Just before 2 p.m. CST (-0500 GMT) today I received an email from an acquaintance of mine inviting me to view a document on Google Docs. I was immediately suspicious because the 'To' field of the address was a Mailinator address, a throw away email address. Red flag number one. Red flag number two is that I wasn't expecting any documents or emails from that person and that's all I needed to know it was probably a phish. Others weren't so lucky.
It should be noted that by this point if you Googled 'Mailinator' you also saw a bunch of tweets about the phishing campaign.
It's old news in the world of security now, but for the past two hours or so someone (no one knows who yet) has been sending out a phishing email that looks exactly like the one I received.
If you clicked the link, you are taken to Google's account sign in page to authenticate with OAuth. This page is legitimate. However, if you look closely, you're actually giving access to an app called Google Docs. Let's all pause here and ask ourselves, "Why would Google Docs need my permission to access anything?". It doesn't. The app is fake and hosted on Cloudflare. It wasn't long before Cloudflare took the app down and Google revoked access so the phish is effectively dead now but here are a few questions you might have.
What if I already allowed the access? Well... the application now has access to all of your emails. It also sent a copy of the malicious email you received to everyone you've ever emailed. You should probably go ahead and revoke that access now friend. Here's how
No word yet on what the attacker is doing with information found in mailboxes. Rumors are abundant though.
Would two factor authentication have helped? Nah, sorry. 2FA wouldn't have played a role in this app gaining access since it is an OAuth phish.
Who else was affected? I heard that a bunch of schools (K-12 and colleges) and government agencies were hit pretty hard.
Here are a few articles for your reading pleasure if you need more info:
New Google Docs phishing scam, almost undetectable - Reddit
Sudden Google Docs Spam? - Reddit
A gif on Twitter of someone clicking on the link
Someone Hit the Internet with a Massive Google Doc Phishing Attack - Motherboard
I hate to sound like the mandatory phishing training everyone at every company has to take but, seriously, think before you click. I know this one looked really convincing, but there's nothing wrong with being suspicious of emails you weren't expecting to get (even if the person you sent them is someone you know).