On Wednesday, May 3, Google identified, investigated, and resolved an email phishing campaign that affected some accounts in our domain. This issue was addressed within approximately one hour from when Google became aware of it. Please note that we have already taken action to protect all users, and no further action is necessary. To assist you in understanding what happened and providing all users with information on the importance of email security, we are sharing details on how the campaign worked and how we addressed it.
The affected users received an email that appeared to be from a contact offering to share a Google Doc. Clicking the link in the attacker’s email directed the user to the attacker’s application, which falsely claimed to be Google Docs and asked for access to the user’s account. If the user authorized the application, it read the user’s contacts in order to send the same message to those contacts. This access only retrieved contacts and sent the message onward; customer data such as the contents of emails and documents was not exposed.
Upon detecting this issue, we immediately responded with a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems.
Google has taken the following steps to protect all users:
- Disabled the offending Google Accounts that generated the phishing link
- Revoked any access that the affected users authorized to the attacker
- Disabled the malicious projects and apps that sought access
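The two facts above that matter for defenders are that the malicious app impersonated a first-party product by display name and that it asked for scopes covering contacts and mail. The script below, an added example written for this notice and not code from Google or from our IT staff, audits a user's third-party OAuth grants against exactly that combination and revokes the matches through a caller-supplied function. The record shape is assumed to mirror the Admin SDK Directory API `tokens` resource (`clientId`, `displayText`, `scopes`); the client IDs, the approved-app allowlist and the sample grants are constructed placeholders.

```python
"""Audit third-party OAuth grants for apps that impersonate Google products
while asking for contact or mailbox access (added example, constructed data)."""
import re
from typing import Callable, Dict, Iterable, List

# Scopes that let an app read a user's address book or whole mailbox.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.google.com/m8/feeds",
    "https://mail.google.com/",
}

# Client IDs the organisation has reviewed and approved (placeholder values).
APPROVED_CLIENT_IDS = {"approved-backup-tool.example"}

# Display names that imitate first-party Google products.
GOOGLE_LOOKALIKE = re.compile(r"\b(google|gmail|g suite)\b", re.IGNORECASE)


def is_suspicious(grant: Dict) -> bool:
    """A grant is suspicious when an unapproved app uses a Google-like name
    AND holds at least one contacts/mail scope. Either signal alone is common
    in legitimate apps; the combination is the pattern from this campaign."""
    if grant["clientId"] in APPROVED_CLIENT_IDS:
        return False
    looks_like_google = bool(GOOGLE_LOOKALIKE.search(grant.get("displayText", "")))
    wants_sensitive = bool(SENSITIVE_SCOPES & set(grant.get("scopes", [])))
    return looks_like_google and wants_sensitive


def flag_grants(grants: Iterable[Dict]) -> List[str]:
    """Return the client IDs of all suspicious grants, in input order."""
    return [g["clientId"] for g in grants if is_suspicious(g)]


def revoke_flagged(user: str, grants: Iterable[Dict],
                   revoke: Callable[[str, str], None]) -> List[str]:
    """Revoke every suspicious grant for `user` via `revoke(user, client_id)`.
    `revoke` is injected so the real admin API call (assumed to be
    tokens().delete in the Directory API) can be substituted in production."""
    flagged = flag_grants(grants)
    for client_id in flagged:
        revoke(user, client_id)
    return flagged


# Constructed sample grants for one user (field names assumed per the lead-in).
SAMPLE_GRANTS = [
    {"clientId": "lookalike-docs.example", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"clientId": "approved-backup-tool.example", "displayText": "Google Drive Backup",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"clientId": "calendar-sync.example", "displayText": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
    {"clientId": "gmail-theme.example", "displayText": "Gmail Themes Pro",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]


def demo() -> List[str]:
    """Run the audit over the constructed grants with a logging revoker."""
    revoked = []

    def log_revoke(user: str, client_id: str) -> None:
        revoked.append((user, client_id))
        print(f"revoked {client_id} for {user}")

    revoke_flagged("user@example.edu", SAMPLE_GRANTS, log_revoke)
    return [cid for _, cid in revoked]


if __name__ == "__main__":
    demo()
```

Only the lookalike "Google Docs" grant is revoked: the backup tool is on the allowlist, Calendar Sync holds a contacts scope but does not imitate Google, and the Gmail-named app asks for nothing sensitive. Running this in bulk across all users, then feeding the flagged client IDs to a domain-wide block, is the administrative counterpart of the revocation step listed above.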
In addition, Google is taking multiple actions to combat this type of attack in the future such as updating our policies and enforcement on OAuth applications, updating our email filters to help prevent campaigns like this one, and augmenting the monitoring of suspiciously behaving third-party apps that request consent from our users.
Immediately upon notification that there was an issue (we received the phishing attempt as well), we began taking steps to limit the access and impact. We started by addressing the email itself. We began controlling that email so that it did not go to everyone (even though we were quick by human standards, it takes only microseconds for email to be sent). We also began addressing the accounts that we knew were affected. (Please note that for security purposes, we don’t share all of the details of the actions that we take.)
Technology has become an essential part of our lives. We all rely on email, shared documents and many other electronic resources. It is up to all of us to be careful and mindful of what we do on the Internet. We should always think twice before granting access to applications (many users did think twice and did NOT grant access). Unfortunately, we will probably see more attempts to steal our information. Please be mindful and follow good password practices.
You may have seen this attack on your personal (or other) Google accounts. There is no action that you need to take at this point. However, it is a good idea to occasionally change your password. It is also important not to use the same password on multiple sites.