Resolved
After 4 days, 7 hours, and 53 minutes

Google has disabled the offending app preventing the campaign from spreading further. Please accept our apologies for any inconvenience caused. This will be the final update for this incident.

Identified

Symantec has observed a phishing attack being sent via an impersonated “Google Docs” webapp.

Details of the attack • Messages contained the subject o “XXXXX has shared a document on Google Docs with you” • The attack used a web app to impersonate “Google Docs” o Google has disabled the reported third party application. This would prevent further compromise from this particular app. It is unknown if there are additional applications being used to accomplish the same attack at this time • Attack stopped at around 19:55 GMT

Actions taken • Following rule types deployed targeting this attack o URL Hash rules o Single signature o Header regex o Predictive heuristics

Additional Info The initial tweet from google: https://twitter.com/gmail/status/859863893484593152

Google forum tracking the issue and providing updates: https://productforums.google.com/forum/#!topic/gmail/be-_mLk_aOk

Began at:

Affected components