OAUTH phishing against Google Docs ? beware!, (Wed, May 3rd)

We got several reports (thanks to Seren Thompson, Tahir Khan and Harry Vann) about OAUTH phishing attacks against Google users. The phishing attack arrives, of course, as an e-mail where it appears that a user (potentially even one on your contact list, so it looks very legitimate) has shared a document.

An image of such an e-mail is shown below:

Phishing email

If you click on the link (Open in Docs), you will be redirected to the OAUTH2 service on accounts.google.com – the target URL will look like this:


In browser, this is what you get:

As you can see, it appears as Google Docs wants full access to my Gmail as well as my contacts. Of course, this is not real Google Docs – the attacker has simply named his “application” Google Docs – this can be verified by clicking on the Google Docs text where the real web site behind this and developer info is shown:

Obviously, once you allow access it is game over – the attacker probably uses the phishied Gmail account to further distribute phishing e-mails – we’ll see if we can get more details.

So far at least the following domains are included:



The domains are definitely malicious – the URL leads to jsserver.info where a fake alert that the computer is infected is shown.




Source: SANS Internet Storm Center, InfoCON: green @ May 3, 2017 at 02:39PM