Attackers Use Domain Fronting to Tunnel Malicious Traffic via Google Meet, YouTube and Chrome Update Servers
Attackers have discovered a way to exploit Google's core services, including Google Meet, YouTube and the Chrome update servers, using a technique called domain fronting.
By making their malicious traffic appear as legitimate connections to high-trust domains, adversaries can tunnel data through Google’s backbone infrastructure without raising suspicion.
This research builds on previous demonstrations of tunneling through web conferencing apps, showing how the same concept applies to the very fabric of the Internet.
How Domain Fronting Works
Domain fronting leverages the discrepancy between the hostname announced in the TLS handshake (via Server Name Indication, or SNI) and the hostname inside the encrypted HTTP Host header.
When a client connects, the SNI field publicly indicates a benign domain such as meet.google.com so network monitors treat it as safe.
Inside the encrypted session, however, the Host header specifies an attacker-controlled domain hosted on Google Cloud Platform.
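The mismatch described above is only visible to a defender who can see both halves of it: the SNI from the ClientHello and the Host header from the decrypted request. The following is an added example, not code from the gbhackers article, that assumes a TLS-inspecting proxy which logs both fields per connection; the log format, the field names and the sample lines are constructed for this example. It flags connections whose SNI and Host header resolve to different registrable domains, while tolerating ordinary subdomain differences (www.example.com behind an example.com SNI) so those do not produce noise.

```python
"""
Detect SNI / Host-header mismatches in TLS-inspecting proxy logs.

Added example (not from the gbhackers article). Assumes a proxy that records,
per connection, the SNI presented in the TLS ClientHello and the Host header
seen after decryption. The log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed log format: "<timestamp> <client_ip> sni=<sni> host=<host>"
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 sni=meet.google.com host=meet.google.com
2024-01-01T10:00:01Z 10.0.0.5 sni=meet.google.com host=fronted-backend.example
2024-01-01T10:00:02Z 10.0.0.7 sni=www.youtube.com host=www.youtube.com
2024-01-01T10:00:03Z 10.0.0.9 sni=update.googleapis.com host=relay-node.example:443
2024-01-01T10:00:04Z 10.0.0.9 sni=example.com host=www.example.com
2024-01-01T10:00:05Z 10.0.0.9 sni=example.com host=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+sni=(?P<sni>\S*)\s+host=(?P<host>\S*)\s*$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    sni: str
    host: str


def registrable_domain(hostname: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    Simplification for the example: a production check should consult the
    Public Suffix List so that names like 'host.co.uk' are split correctly.
    A trailing ':port' on the Host header is stripped before comparison.
    """
    name = hostname.split(":", 1)[0].lower().rstrip(".")
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one constructed log line, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_sni_host_mismatches(lines: Iterable[str]) -> List[Finding]:
    """Flag connections whose SNI and Host header belong to different registrable domains."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["sni"] or not rec["host"]:
            # Malformed line, or one field missing (e.g. no Host header seen):
            # nothing to compare, so skip rather than guess.
            continue
        if registrable_domain(rec["sni"]) != registrable_domain(rec["host"]):
            findings.append(Finding(rec["ts"], rec["client"], rec["sni"], rec["host"]))
    return findings


if __name__ == "__main__":
    for f in find_sni_host_mismatches(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.client}: SNI {f.sni} but Host {f.host}")
```

Run against the constructed sample it reports the two connections whose Host header points at a domain other than the one named in the SNI and ignores the rest. The check depends entirely on having the decrypted Host header available; on a network path with no TLS inspection the SNI alone looks like ordinary traffic to meet.google.com or www.youtube.com, which is exactly the gap the technique relies on.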

Copyright of this story solely belongs to gbhackers.