At this time, Google has taken steps to block the use of this app completely. While you may still consider taking the steps below to mitigate any lingering effects on your domain, this issue is now considered resolved.
On 05/03/17, an invasive email phishing attack began propagating via Gmail and Google Contacts.
The nature of the attack is such that victims receive an email, possibly from a known contact (if that account also exists on Gmail and has already been affected) notifying them that a Google Doc has been shared with them, and prompting them to open the document:
If the victim clicks the "Open in Docs" link, they will be directed to a page that looks like a Google Permissions page, prompting them to allow access to Gmail and Google Contacts. However, hovering over the page will show that this is not an official Google prompt:
Granting these permissions will allow the phishing app access to the account's Gmail service and full list of contacts from Google Contacts. The app will then proceed to use the victim's account to email this same message out to all of their contact records, perpetuating the app itself and the possibility of additional installs.
To mitigate the threat of these emails, and their effects on your domain, please take the following steps:
1. Use BetterCloud to blacklist the app for your domain, which will automatically revoke the app's permissions to your users' accounts, as we receive word of them.
The app may be called "Google Docs", or may appear as a randomly generated Google User Content link name (for example: "346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com") but will be differentiated by the legitimate Google Docs service by only having permissions granted to Gmail and Google Contacts.
- Please note: BetterCloud receives new information about apps, their granted permissions, and installs via syncs. If your BetterCloud instance is currently on a cooldown period and cannot run a sync, please contact firstname.lastname@example.org, to have a new one initiated for your domain.
2. Use BetterCloud to create an email filter, which can catch any new incoming emails based on criteria you set, and apply it to all users on your domain.
- Please note: if you wish to delete this filter at a later date, your users must do so manually from within their own individual Gmail settings, as Google's API limitations prevent us from making these deletions.)
3. End users may also manually revoke any permissions they granted to their own accounts, by navigating to https://myaccount.google.com/permissions:
4. To search for any traffic by this email message on your domain, you can utilize Email Log Search in the Google Admin Console.
5. Join the BetterIT Community to stay apprised of updates to this issue, and discuss domain security with other admins and members of the BetterCloud Support team: BetterIT