A phishing campaign seems to be making its way around the internet baiting users to open a 'Google Document' sent by someone they had contact with in the past.


The link appears to redirect to a legitimate Google authentication page, which attempts to authorize a rogue Google Docs application. This grants the bad guys access into the victim's Gmail and contacts without needing their password/2FA token.


SANS Analysis: https://isc.sans.edu/diary/22372

Fell for it? Here is the fix:

  • Google Security Check
  • Navigate towards the Account Permissions section.

    Google Security Check

  • Check for "Google Docs," and remove it if it exists. It's not the real Google Docs.

    Rogue Google Doc App

While it doesn't appear this was a credential harvesting attack, its best to reset your password and enable Two Factor Authentication as a preventative measure with Google Account Security settings.