Widespread Google Docs Phishing Email
Yesterday afternoon, multiple sources began reporting on a widespread phishing campaign involving emails containing a link that prompted users to open a document in Google Docs. The body of the email stated “[name] has invited you to view the following document:” and included a blue, hyperlinked button to “Open in Docs.” If the user clicked the link, it opened to a legitimate Google login page and a permissions box appeared that requested the user "Allow" access to a fraudulent application hosted at hxxps://googledocs[.] g-docs[.]win. If the user clicked the "Allow" button, the malicious actor was granted access to the user's email account and address book, which then allowed the actor to send the same phishing email to any or all of the victims' contacts. It is unclear who was responsible for this campaign, or what the intent was, but it is clear that many users received the emails. Due to the compromise and use of victim's address books to propagate the email, users may have received the email multiple times from legitimate contacts and not from untrusted senders, thereby increasing the likelihood of falling victim to it. As of 5:15pm EDT yesterday evening, Google announced that they had disabled the offending accounts and shut down the fraudulent site. If a user clicked to allow the permissions, Google recommends visiting g.co/SecurityCheckup and removing apps you do not recognize. If users click the link today, they should receive a Google 404 error, with no reason for concern. The NJCCIC recommends organizations inform all users of this threat and use the opportunity to remind them to never click on links or open attachments in unsolicited emails, to always look for indicators of suspicious or malicious emails, and think twice before granting permissions or access to third-party applications.