Last week, another major phishing campaign impacted over 1 million Gmail users, taking advantage of legitimate 3rd party sharing features to sneak past security filters. We reported on another Google phishing attack back in early 2017, but this one uses even more sophisticated tactics. Another attack occurring so soon shouldn’t be surprising, as phishing attacks increased by 65% in 2016, with just under 100k phishing attacks getting reported every month.

Number of phishing attacks from 2015-2016. The number of phishing attacks in 2016 was higher than any previous year since the Anti-Phishing Working Group (APWG) began recording in 2004.

Google Doc Phishing Email

How it Works

  • User receives an email within their primary inbox with the subject line “[sender] has shared a Document on Google Docs with you”
  • The user knows the sender (and has them in their contacts) so they open the malicious email
  • The email contains a link that leads the user to another page where they grant permission to a fake “Google Docs” application
  • Without ever typing or specifically “giving up” their credentials, the attacker now has permission to read, write, and access the victims email (including contacts)
  • The Google Doc phishing email is then sent to all of the users contacts, continuing the cycle and gaining access to more accounts

By granting these permissions, victims basically hand over complete access to their email, and although there are no reports of this yet, cybercriminals could view messages and collect confidential information, to later sell on the dark web.

Why it Works

The Google Doc phishing attack works particularly well because it utilizes legitimate sharing features within Google. The icons and messaging within the email are familiar to users, so there is very little evidence that the email isn’t real. Plus, since the phishing attack infiltrates email accounts to continue spreading the email, the sender addresses are legitimate and Google places the email into the primary inbox.

The link within the email doesn’t take victims to a bogus or counterfeit Google login page; the bad guys have manipulated 3rd party sharing features to work within the Google Drive family of applications undetected. Users don’t even actively give up their credentials, victims are just giving a bogus app access to their account. The Google Doc phishing scam takes advantage of the fact that people can create non-Google web applications with misleading names. This particular weakness has been known as a theoretical possibility for several years.

All of this standard-looking behavior made it difficult for the vast majority of email filtering solutions to detect the attack. Using signature-based phishing indicators, there is nothing for email filters to flag. From their view, the email is coming from a legitimate sender and contains a safe sharing link.

Phishing Clues

Even though this attack uses complex methods there are two clues that uncover this Google Doc phishing attack.

    1. Strange email address: If users receive this phishing email, they might notice that the email isn’t actually directly sent to them, but that they are BCC’d. The direct recipient of the email is an address that starts with “hhhhhhhhhhhhhh” and ends with “”. This domain comes from a website that creates temporary or disposable email addresses.

  1. Developer email: When users get to the application permissions page, they are able to view who the developer of the counterfeit “Google Docs” application is. The developer email is, “” clearly not the real Google Doc application.

What now?

If you have already fallen for the Google Doc phishing scam, there are some things you can do to protect yourself after the fact.

  • Go into your Google Account Permission settings and revoke permissions for the fake Google Docs app.
  • Set up two factor authentication so if the hacker attempts to access your account again they will be unable to do so.

Luckily, Google has now taken precautionary steps to stop this attack by deleting the fake Google Docs application so this particular threat has been stopped for now. However variations are bound to pop-up—possible setting the stage for even more compelling and dangerous phishing attacks.

Advanced Phishing Protection

Although this attack got by the vast majority of email security systems, it was detected and isolated immediately by Vade Secure’s global threat centers. Our systems are fed with massive data on over 400 million email boxes and powered by artificial intelligence.

Vade Secure’s email security solution spotted and isolated the Google Doc Scam starting with the first email that hit our system.

This predictive email security system can detect both known and unknown threats. Our advanced phishing protection uses 8-layers of protection to determine if emails are legitimate, before letting them into your employees’ inboxes.

The real-time worldwide scanning solution uses:

  • Artificial intelligence
  • Heuristics
  • Counter measure detection
  • Machine learning
  • Real time reputation
  • Future behavior projection
  • Webpage exploration
  • Domain name exploration

Employee education and training just isn’t enough anymore; support your employees efforts with Vade Secure’s email security suite to defend against ransomware, spear phishing, and zero-day attacks.

Want to learn more about our solution? Contact us today to schedule a demo.