Google Docs Disruption: Phishing Scam Jolts The Enterprise

It doesn’t get much bigger in the information technology world than Google, so when the web giant takes a hit, so do many of its users.

And when a phishing scam targets one of Google’s most used collaboration tools, it’s not just individual users who are harmed, but entire enterprises. Such was the case on Wednesday, May 3, when a sophisticated phishing campaign impersonating Google Docs went out to the masses. Recipients with Google accounts were invited to open a document shared from what looked like a legitimate Gmail contact, but the link led not to a document but to an authorization prompt for a fake third-party application dressed up to look like Google Docs.

In a statement to the media late Wednesday, Google said:

“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”

While Google tried to soften the impact by citing "fewer than 0.1%" of users, Gmail, according to Google's own reports, has more than 1 billion active users per month, so 0.1% works out to as many as 1 million accounts affected during Wednesday's roughly hour-long campaign.

Docs is part of the Google Drive offering and lets both Gmail and non-Gmail account holders work on the same file simultaneously, so its potential reach is extremely wide. In the workplace, Docs is also part of the paid G Suite offering sold to SMBs and enterprise-size companies for use on both desktop and mobile devices.

Many enterprises run their corporate email on Gmail, relying on its cloud-based mail capabilities for their own digital communications.

According to a blog post by Talos Intelligence:

“This attack allowed the OAuth owner access to all of the email content and contact information for every compromised victim of the attack. This means the attacker potentially has access to all of the information within your account and the ability to read, send, delete and manage the email and contacts of the associated account. Additionally, since OAuth was used, the typical protections like changing passwords have no immediate impact on the adversaries' access.”
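Because the Talos paragraph above describes an authorization grant rather than a stolen password, the artifact worth examining is the consent link itself: which application is asking, which scopes it wants, and where the resulting code or token is sent. The script below is an added example, not code from the article, Google or Talos. It parses a Google OAuth 2.0 authorization URL and flags the grants that matter. The scope identifiers are Google's documented OAuth scope strings; the sample URLs, client IDs, redirect hosts and the allowlist of expected application hosts are constructed for illustration.

```python
"""
Triage a Google OAuth 2.0 consent link of the kind used in the
"Google Docs" campaign: pull the authorization request apart and
report the grants an analyst or mail gateway should care about.
Added example; sample URLs and hosts below are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Google OAuth scopes that hand an app the capabilities Talos describes:
# read, send, delete and manage mail, and read or manage contacts.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read and manage contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Google's authorization endpoint lives on this host under /o/oauth2/.
GOOGLE_AUTH_HOST = "accounts.google.com"


def triage_oauth_link(url, expected_redirect_hosts=()):
    """Return what the consent link asks for and a list of findings.

    expected_redirect_hosts: hosts of applications the organisation has
    approved (assumed allowlist). Any other redirect_uri means the
    authorization code is delivered to an unknown third party.
    """
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    result = {
        "is_google_consent": (
            parts.scheme == "https"
            and parts.hostname == GOOGLE_AUTH_HOST
            and parts.path.startswith("/o/oauth2/")
        ),
        "client_id": params.get("client_id"),
        "scopes": params.get("scope", "").split(),  # space separated
        "redirect_host": redirect_host,
        "findings": [],
    }
    findings = result["findings"]

    if not result["is_google_consent"]:
        findings.append("not a Google OAuth consent URL; treat as an ordinary "
                        "credential-phishing link")
        return result

    for scope in result["scopes"]:
        if scope in HIGH_RISK_SCOPES:
            findings.append(f"scope {scope}: {HIGH_RISK_SCOPES[scope]}")

    if redirect_host is None:
        findings.append("no redirect_uri: malformed request")
    elif redirect_host not in expected_redirect_hosts:
        findings.append(f"redirect_uri host {redirect_host} is not an approved "
                        "app; the authorization code goes to a third party")

    # A refresh token keeps working after a password change; only
    # revoking the grant (e.g. via Google Security Checkup) ends access.
    if params.get("access_type") == "offline":
        findings.append("access_type=offline: refresh token requested, "
                        "access persists until the grant is revoked")
    return result


# Constructed sample: a consent link shaped like the campaign's, with a
# made-up client_id and a made-up redirect host.
SAMPLE_PHISH_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=1234567890-example.apps.googleusercontent.com"
    "&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts"
    "&redirect_uri=https://docscloud.example/g.php"
    "&response_type=code&access_type=offline"
)

# Constructed sample: an approved app asking only for identity scopes.
SAMPLE_BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=9876543210-example.apps.googleusercontent.com"
    "&scope=openid%20email"
    "&redirect_uri=https://app.example.com/callback&response_type=code"
)

if __name__ == "__main__":
    for url in (SAMPLE_PHISH_URL, SAMPLE_BENIGN_URL):
        report = triage_oauth_link(url, expected_redirect_hosts=("app.example.com",))
        print(report["client_id"], report["findings"])
```

Run against links extracted from inbound mail, the same check separates a request for mail and contacts scopes bound to an unknown redirect host from a routine sign-in; the `access_type=offline` finding is the mechanical reason a password reset does nothing until the grant itself is revoked.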

Front and center on the G Suite landing page is the sentence, “Millions of businesses around the world have chosen G Suite,” with company names and logos below it, including Whirlpool, HP, PwC, and Salesforce. And while Google Docs is licensed for company-wide use by businesses that pay for it, anyone with a Gmail account can use Google Drive and its functions (Docs included) for free at any time, which introduces another major risk: shadow IT, meaning personal Google accounts doing company work outside the IT department's control.

Also according to Google's own data, about 25% of Americans use Gmail during work hours, and about 75% of Gmail users open the app on their smartphone each day.

Given that, it is not hard to imagine a Docs user falling prey to Wednesday’s scam from a work-issued or corporately enabled device, granting an attacker access to a personal account that the enterprise IT department neither manages nor had considered as a threat vector.

So when one of the most-used applications in the world has a hiccup, how does your enterprise face the challenge? What security measures are in place, and which should be considered going forward to stop a scam like this from impacting your business?