The Google Doc phishing scam Attack.Phishing that conned over a million users this week illustrates how attackers cleverly respond to wider spread Attack.Phishing end-user awareness about how phishing attacks Attack.Phishing work . The attack did n't ask users to enter credentials . Instead , it exhibited very few traditional phishing scam Attack.Phishing behaviors and could n't have been detected by endpoint protections . Some researchers are calling this attack a `` game changer '' that could be just the start of a new wave of attacks that take advantage of third-party authentication connections rampant in the cloud services-based economy . The attack tricked Attack.Phishing victims into clicking a link that gave attackers access to their Google Drive through OAuth authentication connections commonly used by third-party applications . The attackers did so by sending Attack.Phishing victims lure messages claiming Attack.Phishing to contain links to a shared Google Doc . Instead of a legit document , the link actually initiates a process to give a phony app masquerading as Attack.Phishing `` Google Docs '' access to the user 's Google account . If the user is already logged into Google , the connection routes that app into an OAuth permissions page asking the user to `` Allow '' access to the user 's legitimate Google Drive . `` You are n't giving your Google credentials directly to the attacker . Rather , OAuth gives the attacker permissions to act on behalf of your account . You 're on the real Google permissions page . OAuth is a legitimate way to give third-party applications access to your account . The application name is 'Google Docs , ' which is fake but convincing Attack.Phishing , '' says Jordan Wright , R & D engineer for Duo Security . `` So unless you know that Google Docs wo n't ask for your permissions , there is little you could use to determine that this was fake . '' The lure emails appear to come from Attack.Phishing Google Drive from a previous victim , making it difficult to detect as a fakeout , says Travis Smith , senior security researcher at Tripwire . `` Not only does this have a casual appearance of being legitimate , by being part of the official marketplace the link in the email went back directly to legitimate Google servers , '' says Smith . `` For those that are trained to validate the link before clicking on it , this passes two of the common techniques the majority of internet users are trained to not click on every link they come Attack.Phishing across : 'Does it come from Attack.Phishing someone you trust and validate the link is going to a trusted source ? ' '' The only big tip-off is that many of the messages seem to have an suspicious account , hhhhhhhhhhhhhhhh @ mailinator.com , cc 'd on the message , says John Bambenek , threat research manager at Fidelis Cybersecurity . He says the attack shows the glaring problem with OAuth , namely that it allows passive authentication . Netskope 's analysis found that a number of enterprise users across various industries ended up falling prey to this attack . Google worked to quickly block the attack , but there was a window of opportunity in that time between compromise and mitigation where emails , contacts , attachments and whatever else on a Google account could have been purloined , he warns . `` If an enterprise has identified that their users have granted access to the app in this attack , we recommend they conduct a full audit of the activities that were performed in Google Gmail after the permissions were granted to the app , '' Balupari writes .