Early this afternoon, a new type of phishing attack popped up, targeting Google Docs/Gmail users and spreading like crazy. Well-disguised and infuriatingly subtle, just a click or two (on what was an actual Google-hosted URL, no less) handed some mystery attacker the ability to read your Gmail and forwarded the phishing attack to everyone you’d ever emailed.
The attack was simple, but sinister. You'd receive an email. It was from someone who had emailed you before and happened to have you in their contacts. They were “sharing a document” with you. Click the button to open the document, and you’d see a seemingly innocent page — one hosted by Google, no less! It wouldn’t ask you for a password, and it already listed all of your accounts. The page was asking you to give a “Google Docs” app permission to read your email and contacts.
The trick: That “Google Docs” app wasn’t actually Google Docs at all, just one somehow masquerading under the name.
Even if you were generally dubious of these sorts of things, it checked a lot of the right boxes. But click “allow” and bam — the mystery attacker now had inbox access and was fwd’ing the bait to everyone in your contact list.
Google says they’ve stopped the attack for now, and are “working to prevent this kind of spoofing from happening again.”
Here’s their full statement, via the Google Docs Twitter account:
(1 of 3) Official Google Statement on Phishing Email: We have taken action to protect users against an email impersonating Google Docs…
— Google Docs (@googledocs) May 3, 2017
(2 of 3) & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team…
— Google Docs (@googledocs) May 3, 2017
(3 of 3) is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
— Google Docs (@googledocs) May 3, 2017
In other words, this specific attack is stopped… but now that the example has been set, copycats could potentially follow suit. Google is working on blocking the overall concept… but in the meantime, I’d still suggest being super wary of unsolicited/unexpected Google Doc shares.
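For administrators who want to check for copycats of the consent screen described above, here is a sketch of a check over OAuth grant records. It is an added example, not code from Google or from this article. The record layout, the client IDs, the trusted list and the name normalization are all assumptions (the article does not say how the name was spoofed), and the sample records are constructed.

```python
import unicodedata
from collections import defaultdict

# Assumption: names an organisation reserves for first-party apps.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Assumption: placeholder allowlist of client IDs verified as first-party.
TRUSTED_CLIENT_IDS = {"first-party-client-id.example"}
# OAuth scopes exposing mail or contacts, the access the fake app asked for.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
}

def normalize(name):
    """Fold case, compatibility forms, invisible characters and spacing."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split())

def impersonating_apps(grants):
    """Map each untrusted client using a protected name to the users who
    granted it mail/contacts access (the accounts needing token revocation)."""
    hits = defaultdict(lambda: {"users": set(), "scopes": set()})
    for g in grants:
        if g["client_id"] in TRUSTED_CLIENT_IDS:
            continue  # verified first-party app
        if normalize(g["app_name"]) not in PROTECTED_NAMES:
            continue  # not borrowing a protected name
        risky = SENSITIVE_SCOPES & set(g["scopes"])
        if risky:
            hits[g["client_id"]]["users"].add(g["user"])
            hits[g["client_id"]]["scopes"] |= risky
    return {cid: {"users": sorted(h["users"]), "scopes": sorted(h["scopes"])}
            for cid, h in hits.items()}

MAIL, CONTACTS = "https://mail.google.com/", "https://www.googleapis.com/auth/contacts"
# Constructed sample grants: (user, app_name, client_id, scopes).
SAMPLE_GRANTS = [dict(zip(("user", "app_name", "client_id", "scopes"), row)) for row in [
    ("alice@example.com", "Google Docs", "unknown-app-1.example", [MAIL, CONTACTS]),
    ("bob@example.com", "google\u200b docs", "unknown-app-1.example", [MAIL]),
    ("carol@example.com", "Google Docs", "first-party-client-id.example", [MAIL]),
    ("dave@example.com", "Notes Sync", "unknown-app-2.example", [MAIL]),
    ("erin@example.com", "Google Docs", "unknown-app-3.example", ["openid"]),
]]

if __name__ == "__main__":
    for cid, hit in impersonating_apps(SAMPLE_GRANTS).items():
        print(cid, hit["users"], hit["scopes"])
```

Several users granting the same unrecognised client in a short window is the pattern to act on first, since each grant in this attack forwarded the bait to that user's contacts.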