This Is Why That Google Doc Spear Phishing Email Tricked So Many People

By bypassing security precautions the average person would have in place, attackers just managed to launch what might be fastest-spreading spear phishing campaign in history.

SAN FRANCISCO — Cybersecurity researchers are already speculating that the spear phishing campaign that targeted Google users Wednesday was one of the fastest-spreading attacks of its kind in history, as attackers used methods that bypassed the traditional security measures most people have learned over the years.

Within an hour of it first being reported at 2:30 p.m. EST, media organizations including the BBC, BuzzFeed, TechCrunch, and The Atlantic reported being affected by the spear phishing emails — messages that appear to come from a trusted source but trick users into downloading malware or giving attackers access to their accounts. By Wednesday evening, several government agencies, universities, and NGOs also reported that their employees had fallen victim to the attack.

“It worked so well because it bypassed what people who have a basic knowledge of security know not to do. Even though it is incredibly simplistic, it was very effective,” said Collin Anderson, an independent cybersecurity researcher who is studying the attack. The types of security practices most people are taught — like being wary of entering a password on a separate password screen, or enabling two-factor authentication, which requires providing multiple, separate forms of authentication to gain access to an account — would have done nothing to prevent Wednesday’s spear phishing campaign.

The campaign targeted Google users by sending an email with a link to what appeared to be a Google document coming from someone they knew. As long as the users were logged into Google, clicking on the link gave the attackers access to the entire email account, including the users’ contact list.

“It appeared almost wormlike in its behavior. Clicking the link was enough to send the email to everyone on a user’s contact list, which just spread the campaign further,” said Cooper Quintin, a security researcher at the Electronic Frontier Foundation, a nonprofit digital rights group.

For the average user, receiving an email with a link to a Google doc that seemed to come from someone they knew was already enough to get them to click. What made the attack even more nefarious, however, was that the link itself appeared perfectly legitimate. The attackers created an app within Google itself called Google Doc, so that it appeared users were just clicking on the ubiquitous app, one used by organizations across the world. Instead, the attackers were asking users to give them access to their entire contact list, as well as the ability to send, receive, and delete emails.

“Other than its wormlike behavior, it’s still unclear what the actual goal of this campaign was,” said Quintin, who added that the campaign was almost “too successful.” So many people clicked on the link, and it so quickly affected people within their address books, that people began tweeting and sharing the viral Google Doc emails within minutes. “It was so successful it probably got shut down way quicker than the attacker had hoped.”

Discovering who was behind the attacks is difficult. The emails appeared to come from the email account hhhhhhhhhhhhhhhh@mailinator[.]com; Mailinator is a public, disposable email service. Paul Tyma, one of the founders of Mailinator, told BuzzFeed News that Mailinator likely provided a “dumping ground” for their attack, but that they did not read any email in the account as the inbox was entirely overwhelmed.

“We saw tens of thousands of emails come into that inbox and promptly shut it off. Mailinator inboxes only hold 50 emails at once anyway, so emails were overwriting each other at a high rate,” Tyma wrote BuzzFeed News in an email. A search through the Google app store shows that the fake Google Doc app was created by an email account named As of Wednesday afternoon, the email account did not appear to be working.

Anderson said that at least some of the problem lay with Google.

“Google allowed for their company name to be misappropriated to trick people in this case,” said Anderson.

A spokesperson for Google said in a statement that the company has disabled the accounts where the hack originated.

“We’ve pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail,” the statement read. Google did not comment on who was behind the attack or how many people were affected.

By Wednesday afternoon it appeared that the link used by the attackers could no longer be accessed and was no longer affecting new users. However, the method used by the attackers could be replicated.

The cybersecurity firm Trend Micro noted that it's not the first time this type of spear phishing campaign has been used. The group of Russian hackers known as Fancy Bear, who have used spear phishing emails to try to meddle in the US and European elections, used a similar method according to a Trend Micro report.

The attacks worked by sending out an email to Google users that encouraged them to install a security application called “Google Defender.” Once a user clicked “allow,” they were effectively handing over what is known as OAuth protocol, which was designed by Google to allow third-party applications access to internet accounts through the use of tokens. While Google developed the protocol for convenience — there are many trusted apps that use OAuth responsibly — it appears it is now being leveraged by attackers as well.

In a blog post on Talos Security, a security intelligence and research group, cybersecurity researchers wrote that, “Because of the success of this attack, we are likely going to see phishing attacks of this nature for the foreseeable future."

Topics in this article

Skip to footer