The Google Docs Phishing Attack

Google Docs Is Fine, Right?

Earlier today, a major and sophisticated attack was levied against email users.

Unlike many commonplace phishing attempts, this attack cleverly used an imposter application to compromise mailboxes and accounts, by way of Google’s own OAuth framework. It was not an imposter email, user, domain, or the like — it was a real application that happened to be written in such a way as to look like a Google Docs application.

This is perhaps one of the most sophisticated phishing attacks we have seen to date.

Malicious cloud applications are almost impossible for an ordinary user to detect; by clicking on the “Allow” button, users are giving that application permission to operate on their behalf, both reading and sending mail from their inboxes. No credentials are stolen or exchanged; multi-factor authentication is of no help here.

There is a robust write-up on Reddit with additional technical details, as well.

How To Respond

First and foremost, the obvious: don’t click.

If you’re already running GreatHorn Inbound Email Security, you are also fully protected:

  1. GreatHorn automatically created a policy for every GreatHorn account today that detected and quarantined all instances of this attack from the time of detection onwards; no user action or administrative work was required here.
  2. Additionally, GreatHorn automatically detected and either quarantined or deleted every copy of the attack message, post delivery.

Unlike a traditional email gateway, GreatHorn’s cloud-native capabilities provide unique remediation capabilities, and can reduce incident response from hours to seconds — and as with the policy, this required no user action or administrative effort.

What’s Next?

One of our core beliefs is that advanced threats will not be limited to the phishing techniques seen today. Attackers are capable of building sophisticated, multi-step, and nearly impossible-to-spot threats that traditional email-only security tools and gateways cannot block.

Not only can we expect to see threats over email that defy legacy security tools, but we also expect to see an increasing number of attacks over secondary messaging platforms. Deploying this type of attack over a chat platform (like Slack) would be as effective as doing so over email — and no email-only security tool could detect or stop it.

GreatHorn is designed to uniquely provide detection capabilities for these additional platforms, with response capabilities tailored to deal with the threats of third party applications that leverage OAuth-based permission attacks.

As today’s attack demonstrates, protecting against social engineering and phishing attacks requires automated, comprehensive, and post-delivery response capabilities. Built on a foundation of over half a billion analyzed messages and leveraging the first and only cloud-native response platform, both Inbound Email Security and Messaging Security are available today, and both offer free 7-day trials.

GreatHorn automatically detects and removes phishing attacks from your inbox. 

Begin a trial or to request more information about Inbound Email Security for G Suite.

Unpacking the “Undetectable Hack”

How GreatHorn Can Stop the Latest Gmail Phishing Attack

Over the past week, a significant amount of digital ink has been spilled about a new form of phishing attack: an embedded GMail image that leads to a fake login page. 

Media coverage has skewed heavily breathless, and articles on the subject are peppered with scary terms like “frightening,” “really devious,” and “almost impossible to stop.”  Admittedly, this is quite a convincing attack.

It begins with an email sent from an already-compromised Google account to another Google Apps / G Suite / GMail user. The email contains a (fake) attachment that’s been made to look like a common document type (Word, PDF, etc.). The “attachment” is actually an embedded image link.

email image.png

The link looks like, but is actually a unique type of link, a data:text/html link — in other words, a Data URI, rather than an HTTP URI.

url field.png

When the user clicks the image link, instead of opening an in-browser preview of the document, it directs them to a spoofed page that prompts them to log in. 

faux google login page.png
If the user then inputs their email address and password, their credentials are passed to the attacker, who then has full access to the account – unless the user has MFA (multi-factor authentication) enabled on their account.

While Google has stated that they are working on improving defenses around this kind of attack, GreatHorn’s native spear phishing protection functionality is designed to catch most of the common attack techniques:

  • Display Name Spoofs. Many phishing attacks come from an email address with a Display Name that matches someone you know (“Your Boss”, for example), but an unusual email address (“[email protected]”). These emails can be automatically highlighted to a user, warning them of a risk present in the message, and admins can preset a customizable combination of notifications and actions in order to minimize the risk they pose.
  • Domain Lookalikes. More advanced attacks will come from look-alike domains, often only a single character away from a domain you recognize and/or regularly exchange email with (“” vs “”). GreatHorn’s automated social graph analytics catches and flags these types of emails, and admins can also chose notify users, quarantine the message, or delete it outright.

warning banner.png

Additionally, we are excited to announce that next week, we will be releasing two new features that will strengthen security postures against this type of attack and expand the capabilities of the GreatHorn platform significantly: Link Analysis and Attachment Analysis. 

Link Analysis will automatically flag embedded Data URIs, and Attachment analysis will similarly flag risky email attachments. In-message alerts to recipients as well as automated remediation actions can be applied to flagged messages, and the option to send event-triggered reports to the intended recipients of dangerous messages gives security awareness training efforts more teeth. By educating employees in the moment rather than through simulations of attacks that are inevitably happening in the wild anyways, we are able to move more definitively towards a frictionless, integrated SecBizOps environment

warning page.png


Next week is a big week for us: along with releasing the new Link Analysis and Attachment Analysis features in the GreatHorn cloud communication security platform, we’re also publishing our second 2017 Spear Phishing Report. Sign up to recieve updates or get in touch to discuss how GreatHorn can help your organization protect against advanced targeted threats here.