ALERT: Widespread phishing attack using fake Google Docs

Wednesday, May 3, 2017

The message below was sent to U-M IT staff groups on May 3, 2017.

Resources and news:

5/3/17, 4:35 p.m. update: If you clicked the link in the phishing email and then, on the page it directed you to, clicked the ALLOW button, you will need to remove the access you allowed to a deceptively named app, Google Docs (not the actual Google Docs). Go to Google's Apps connected to your account and select Google Docs. Then click the Remove button.
6:30 p.m. update: Rephrased the description of the phishing and legitimate links to indicate they start with https://.

5/5/17 update: Google has blocked the sender of the phishing emails and shut down the sender's site. If you checkGoogle's Apps connected to your account and do not see Google Docs listed, you do not need to take action to revoke access.

We are seeing a widespread phishing attack in which email recipients at U-M and many other universities are asked to click a link to a shared Google Doc. Many members of the U-M community are receiving multiple copies of the phishing email.

  • Subject line of the messages: <a person's name - it might be someone you know> has shared a document on Google Docs with you
  • Message content: The message names a specific person and says they have shared a document and invites the user to click an Open in Docs button.

If users click on the link they may be providing the attacker with access to their Google at U-M account.

Please inform those you work with about this phishing attack and urge them not to click the link.

Recommended Action

  • Do not click the Open in Docs link.
  • Delete the email.

To identify the phishing messages, hover over the button with your mouse (be careful not to click it). You will see the URL it is directing you to in the bottom left of your window.

  • The phishing URL begins with https:// followed by
  • Check a Google Doc sharing message that you know is legitimate, hover over the Open in Docs button, and you will see that the URL begins with https:// followed by

If in doubt, do not click the link!

To learn about phishing, see Phishing & Suspicious Email.