This attack report covers a very sophisticated phishing scheme that came in the form of an invitation to open a Google Doc.

Here's how it looked to the end-user: The potential victim receives an email sent from a known contact's legitimate Gmail account that invites them to open a Google Doc. When the recipient clicks on the link, they are redirected to Google's login page and asked to authorize "Google Docs", which is, in fact, a malicious script requesting API access to the user's account. Once authenticated, the script sends the email out to the entire contact list.

Were you a victim of this attack?

Check your company's accounts to

see who was compromised

Summary of the Attack

To-date, this is the most successful attack against Gmail in terms of number of people that were attacked and number of accounts compromised. Here is what was so unique about this phishing attack that made it so successful:

1. The hackers created an app for Gmail that is using a misleading name: "Google Docs". They were 'phishing' not a person but an app.

2. The malware was self propagating and acted like a worm: Receivers were getting emails from people they know, compromising their account and then an auto-email would go to everyone they ever communicated with

3. The Google login page was real. So, users weren't giving their credentials to the attackers but approving their app's access to their Gmail.

Anatomy of the Email

The message is sent from a compromised user's Gmail account, so it arrives in the inbox as completely legitimate email, complete with the sender's full name, email address and their Google account photograph. Because the recipient was a known contact, it is very likely that they had shared multiple emails, files and Google documents in the past.

The link itself—should the user decide to check before clicking—looks innocent because it a a perfectly legitimate Google URL. Even a sophisticated user who might copy and paste the link into the browser could be fooled because it points to Google's own servers.

The only indication that a user might have that this is not a legitimate email is the fact that their email address was in the BCC: field and the message was mailed to a strange mailinator account "hhhhhhhhhhhhh". This is concerning because the attack could have easily sent it directly to the user and used a much more convincing address. Every other aspect of the email was 'legitimate'.

Anatomy of the Attack: OAuth API.

This attack is a more sophisticated version of the so-called "Google Defender" attack reported last week by one of our partners, Trend Micro, and attributed to Pawn Storm (Fancy Bear), the same group that compromised the DNC and Hillary Clinton gmail accounts last year. While the "Google Defender" attack targeted a few specifically-chosen individuals, this attack was much more widespread, sending emails out by the hundreds of thousands. It is possible that this worm-like behavior was a coding mistake.

Unlike most phishing attacks, which try to fool users into giving up their password, this attack used Google's own API to create an invisible connection to the user's account to capture contacts and send emails by remote control. While we are not certain that this attack was propogated by the same group, the methodology was the same.

When the user clicks on the "Open in Docs" link, they are taken to Google's OAuth authentication screen. Because the malicous app used the name "Google Docs", it was easily missed by users that are used to authenticating to Google every day. Only if they clicked on the name of the app would they see that the developer was actually Eugene Pupov and "Google Docs" was actually a PHP script hosted on docscloud.info.





As soon as the user clicked "Allow", the malicious script connected to the victim's Gmail account, harvested the contact list and sent emails to everyone in just a matter of seconds. Because of he nature of an API connection, the attacker could maintain full access to the account even if a suspicious victim changed passwords and looked for suspicious logins.

Since 4:40 EDT, Google has disabled all the sites and applications related to this worm, but we must assume that the attacker has the full list of harvested email addresses. This is why we are offering a free audit to anyone that mentions this blog to determine if one of your company's users might have been compromised by this attack.

The Avanan Vantage Point

The Avanan Cloud Security Platform had a unique visibility into this attack as it happened.

First, Avanan protects the cloud-based email accounts of both Gmail and Office365 users using multiple security tools from the industries' most trusted names in malware, phishing and URL reputation. We also look for behavior anomalies both within a single company's account as well as across multiple customers, learning and identifying attacks that span multiple accounts.

Second, unlike inline Mail Transfer Agent (MTA) proxies that can only see inbound email as it arrives, Avanan monitors inbound, outbound and internal email within the organization. Because this attack was prone to spread instantly within an enterprise, a traditional SMTP-based mail gateway would likely be blind to the internal spread. (See the video below.)

Third, Avanan has full visibility into every email that a user has sent and received, with the abilty to go back in time to identify compromised accounts and retroactively quarantine emails right from the user's inbox. Just hours after the attack, we were able to create a new account for a company and scan all their previous emails to identify potentially compromised users.

Fourth, Avanan monitors and protects the full G Suite environment, including all external applications that connect via the Google API. This is how we found that is possible for a company to be compromised even if no one in the organization received an email.

The Incoming Attack

We saw the attack in the inboxes of most of our customers, whether or not they were Gmail users. We saw that a single external sender could send dozens of emails to multiple users in our customer's account within the same second. At this rate, we extrapolate that a single compromised account could blast an email to all of its contacts within 20 or 30 seconds.

We also found instances of Gmail accounts that had been compromised, even when no one in the organization had received the malicious email. By looking at attached applications across the organization, we found a user that had installed the app by clicking on the link within her personal university email while logged into her corporate google account.

The Malicious Code

We have learned a great deal about this attack through analysis of the propogation code. We suspect that the attacker did not mean for it to spread so far so fast. When filtering the contact list we see that he attempted to divide them into two groups:

1. contacts matching @gmail 2. contacts matching "google", "keeper" or "unty"

Perhaps he had intended to specifically target organizations that matched 'keeper' and 'unty'. We don't know, but we are sure that he did not intend to attract this level of attention. We can assume that this is not the first, nor the last time someone will attempt this type of attack. We can also predict they will avoid the mistakes that were made this time. The TO: field will be personalized without the tell-tale BCC. The emails will be sent low and slow. They will be more specifically targeted.

What can you do?

Once again, we are seeing the sophisticated tools of state-sponsored hackers loose in the wild. This is why Avanan has partnered with over 70 of the most advanced security tools in the industry to provide the most complete defense-in-depth security stack possible for defending SaaS accounts.

If you would like to see if your company has been compromised by this or any previous attack, we are offering a free audit to readers of this blog. We will scan your Google or Office 365 account for phishing, malware, malicious APIs or other potentially compromising threats from today, yesterday or even last year.