The phishing message was especially nasty because of its polish. Uncharacteristically for phishing, there were few errors in the message, and it was created in a way that made it quite enticing to click on the “Google Doc” link and see what you were ostensibly sent from a trusted sender — someone in your contacts list, or in your organization.
Since the messages were sent by the attacker using OAuth credentials attached to legitimate Google accounts, the messages appeared to be (and technically were) from actual people you should know, including showing their photo. Even checking the Received headers and other technical steps you could take to verify the provenance of a message showed the message was legitimately sent through Gmail… because it was. Clicking the “Open in Docs” button sent you into an OAuth flow asking for permission to tie your Google Account to a (fake) app called – wait for it – “Google Docs”. After receiving that, the fake app then requested access to your Gmail account. Once it had those permissions, it automatically started to mail the link to itself to everyone in your address book (then deleted the sent messages to try to avoid leaving a trace) – and if anyone clicked the link and authorized the app, it sent itself to all of those people, etc. etc. etc.
The payload of the attack appeared to just replicate the message (and phone home to Google Analytics to calculate statistics on how many suckers got hit), from what little analysis we’ve seen, but there is real reason to be concerned. Access to your Gmail account is equivalent, in a lot of cases, to access to your entire digital life.
The attack payload could have waited to get a high-value account and forged a message saying basically anything. It could have read your email inbox and sent any message anywhere for its own analysis later. It could have emailed all your contacts your match.com messages, or emailed your boss your LinkedIn activity. Some versions of the attack even asked for Google Drive access – providing an easy way for the attacker to steal company secrets or proprietary data… or just delete it all and ruin your day.
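The consent step is where this worm could have been caught: a third-party app calling itself “Google Docs” and asking for mail plus contacts access is exactly the self-propagating combination described above. The following is an added example (not code from the original post) of a small consent-request triage check; the scope strings are real Google OAuth scopes, while the app name, client ID and redirect URI in the sample request are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scope identifiers. Which exact scopes the worm requested
# is not stated in the post; the groupings below follow the access it gained.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}
DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
# Google's own products never ask for third-party OAuth consent, so an app
# wearing one of these names on a consent screen is impersonating it.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google"}


def assess_consent(app_name: str, authorize_url: str) -> list[str]:
    """Return a list of risk findings for an OAuth authorization request."""
    query = parse_qs(urlparse(authorize_url).query)
    scopes = set(" ".join(query.get("scope", [])).split())
    redirect_host = urlparse(query.get("redirect_uri", [""])[0]).hostname or ""
    findings = []
    if app_name.strip().lower() in FIRST_PARTY_NAMES:
        findings.append(f"app name {app_name!r} impersonates a Google product "
                        f"(redirect host: {redirect_host or 'none'})")
    if scopes & MAIL_SCOPES and scopes & CONTACT_SCOPES:
        findings.append("mail + contacts scopes: app can mail itself to the address book")
    if scopes & DRIVE_SCOPES:
        findings.append("drive scope: app can read or delete files")
    return findings


# Constructed sample request modelled on the consent step described above.
CONSTRUCTED_REQUEST = (
    "https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

if __name__ == "__main__":
    for finding in assess_consent("Google Docs", CONSTRUCTED_REQUEST):
        print("RISK:", finding)
```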
We all really dodged a bullet here, but we need to continue to be vigilant. Be extremely cautious allowing anything access to your email account – if not for your own sake, for the sake of everyone who emails you.