A large scale phishing attack is underway. The attack uses a convincing Google Drive shared document email to get users to click a “Open in Docs” button. Upon doing so users are asked to authorize app that gains access to your email and address book.

The design is very similar to the new Google design, but there are a few things you can look for:

  • This attack seems to come from from “hhhhhhhhhhh@”
  • The original email does not meet current share email design
  • The authorize link ends in “.win”
  • The authorize link is not a legitimate google domain

So if you have an email that looks like the image below, delete it. If you’ve clicked and authorized the app, instructions on cleaning your account will be published below shortly.

Google Drive Phishing Email Example

UPDATE: The Verge has reported that the app may have been de-authorized by Google, but to be safe you can follow the instruction below to double check if your account has the app authorized.

Update 4:15pm: Google has tweeted they are “investigating”

Update 5:50pm: Official statement from google on twitter:


The fix…

If you’ve already clicked the button and authorized the app follow the following instructions to remove the malicious app and protect your account.

Remove the app from your connected apps and sites

  1. Access your account app permission list: https://myaccount.google.com/permissions
  2. Look for an app called Google Docs with an Authorization Date of “Just Now” or within the last few hours.
    Authorized App
  3. Click “Remove”

Change your password

As always, moments like these are a good time to reset your password, but only do this after de-authorizing the app. Since the app has access to your email it’s good practice to do this second after the app is de-authorized.

  1. Visit your account preferences: https://myaccount.google.com/security#signin
  2. Click “Password”
  3. Verify your account (and 2-step authentication if you have it. If not, this is a great time to implement it.)
  4. Change your password