As many email users know, phishing attacks—or emails that impersonate a trusted source to trick users into sharing information—are a pervasive problem. If you use Gmail, you can rest assured that every day, millions of phishing emails are blocked from ever reaching your inbox.
This week, we defended against an email phishing campaign that tricked some of our users into inadvertently granting access to their contact information, with the intent to spread more phishing emails. We took quick action to revoke all access granted to the attacker as well as steps to reduce and prevent harm from future variants of this type of attack.
Here’s some background to help you understand how the campaign worked, how we addressed it and how you can better protect yourself against attacks.
How the campaign worked and how we addressed it
Victims of this attack received an email that appeared to be an invite to a Google Doc from one of their contacts. When users clicked the link in the attacker’s email, it directed them to the attacker’s application, which requested access to the user’s account under the false pretense of gaining access to the Google Doc. If the user authorized access to the application (through a mechanism called OAuth), it used the user's contact list to send the same message to more people.
Upon detecting this issue, we immediately responded with a combination of automatic and manual actions that ended this campaign within an hour. We removed fake pages and applications, and pushed user-protection updates through Safe Browsing, Gmail, Google Cloud Platform, and other counter-abuse systems. Fewer than 0.1% of our users were affected by this attack, and we have taken steps to re-secure affected accounts.
We protect our users from phishing attacks in a number of ways, including:
- Using machine learning-based detection of spam and phishing messages, which has contributed to 99.9% accuracy in spam detection
- Providing Safe Browsing warnings about dangerous links, within Gmail and across more than 2 billion browsers
- Preventing suspicious account sign-ins through dynamic, risk-based challenges
- Scanning email attachments for malware and other dangerous payloads
In addition, we’re taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users.
How users can protect themselves
We’re committed to keeping your Google Account safe, and have layers of defense in place to guard against sophisticated attacks of all types, from anti-hijacking systems detecting unusual behavior, to machine learning models that block malicious content, to protection measures in Chrome and through Safe Browsing that guard against visiting suspicious sites. In addition, here are a few ways users can further protect themselves:
How G Suite admins can protect their users
We’ve separately notified G Suite customers whose users were tricked into granting OAuth access. While no further admin or user action is required for this incident, if you are a G Suite admin, consider the following best practices to generally improve security:
- Review and verify current OAuth API access by third-parties.
- Run OAuth Token audit log reports to catch future inadvertent scope grants and set up automated email alerts in the Admin console using the custom alerts feature, or script it with the Reports API.
- Turn on 2-step verification for your organization and use security keys.
- Follow the security checklist if you feel that an account may be compromised.
- Help prevent abuse of your brand in phishing attacks by publishing a DMARC policy for your organization.
- Use and enforce rules for S/MIME encryption