Starting Wednesday, May 3, 2017, a self-propagating worm leveraging the Google Gmail service quickly spread. The worm impacted millions of Gmail users, causing significant damage to many organizations reliant upon services, such as Gmail, Google Drive, and Google Docs.
Google has taken steps to mitigate this threat by removing the malicious application from their environment, marking all of the phishing emails as spam, and blocking the malicious domains hosting the fake websites.
A Google email phishing campaign with the subject line of “[Name] has shared a document on Google Docs with you,” was sent to entice users to click on emails purportedly from someone in their Contacts list.
Clicking the link redirects the user to a fake Google account login page, in order to access a malicious Google Docs application. The malicious Google Docs application will resend itself to all of the victim user’s Contacts to spread.
All users who interacted with this phishing email, or suspected they might have, should immediately change their personal Google account passwords, and review their application permission settings to remove all permissions from the malicious “Google Docs” application.