According to online reports — in particular, a detailed user thread on Reddit — clicking on an emailed share link, purportedly from a known source, was taking users to a site that asked permission for a fake app calling itself “Google Docs” to access their accounts. If they agreed, the app would then send additional copies of the original email to the users’ contacts.
— Zeynep Tufekci (@zeynep) May 3, 2017
Earlier reports suggested the attack was a phishing scam potentially aimed at harvesting personal information and maybe even Google login credentials. But in a statement late Wednesday, Google said that while the campaign accessed and used contact information, no other data was apparently exposed.
Google said it was able to stop the campaign in about an hour. It has disabled offending accounts, removed fake pages and updated its Safe Browsing feature, which issues warnings when users visit dangerous sites.
We’ve addressed the issue with a phishing email claiming to be Google Docs. If you think you were affected, visit https://t.co/O68nQjFhBL. pic.twitter.com/AtlX6oNZaf
— Google Docs (@googledocs) May 3, 2017
One telltale sign for identifying the spam email: It appears to be directed to the address firstname.lastname@example.org, and is only blind copied to the recipient.