Cofense - Security Awareness Training & Email Threat Detection

Google Doc Phishing Attack Hits Fast and Hard

Share This Article

Google Doc Campaign Makes a Mark

In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with subject line stating that someone has “has shared a document on Google Docs with you”, which contained a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs all within the website.

Example of PhishMe Triage in Fig 1:



Example of Mailinator Phishing Email in Fig 1-2:

Fig. 1-2

“Open in Docs”

The highlighted portion above can be any of the following:


When our team attempted to access these URLs they were no longer functional. When we attempted to visit these sites, we received a Google Message indicating that to protect users they are unable to process any requests to these URLs as seen in Fig. 1-3.

Fig. 1-3

At the time of this write-up, it appears that Google has disabled the OAuth client that was being used for this campaign as seen in Fig. 1-4.

Fig. 1-4

However, prior to the Google cleanup several security teams, such as SANS Internet Storm Center, were able to provide a further look into the URLs:

PhishMe cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for unexpected emails that contain subject lines referring to shared documents when not expected, and email bodies that ask you to visit a link to open a document you’re not expecting. PhishMe Simulator customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.