspace.
3. Reset that account's password.
The victim gets an email from Google Workspace informing them that their password was reset. And this email is a real, legitimate (not spoofed) email from Google because it's just a result of the normal password reset process for a Google Workspace account.
> Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.
Seems like this is the flow:
1. Create a Google Workspace with a g.co subdomain. Apparently this is not verified, or verifying the domain is not necessary for the next steps.
2. Create an account for the victim under this Google Workspace.
3. Reset that account's password.
The victim gets an email from Google Workspace informing them that their password was reset. And this email is a real, legitimate (not spoofed) email from Google because it's just a result of the normal password reset process for a Google Workspace account.