Google Docs Phishing Campaigns Targeting MS-ISAC Members

 On May 3, 2017, the Multi-State Information Sharing and Analysis Center (MS-ISAC) received reporting from five states regarding a Google Docs phishing email campaign. The details of the attack are as follows:

·         The email body states “[name] has invited you to view the following document:” and includes a link to “Open in Docs”. The link opens to a legitimate Google login page.

·         Once the recipients enter their credentials or select an account, a permissions box for a fraudulent application hosted at hxxps://googledocs[.]g-docs[.]win requests access to the user’s address book and email.

·         Once the victim clicks “Allow” this provides the attacker access to their email account and address book but not their calendar. The attacker can then send phishing emails to other targets from the compromised account.

 According to open source reporting, individuals and several private sector entities are receiving these emails as well, and this campaign is not specifically directed at SLTT governments. It is likely that the use of address books results in individuals in similar industries receiving emails from colleagues in their sector. For this reason, many of the phishing emails reported to the MS-ISAC appear to be sent from addresses belonging to state, local, tribal, and territorial (SLTT) government and educational entities. If you receive similar emails, do not click on any links and delete the email immediately.

 Per a trusted third party, Google is aware of the campaign and has identified it as an Oauth exploit. Google has blocked the sender and users should receive the Google 404 error if they click on the link. Google is in the process of shutting down the sender's site.


We recommend the following general best practices, to limit the effect of phishing emails and scams on your organization:

1.      Remind users not to open suspicious emails or attachments, or follow suspicious links, as they may contain malware.

2.      Implement filters at the email gateway to filter out emails with known phishing indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.

3.      Adhere to the principal of least privilege.

 If a user granted permissions to their account, these permissions can be revoked at the “Connected Apps and Sites” page of Google’s Account Settings. The user’s password should also be reset.

 If you experience similar targeting, please report the email to the MS-ISAC SOC at

 The MS-ISAC is interested in your comments - an anonymous feedback survey is available at: