Google Docs Malware

A new phishing email is currently going around that appears to come from a contact you know. The email invites you to access a Google Doc; once clicked, you give the attacker permission to access your Gmail account, and they can then email your contacts the same phishing email to spread.

How do I know if I’ve been affected?

If you clicked “Allow”, you’ve been hit. If you didn’t click the link, closed the tab first, or pressed deny, you’re okay! The app may have removed itself from your account, and may have deleted the sent emails.

What do I do if I’ve been affected?

  1. Revoke access to “Google Docs” immediately. It may now have a name ending in apps.googleusercontent.com since Google removed it. The real one doesn’t need access.

  2. Check whether your account has sent any spam emails and, if so, send a follow-up email linking to this post or with your own advice.

  3. Inform whoever sent you the email about the spam emails, and that their account is compromised.

  4. Block messages containing the hhhhhhhhhhhhhhhh@mailinator.com address at your inbound and outbound mail gateway/spam service.

  5. Locate Accounts in the Google Admin console and revoke access to the “Google Docs” app. It may now have a name ending in apps.googleusercontent.com since Google removed it.
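
The checks in steps 2 and 4 can be scripted. The following Python is an added example, not part of the original advisory: it flags a raw message that carries the address from step 4 in an address header or in a decoded text body. The `build_sample` helper, the sample messages and every address other than the one from step 4 are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Address named in step 4 of the advisory.
INDICATOR = "hhhhhhhhhhhhhhhh@mailinator.com"
ADDRESS_HEADERS = ("From", "Reply-To", "To", "Cc", "Bcc")

def match_locations(raw_message: bytes) -> list:
    """Return header names (and 'body') in which INDICATOR appears."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for header in ADDRESS_HEADERS:
        values = [str(v) for v in msg.get_all(header, [])]
        # getaddresses() strips display names and splits address lists.
        if INDICATOR in {addr.lower() for _, addr in getaddresses(values)}:
            hits.append(header)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            text = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeDecodeError):
            continue  # unknown charset: skip rather than crash the filter
        if INDICATOR in text.lower():
            hits.append("body")
            break
    return hits

def build_sample(to, bcc=None, body="See the shared document.", cte=None):
    """Constructed test message; addresses other than INDICATOR are made up."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = to
    if bcc:
        m["Bcc"] = bcc
    m["Subject"] = "constructed sample"
    m.set_content(body, cte=cte)
    return m.as_bytes()

if __name__ == "__main__":
    samples = {
        "address in To": build_sample(INDICATOR, bcc="bob@example.com"),
        "address only in encoded body": build_sample(
            "bob@example.com", body="Reply to " + INDICATOR, cte="base64"),
        "clean": build_sample("bob@example.com"),
    }
    for name, raw in samples.items():
        print(name, "->", match_locations(raw) or "no match")
```

Matching on parsed addresses and decoded bodies, rather than on the raw bytes, catches the address when it is wrapped in a display name, written in a different case, or hidden behind a transfer encoding.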

What are the effects?

All of your emails have been accessed, and the spam has been forwarded to all of your contacts. This means your emails could all have been extracted for reading later. Additionally, password reset emails could have been sent for other services using the infected email address.