Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Google Docs Phishing Campaign

May 03, 2017 - 3 min read


An aggressive phishing campaign went viral earlier today that impacted multiple Google Mail users, including those in enterprise Google deployments. The campaign involved unsuspecting users receiving an email with a Google Doc link from one of their known contacts. If a user clicks on the link and further grants access, that user's contacts would be leveraged to send the same phishing email with a link from the impacted user account.

The attack involved squatted domains that were recently registered and hosting the malicious web app. Google permitted this app to request access to a user’s email and contacts leveraging the Google authentication service. As such, many users believed that they were responding to a request from Google, not a third party, and clicked on it.

Campaign details

We saw the Mailinator service being leveraged to receive the spam emails with Google Doc links to harvest email addresses of the victims who fell for the campaign. Below is a screenshot of one of the inboxes used in this campaign:


Figure 1: Mailinator inbox leveraged in one of the spam emails

Here is a sample email that the target user would receive from this campaign:


Figure 2: Google phishing email with link

If the "Open the Docs" link is clicked, the user will be redirected to Google’s OAuth to select the Google account:


Figure 3: Google's OAuth redirection

Once the user selects the Google account, the malicious app will request the following permissions; to the user, the requests looks like it has come from Google Docs:

  • Read, send, delete, and manage your emails
  • Manage your contacts


Figure 4: Google OAuth permission for accessing email and contacts

If access was allowed, the user will be redirected to a site hosting a malicious web app. We noticed 10 unique, recently registered domains that were being leveraged for this activity. Each of these domains was registered on the same day: April 22, 2017. We saw more than 10,000 hits in two hours earlier today for these squatted domains.


Figure 5: Hits to squatted domains involved in Google phishing campaign


The attacker leveraged the tried-and-true method of social engineering to make this phishing campaign successful. The campaign became viral within minutes, because the majority of these spam emails were sent from legitimate Google user accounts to their known contacts, making detection difficult.

Google was quick to resolve this issue and provided regular updates on its Twitter handle (@googledocs). Zscaler implemented blocks for multiple domains tied to this campaign within minutes of the initial reports, ensuring protection for customers. Customers leveraging strict Suspicious destination-based policies were proactively protected from this campaign.




form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.