You just can’t trust anyone these days, not even an official-looking notification hosted on Google’s own domains: a recent attack used a legitimate-looking OAuth request to get folks to hand over the keys to their email castle.
The invitation arrived disguised as a shared Google Doc:
@zeynep Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX
— Zach Latta (@zachlatta) May 3, 2017
Unwary recipients were then taken to a page asking them to authorize their account with “Google Docs,” which seems odd but is no different from what a variety of other services ask for on the web. Clicking OK then granted the attacker access to the user’s Gmail account, letting the attack propagate further. Someone else had registered an application with the Google Drive username, which is why the attack was able to take place on Google’s own servers.
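The consent screen is the whole attack surface here, so a defender-side check worth having is one that triages an OAuth authorization request before anyone clicks Allow. The script below is an added example, not code from the original article: it parses a constructed Google OAuth consent URL and flags mailbox or contacts scopes, offline (refresh-token) access and a third-party app that presents itself under a Google product name; the client_id, redirect_uri and display name are placeholders.

```python
"""Triage a Google OAuth consent request the way an admin or mail filter
might before a user is allowed to click "Allow".

Added example, not code from the original article. The consent URL, the
client_id, redirect_uri and display name below are constructed samples."""
from urllib.parse import urlparse, parse_qs

# Scopes that hand over the whole mailbox or the address book; these are the
# capabilities a consent-phishing app needs in order to read mail and spread.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail read/send/delete access",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# First-party product names a third-party OAuth client should never carry.
GOOGLE_BRANDS = {"google docs", "google drive", "gmail", "google"}

# Constructed sample request (placeholder client_id and redirect_uri).
SAMPLE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&access_type=offline&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)


def triage_consent(url: str, app_display_name: str) -> list[str]:
    """Return human-readable findings for one authorization request;
    an empty list means nothing stood out."""
    findings = []
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    if parsed.netloc != "accounts.google.com":
        findings.append(f"authorization endpoint is not Google's: {parsed.netloc}")
    # Google passes the requested scopes as one space-separated string.
    for scope in params.get("scope", [""])[0].split():
        if scope in SENSITIVE_SCOPES:
            findings.append(f"requests {SENSITIVE_SCOPES[scope]} ({scope})")
    # A third-party client shown under a Google product name is the trick
    # the article describes.
    name = app_display_name.strip().lower()
    if name in GOOGLE_BRANDS or name.startswith("google "):
        findings.append(f"third-party app uses a Google product name: {app_display_name!r}")
    # Offline access yields a refresh token that outlives the session.
    if params.get("access_type", [""])[0] == "offline":
        findings.append("asks for offline access (long-lived refresh token)")
    return findings


if __name__ == "__main__":
    for line in triage_consent(SAMPLE_CONSENT_URL, "Google Docs"):
        print("-", line)
```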
Fortunately, it looks like the mischievous account has since been suspended, but not before a number of users were already caught up in the attack.