Google Docs shared email (MALWARE ATTACK)

Wednesday 2:30–4:00pm ET

Scott Adamson
May 4, 2017

This afternoon Friends Seminary in NYC (along with countless companies, schools & institutions) was impacted by a phishing attack via Google that was well built, thoughtfully crafted & designed perfectly.

First, if you are concerned or know you clicked on the link and “granted access” to Google, do the following on your Google account (personal and/or work accounts):

  • Reset passwords — This will cause your email and any Google resource to require re-authentication with the new password (including your phone or iPad).
  • Check apps that are sharing or have permission to your Google account here within your Google account.
  • If there is an app in the list called Google Docs, revoke access immediately.
  • If there are other apps that are not recognized or have not been used in a while, you might as well do some spring cleaning and revoke those as well.
  • If an app has been revoked, the next time the connected program is launched, Google will prompt for authentication again.

Now, for the story…

The first email arrived in my inbox around 2:30pm. In less than 30 minutes the tech phones were ringing non-stop and we had received no fewer than three emails from people who clearly had “granted access” when prompted, and it was perpetuating itself.

[data to be updated] To give a general idea of the shift in emails, Friends has a total volume of about 20k emails/day (on a normal school day). Yesterday we saw that number spike due to this malware…

We began working to quarantine the messages (inbound/outbound + all internal messages matching the sender’s email). By around 3:30pm the scale tipped and Google, along with many others, started working on a fix behind the scenes. I was also able to work with some of our additional admin tools to revoke the Google Docs app globally for all of Friends, minimizing the need for individuals to find and remove the app and the chance of leaving a possible backdoor open for this malware.
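The checklist at the top and the domain-wide revoke described here apply the same rules to a list of app grants. The Python below is an added example (not part of the original post and not Google's tooling) that runs those rules over a constructed export; the record fields, the allowlist and the 90-day threshold are assumptions.

```python
import unicodedata
from datetime import date

# Constructed sample grants: one row per (user, OAuth app) pair, shaped like an
# export an admin tool might produce. All field names and values are assumptions.
GRANTS = [
    {"user": "alice@example.org", "app": "Google Docs", "client_id": "client-aaa", "last_used": "2017-05-03"},
    {"user": "bob@example.org", "app": "google  docs ", "client_id": "client-aaa", "last_used": "2017-05-03"},
    {"user": "bob@example.org", "app": "Calendar Sync", "client_id": "client-bbb", "last_used": "2017-05-01"},
    {"user": "carol@example.org", "app": "Old Quiz Tool", "client_id": "client-ccc", "last_used": "2016-09-12"},
    {"user": "carol@example.org", "app": "Mystery Mailer", "client_id": "client-ddd", "last_used": "2017-04-30"},
]
APPROVED = {"client-bbb", "client-ccc"}  # hypothetical allowlist of apps the school recognizes
STALE_AFTER_DAYS = 90                    # assumed meaning of "not used in a while"

def normalize(name):
    """Fold case, Unicode compatibility forms and repeated spaces before comparing names."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def triage(grants, today, approved=APPROVED):
    """Return {user: [(app, reason), ...]} for every grant the checklist says to revoke."""
    to_revoke = {}
    for g in grants:
        idle = (today - date.fromisoformat(g["last_used"])).days
        if normalize(g["app"]) == "google docs":
            reason = "named Google Docs"       # an app by this name in the list is the impostor
        elif g["client_id"] not in approved:
            reason = "not recognized"
        elif idle > STALE_AFTER_DAYS:
            reason = f"unused for {idle} days"
        else:
            continue
        to_revoke.setdefault(g["user"], []).append((g["app"], reason))
    return to_revoke

def affected_users(grants):
    """Users who granted the impostor app; these accounts also need a password reset."""
    return sorted({g["user"] for g in grants if normalize(g["app"]) == "google docs"})

if __name__ == "__main__":
    for user, items in triage(GRANTS, date(2017, 5, 4)).items():
        for app, reason in items:
            print(f"{user}: revoke {app!r} ({reason})")
```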

Google was able to address globally what many individual Google administrators were doing and blocked emails from the known offending addresses, added alerts to the questionable emails and removed access to the system that had been granted by many users (that were being used to send out the additional mail).

Why was this particularly effective?

Google has been dominating the education and not-for-profit spaces for a while now by offering low-cost or no-cost access to email for institutions of 1000s of users and I believe this is one reason this attack was so efficient and effective. It hit towards the end of the school day on the east coast, and with so many schools using Google for their communication and document sharing and collaboration, seeing this kind of message is not uncommon and does not raise a huge red flag.

Wired has a very nice post of what happened that started and perpetuated this attack and if you do a little “googling” you will be able to find a story on most major media outlets. TechCrunch also has an article including Google’s comments about the attack and their promises to protect against this kind of attack in the future.

What’s next?

This is a wake-up call to some of the vulnerabilities of data shared and stored in the cloud and how trusting we have all become in allowing shared access to data and resources across various cloud solutions.

The silver lining is this will (I’m willing to bet on this) result in stronger and more vigilant end users, and systems and software (Google and Microsoft) will be driven to further protect our systems and data.