Last updated: June 15, 2026

A Google Docs phishing attack tricks you into granting a malicious app access to your Gmail and contacts through a fake permission screen. It doesn’t steal your password. Instead it abuses OAuth consent, so the only reliable defense is controlling what you authorize.
TL;DR. The 2017 Google Docs worm spread by abusing OAuth, the system that lets apps request access to your account. Attackers still use the same trick against Gmail and Microsoft 365 today. You can’t rely on spotting a bad URL, so the real fix is controlling which apps get permission. Our cybersecurity team helps Texas businesses lock that down.
What was the 2017 Google Docs phishing attack?
In May 2017 a fast-moving worm spread across Gmail by inviting people to edit a file in Google Docs. The invitation came from someone the target actually knew, which is exactly why it worked. Clicking it led to a genuine Google sign-in screen, then a prompt to “continue to Google Docs.” That prompt granted permissions to a malicious third-party web app that had simply been named “Google Docs.” Once approved, the app could read the victim’s email and address book, then mail the same invite to every contact.
As CNN reported at the time, roughly 1 million Gmail accounts received the malicious invite, fewer than 0.1 percent of all users, and Google shut the campaign down in about 1 hour by disabling the fake accounts and pushing Safe Browsing updates. The outbreak was first documented by users on Reddit as it spread.
Why this attack was different from normal phishing
A standard email phishing scheme sends you to a fake login page and harvests your password, something you can often catch by checking the page URL. This attack never needed your password. It worked inside Google’s own system and exploited a feature, not a bug. Anyone can build a third-party app, give it a misleading display name, then ask Google users to grant it access through the real OAuth consent flow. Because the sign-in page was authentic, the usual advice to check the URL offered no protection.
Security teams call this technique consent phishing or OAuth phishing. The attacker isn’t after your credentials. They want the access token that lets an app act on your behalf. That token survives a password reset, and multi-factor authentication does not block it, because the victim completes MFA normally on the genuine sign-in page before granting consent.
| Trait | Normal email phishing | Consent (OAuth) phishing |
|---|---|---|
| What it wants | Your password | An app access token |
| Where you land | A fake login page | The real Google sign-in |
| How to catch it | Check the page URL | Review the app and its permissions |
| Stopped by MFA | Often yes | Frequently no |
| Survives a password reset | No | Yes, until you revoke access |
Is the Google Docs phishing attack still a threat in 2026?
The specific 2017 worm was stopped, but the technique behind it is more common than ever. Microsoft warns that OAuth consent phishing remains a primary way attackers bypass passwords and MFA, and in 2025 it began enabling a managed consent policy by default so users can’t approve risky third-party apps on their own. Security firm Proofpoint also reported a sharp rise in OAuth phishing against Microsoft 365 accounts through late 2025. If your team uses cloud email and grants app permissions without oversight, this is an active risk, not a piece of 2017 history.
How to spot a fake Google Docs invite
Most consent phishing attempts share a few tells. Watch for these signals before you approve any app.
- An unexpected document share from a contact who wouldn’t normally send you one.
- A permission screen asking for broad access such as read, send, delete, and manage your email, for an app that should only need to open a document.
- An app name that looks generic or slightly off, like “Google Docs” appearing as a third-party app rather than a native Google service.
- A developer or publisher name you don’t recognize, shown in small text under the app name.
- Urgency in the message, pushing you to open or approve quickly.
How to protect your business from OAuth consent phishing
Stopping this attack is mostly about governance, not gut instinct. These controls take the decision away from individual users.
- Restrict third-party app access in Google Workspace and Microsoft 365 so employees can’t grant high-risk permissions without admin approval.
- Turn on admin consent workflows, which route every new app request to IT for review.
- Audit the apps that already have access to your tenant and revoke anything unused or unrecognized.
- Enforce phishing-resistant multi-factor authentication across all accounts.
- Train staff to treat a permission prompt with the same caution as a password request.
- Monitor for unusual OAuth grants and mailbox forwarding rules, which are common signs of a stolen token.
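The tells listed under "How to spot a fake Google Docs invite" (a Google-product lookalike name shown as a third-party app, broad mail and contacts scopes, an unrecognized publisher) and the last control above (monitoring OAuth grants) can be turned into a simple triage rule for admins. The script below is an added example written for this article; it is not code from the original page or from Uprite. It assumes that OAuth consent events are exported in the shape of the Google Workspace Admin SDK Reports API "token" application (an `authorize` event with `client_id`, `app_name` and a multi-valued `scope` parameter); the allowlisted client ID and all sample records are constructed placeholders, and the scope strings are real Google API scopes.

```python
"""Triage Google Workspace OAuth consent grants for consent-phishing tells.

Added example, not part of the original article. Event shape is an
assumption modelled on the Admin SDK Reports API "token" activity; adjust
the field names if your export differs. All sample data is constructed.
"""
import re

# Scopes that let an app read, send or manage mail and contacts: far more
# than an app that only needs to open a document should ask for.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# A third-party app whose display name borrows a Google product name is the
# exact trick the 2017 worm used; native Google services never show up here.
LOOKALIKE = re.compile(r"\b(google|gmail|docs|drive)\b", re.IGNORECASE)

# Client IDs your admins have already reviewed (constructed placeholder).
ALLOWLIST = {"111111111111-approvedcrm.apps.googleusercontent.com"}

RISK_ORDER = {"high": 3, "medium": 2, "low": 1, "allowlisted": 0}


def _params(event):
    """Flatten the Reports API parameter list into {name: value-or-list}."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}


def classify_grant(event, allowlist=ALLOWLIST):
    """Return (risk, reasons) for one token event; only 'authorize' counts."""
    if event.get("name") != "authorize":
        return "low", []
    p = _params(event)
    client_id = p.get("client_id") or ""
    app_name = p.get("app_name") or ""
    scopes = set(p.get("scope") or [])
    if client_id in allowlist:
        return "allowlisted", []

    reasons = []
    broad = sorted(scopes & BROAD_SCOPES)
    lookalike = bool(LOOKALIKE.search(app_name))
    if broad:
        reasons.append("broad scopes: " + ", ".join(broad))
    if lookalike:
        reasons.append(f"app name {app_name!r} imitates a Google product")
    reasons.append("client_id not on admin allowlist")

    if broad and lookalike:
        return "high", reasons      # the 2017 "Google Docs" pattern
    if broad:
        return "medium", reasons    # unknown app, mailbox-level access
    return "low", reasons           # unknown app, narrow access


def triage(records, allowlist=ALLOWLIST):
    """Return (risk, actor, app_name, reasons) rows needing review, worst first."""
    rows = []
    for rec in records:
        actor = rec.get("actor", {}).get("email", "?")
        for ev in rec.get("events", []):
            risk, reasons = classify_grant(ev, allowlist)
            if risk in ("medium", "high"):
                rows.append((risk, actor, _params(ev).get("app_name"), reasons))
    rows.sort(key=lambda r: RISK_ORDER[r[0]], reverse=True)
    return rows


def _authorize(email, app, client_id, scopes):
    """Build one constructed activity record (helper for the sample below)."""
    return {"actor": {"email": email}, "events": [{"name": "authorize", "parameters": [
        {"name": "client_id", "value": client_id},
        {"name": "app_name", "value": app},
        {"name": "scope", "multiValue": scopes}]}]}


# Constructed sample: one lookalike grant, one allowlisted app, one unknown
# app with mailbox scope, one revoke, one unknown app with narrow scope.
SAMPLE_RECORDS = [
    _authorize("alice@example.com", "Google Docs",
               "999999999999-fakedocs.apps.googleusercontent.com",
               ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly", "openid", "email"]),
    _authorize("bob@example.com", "Approved CRM",
               "111111111111-approvedcrm.apps.googleusercontent.com",
               ["https://www.googleapis.com/auth/gmail.readonly"]),
    _authorize("carol@example.com", "Meeting Notes Helper",
               "222222222222-notes.apps.googleusercontent.com",
               ["https://www.googleapis.com/auth/gmail.readonly", "openid"]),
    {"actor": {"email": "dave@example.com"}, "events": [{"name": "revoke", "parameters": []}]},
    _authorize("erin@example.com", "Calendar Sync",
               "333333333333-calsync.apps.googleusercontent.com",
               ["https://www.googleapis.com/auth/calendar.readonly"]),
]

if __name__ == "__main__":
    for risk, actor, app, reasons in triage(SAMPLE_RECORDS):
        print(f"{risk.upper():6} {actor:20} {app!r}")
        for r in reasons:
            print("   -", r)
```

Run against the constructed records, the script reports the "Google Docs" grant as high and the unknown notes app as medium; the allowlisted CRM, the revoke event and the calendar-only app generate no review row. The same logic fits naturally into whatever pulls token activity from the Reports API on a schedule, with the allowlist maintained from the admin consent workflow described above.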
Here’s the part most people miss. In our work with Texas businesses, the accounts that get taken over rarely have weak passwords. They have a user who clicked approve on an app that asked for too much. That’s why we treat app permission reviews as routine maintenance, not a one-time project. For a structured starting point, our guide to protecting your SMB from cyberthreats covers the broader controls every small business needs, and our checklist for identifying phishing email covers the warning signs in everyday inboxes.
What to do if you already approved a malicious app
Move quickly if you think you granted access. Open your Google Account security settings, find the third-party apps section, and remove access for anything suspicious. Then change your password, review your account for forwarding rules or filters you didn’t create, and check sent mail for messages you didn’t write. For a business account, alert your IT team right away so they can hunt for the same grant across other users.
Common questions about Google Docs phishing
Does the Google Docs phishing attack steal my password?
No. The attack never asks for your password. It uses the real Google sign-in and then requests OAuth permissions, so an attacker gains access through an approved app rather than stolen credentials.
Can multi-factor authentication stop consent phishing?
Not on its own. Because you authenticate on the genuine Google page, MFA is satisfied normally. The attacker captures an app access token afterward, which is why app permission controls matter more than MFA alone here.
How do I check which apps have access to my Google account?
Open your Google Account, go to Security, and find the section for third-party apps and services. Review each app, and remove access for anything you don’t recognize or no longer use.
Is consent phishing only a Gmail problem?
Far from it. The same OAuth abuse targets Microsoft 365 and other cloud platforms. Any service that lets third-party apps request permissions can be exploited the same way the 2017 Google Docs worm was.
How can a business prevent this at scale?
Restrict third-party app access, require admin approval for new app grants, audit existing permissions, and monitor for suspicious OAuth activity. These controls stop the attack before an employee can approve it.
Lock down OAuth access before an attacker does
Consent phishing slips past passwords and MFA, which makes it one of the easiest ways into a business inbox. Uprite helps Texas businesses configure app governance, monitor for risky grants, and train teams to recognize fake permission requests. Explore our cybersecurity services or contact us to review how your Google Workspace and Microsoft 365 permissions are set up today.