Google Docs Phishing Campaign

By   ISBuzz Team
Writer , Information Security Buzz | May 04, 2017 03:47 pm PST

Viral phishing campaign targeting Google users and enterprise Google deployments


An aggressive phishing campaign went viral yesterday that impacted multiple Google Mail users, which includes enterprise Google deployments. The campaign involved unsuspecting users receiving an email with a Google Doc link from one of their known contacts. If the user clicks on the link and further grants access, their contacts would be leveraged to send the same phishing e-mail with a link from the impacted user account.

The attack involved squatted domains that were recently registered and hosting the malicious web app. Google permitted this app to request access to a user’s email and contacts leveraging the Google authentication service. As such, many users believed that they were responding to a request from Google, not a third party and clicked on it.

Campaign details

We saw mailinator service being leveraged to send out some of the initial spam e-mails with Google Doc links to harvested e-mail addresses. Below is a screenshot of one of the inboxes used in this campaign:


Figure 1: Mailinator inbox leveraged in one of the spams

Here is a sample e-mail that the target user will receive from this campaign:

open in docs

Figure 2: Google Phishing email with link

If the user clicks on the ‘Open Docs’ link, they will be redirected to Google’s OAuth to select their Google account:

Google's OAuth redirection

Figure 3: Google’s OAuth redirection

Once the user selects the Google account, the malicious app will request the following permissions, which to the end user looks like being requested by Google Docs:

  • Read, Send, Delete, and Manage your emails
  • Manage your contacts


Figure 4: Google OAuth permission for accessing email & contacts

The user will be redirected to a site hosting malicious web app, if they allow access. We noticed ten unique recently registered domains that were being leveraged for this activity. Each of these domains were registered on the same day – April 22, 2017. We saw more than 10,000 hits in two hours yesterday for these squatted domains.


Figure 5: Hits to squatted domains involved in Google Phishing campaign


The attacker leveraged the tried and tested method of social engineering to make this phishing campaign successful. This campaign became viral within minutes because majority of these spam e-mails were sent from legitimate Google user accounts to their known contacts making it difficult to detect.

Google was quick to resolve this issue and provided regular updates on their twitter handle (@googledocs). Zscaler implemented blocks for multiple domains tied to this campaign within minutes of the initial reports, ensuring protection for the customers. Customers leveraging strict ‘Suspicious destination’ based policies were proactively protected from this campaign.



[su_box title=”About Zscaler” style=”noise” box_color=”#336588″][short_info id=’100036′ desc=”true” all=”false”][/su_box]

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x