Cyber Security

How To Stop The Sudden New ‘Google Docs’ Email Attack

The malicious code attacked countless users on Wednesday. Here's how it works and what to do if you clicked

Cyber Security
Illustration: Vocativ
May 03, 2017 at 4:36 PM ET

An email scheme — in which someone you may know sends you a link that looks an awful lot like a link to Google Docs — spread like wildfire on Wednesday.

As of this writing, there’s no way to tell the scale of the attack — considered a worm, because of how it exists to replicate itself — though it is significant. From accounts social media alone, it’s clear that numerous news outlets, law firms, and high schools and colleges have been affected. At least four Vocativ employees have received such emails. Google revoked the program late Wednesday afternoon, though it’s unclear what information victims have sent to the unknown attacker who created it. 

In a statement, Google said that “We have taken action to protect users against an email impersonating Google Docs,” and that its security team had “disabled offending accounts.” Google didn’t immediately respond to a followup question about how many people would be unable to access their account, though one victim did show Vocativ

The trick here is that though the email that shows up in a victim’s inbox appears to be a straightforward link to a Google Docs document, it’s actually a third-party service that Google has, inexplicably, been allowed to name itself “Google Docs.” If you fell for the scheme, as noticed by Zach Latta, an engineer and the executive director of Hack Club, whoever’s behind the attack will then ask for full permission to your Google email account — something you obviously don’t want a stranger to have.

“Basically, when you click the button, you’re doing the same thing as clicking a ‘login with Google’ button on some legit website,” Latta told Vocativ.

From there, it appears that this malicious script self-propagates by sending the same kind of email to the contacts of whoever it just compromised. It’s unclear if it then proceeds to wreak further damage.

It’s important to note that if you fall for the scheme, you should change your password — but that’s not all.

It’s unclear if Google has preempted this step, but in case not, any potential victim should also revoke permissions from the fake “Google Docs” app. It’s actually pretty easy to see which apps have permissions, though, and something every Google user should review from time to time to make sure they haven’t accidentally given permissions to a third party who shouldn’t have them.

Just go to to see who has access to your Google account and revoke any that don’t belong there. If a suspicious “Google Docs” is at the bottom, that’s probably the malicious script.

Fortunately, it appears that right now, the malicious code did little except propagate itself. Cooper Quintin, staff technologist at the Electronic Frontier Foundation who’s currently studying this attack, said that it’s created to send victims’ information to at least three different servers — but all three are currently down.

That’s no mistake, according to Cloudflare, one of the internet’s largest providers of DNS services — essentially an internet phone book, translating the text of a URL to the numerical address of another website’s server. The domains set to receive messages from the malicious Google Docs code actually used Cloudflare, prompting the company to shut down its service to each of them. That’s not quite the same thing as knocking them offline, but it would stand to minimize the worm’s effectiveness before Google could shut down the fake app.