Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - Google/GMail/Docs Account Phishing Scheme
Keywords: Google, Google Docs, Phishing, Accounts, GMail
DBSA ID: 2017-05031
Regarding: Google/GMail Account Phishing Scheme
Date: 2017 05 04
Last Modified: 20170504003147 by Kradorex Xeron
Who should take note: All Google Users, Associated Contacts and G-Suite Administrators
Rationale: Users must be increasingly vigilant to avoid being vulnerable.
Rationale: Successful exploitation may result in full account compromise.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: All Google Users are potential targets.
Google is an Internet conglomerate that provides multiple services to the public. Of specific interest is GMail, an email service and Docs, an online office-style document creation and sharing services.
A phishing vulnerability has been discovered where due to to how Google Accounts is designed, an unauthorized third party may impersonate a user's known contact and may send a crafted malicious request to the target that may compromise a user's account through a malicious third party app. Once compromized, the app, hosted on the attacker's servers begins scanning the user's contacts and sending them like malicious requests.
As this phishing scheme uses Google's built-in authentication systems, users may not detect this scheme as phishing.
Three common points for this scheme involve the app identifying as "Google Docs", domain names including "docscloud"/"googledocs"/"gdocs" and the requests are addressed to "email@example.com" with the recipient in the BCC line. However this should not be solely relied upon for detection as there is evidence that this operation is mutating to use other identifiers.
Users are advised to ignore (and NOT reject), then delete all requests that they are not anticipating and verify through secondary separate contact means any requests they are anticipating.
Users are advised not to reject requests as it can verify to an attacker that the target account is active and to pursue other possible means.
Those who have been exploited are advised to visit https://myaccount.google.com/u/0/permissions?pli=1 to revoke permissions.
Google's Accounts infrastructure is of considerable complexity but deploys an overly simplistic user interface for users to authorize or manage permissions.