A new phishing attack has appeared in inboxes around the world that masquerades as an email contact sharing a Google Doc.
The emails appear to originate from a legitimate account, with the email addressed to firstname.lastname@example.org and dozens of contact email addresses blind carbon copied (bcc) in.
Upon clicking the “Open in Docs” button on the standard Gmail pop-up, users are invited to click on the link to open the document, which also redirects them to a legitimate Google sign-in page.
Users are then prompted to select one of their Google accounts using Google’s normal sign-in system and asked to authorise an app called “Google Docs” to manage emails.
However, the app called “Google Docs,” which requests permission to read, send, and delete emails, is not a real Google app.
Clicking the link authorises the attack, and a user’s account will then be hijacked and used as an infection vector, repeating the same behaviour to every contact a user has ever emailed.
It also bypasses 2 factor authentication, as well as login alerts.
Users that have clicked “allow” have fallen victim to the campaign.
Update: Google patched this flaw in about an hour after it was found.