New insidious Google Docs phishing scheme is rapidly spreading on the web

Pierluigi Paganini May 04, 2017

Don’t click Google Docs link! A Google Docs phishing scheme is quickly spreading across the Internet targeting a large number of users.

Did you receive an unsolicited Google Doc from someone?

First, do not click on that Google Doc link embedded in the email you have received and delete the message, even if it’s from someone you know.

A Google Docs phishing scheme is quickly spreading across the Internet targeting a large number of users and employees at multiple media outlets and organizations that Gmail.

Some of the websites associated with this campaign appear to have been shut down.

A large number of users are receiving a very insidious OAuth phishing email, which informs the recipient that sender “has shared a document on Google Docs” with the,

Google Docs phishing



Once the recipient clicked the link, he will be redirected to a page which says, “Google Docs would like to read, send and delete emails, as well access to your contacts,” asking the victim’s permission to “allow” access.

Google Docs phishing
If the user will allow the access, the attackers would get access to the recipient’s Gmail account without providing any Gmail password.

At this point, the attackers have the key of your kingdom and anything linked to the compromised Gmail Accounts is at risk.

Once the victim gives the attacker’s applications the permissions to manage his email account, it automatically sends same Google Docs phishing email to everyone on the contact list on behalf of the victim.
The attack technique used in this Google Docs phishing scheme was also associated recently with and Pawn Storm ongoing espionage campaign. The cyber spies are abusing OAuth, presenting a legitimate Google dialogue box requesting authorization, then asks permission for access to “view and manage your e-mail” and “view and manage the files in your Google Drive.”

Google also already started blocking any malicious apps leveraging this subtle trick.

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” said a Google spokesperson in an email.

“We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

“There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools / campuses,” explained Christopher Boyd, malware intelligence analyst at Malwarebytes, today.

“This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there, or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a ‘look at the cute cat pic’ fashion.”

If you have already clicked on the phishing link and granted permissions you can remove them for the bogus “Google Docs” app directly from your Google account.

Below the procedure to remove permissions:

  1. Go to your Gmail accounts permissions settings at and Sign-in.
  2. Go to Security and Connected Apps.
  3. Search for “Google Docs” from the list of connected apps and Remove it.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hacking, Google Docs phishing)

[adrotate banner=”13″]

you might also like

leave a comment