Approximately a million Google users were impacted by the attack before Google shut down the application and took the appropriate remediation actions. In response to the attack, Google released the following statement:

We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.

Google followed that with:

We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.

The phishing scam was simple in execution but sophisticated in design. The attackers managed to create an application called “Google Docs” that bypassed Google’s app vetting process. The email itself looked eerily similar to what a legitimate Google Docs invite email would look like, including the button design.

Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK. — Zeynep Tufekci (@zeynep) May 3, 2017

Clicking the button took users to a genuine Google page served from Google’s own servers, followed by a genuine Google OAuth permissions page. The attackers even used the official Google Docs logo to trick their victims. Vigilant users could have spotted the fraud by clicking the down arrow next to the “Google Docs” name on the consent page: the developer information shown there belonged not to Google but to an unrelated individual’s account.
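The manual check just described (a first-party product name on the consent screen, but a developer who is not Google, asking for contact and mail access) can be automated over a list of OAuth grants. The following is an added example, not code from the original post or from Google; the grant record format, field names and sample records are constructed for illustration and do not correspond to any real API.

```python
# Added example: audit OAuth app grants for consent-phishing indicators.
# Record layout ("app_name", "developer_email", "scopes", "client_id") is an
# assumption for this illustration, not a real Google Workspace API shape.

# Display names that only a first-party Google app should legitimately use.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}
# Scopes that grant the contacts/mail access the 2017 campaign abused.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://mail.google.com/",
}
GOOGLE_DEVELOPER_DOMAINS = {"google.com"}


def is_suspicious_grant(grant):
    """Return the reasons a grant looks like consent phishing ([] if clean)."""
    reasons = []
    name = " ".join(grant["app_name"].split()).lower()   # normalise spacing/case
    dev_domain = grant["developer_email"].rsplit("@", 1)[-1].lower()
    third_party = dev_domain not in GOOGLE_DEVELOPER_DOMAINS
    impersonates = name in FIRST_PARTY_NAMES and third_party
    if impersonates:
        reasons.append(f"name {grant['app_name']!r} mimics a Google product "
                       f"but the developer is {dev_domain}")
    sensitive = SENSITIVE_SCOPES & set(grant["scopes"])
    if impersonates and sensitive:
        reasons.append("requests contact/mail access: " + ", ".join(sorted(sensitive)))
    return reasons


def audit(grants):
    """Map client_id -> reasons for every grant that raised at least one flag."""
    flagged = {}
    for g in grants:
        reasons = is_suspicious_grant(g)
        if reasons:
            flagged[g["client_id"]] = reasons
    return flagged


# Constructed sample grants: one look-alike, one genuine first-party, one benign third-party.
SAMPLE_GRANTS = [
    {"client_id": "client-a", "app_name": "Google Docs",
     "developer_email": "someone@example.net",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly", "https://mail.google.com/"]},
    {"client_id": "client-b", "app_name": "Google Docs",
     "developer_email": "apps@google.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"client_id": "client-c", "app_name": "Team Calendar Helper",
     "developer_email": "dev@example.org",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    for cid, reasons in audit(SAMPLE_GRANTS).items():
        print(cid, "->", "; ".join(reasons))
```

Only the look-alike grant is flagged; the genuine Google app with the same display name and the plainly named third-party app pass, which is the distinction a reviewer of connected apps needs to draw.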

What’s the fallout?

Google sprang into action within an hour, shutting down the OAuth request and automatically revoking the fraudulent application’s permissions across all user accounts. According to Google, the app only accessed a user’s contact email addresses in order to spread the phishing email further, which raises the question: what was the purpose of this attack?

Phishing attacks may come in many forms, but they usually have a goal. In most cases, the attacker attempts to obtain users’ login credentials, which can be sold on the Darknet for monetary gain. In other cases (the DNC hack, for example), the underlying goal may be to inflict political damage.

If Google is accurate in its assessment, then this attack seems like an outlier in that there isn’t a clear purpose behind the attack. While the attackers now have millions of email addresses, given the prevalence of exposed email addresses, there may not be a lot of value in them alone. However, if the attack was targeted at specific individuals (with the rest of the victims becoming collateral damage), as some have suggested, then this could have wide-reaching ramifications.

What can you do to protect yourself?

While Google has already removed the malicious application from their users’ accounts, there are a few steps organizations can take to help prevent the damage from similar attacks in the future: