
Phishing Alert: Attackers Use Google Workspace Apps to Steal Credentials

Stanford University’s Information Security Office (ISO) is alerting the community to the emergence of a novel phishing technique in which attackers use legitimate Google Workspace apps to trick users into submitting their university credentials. Please take a moment to review the details of this tricky scam and help spread awareness.

What makes this scam unique?

What makes this scam especially dangerous is the use of trusted identifiers that normally provide assurance.

  • The phishing emails come from legitimate google.com email addresses. They may appear as typical invites to edit a Google Doc, fill out a Google Form, or collaborate on Google Workspace content such as Google Sites or Sheets. They often include familiar names—like a colleague’s—and mimic Google Workspace notifications (e.g., “[Colleague name] shared a document…”).
  • Both the links and websites are hosted on real google.com domains and secured with valid SSL certificates, creating a false sense of legitimacy. Some even include Stanford branding.
  • The red flag? These pages eventually prompt you to enter your SUNet credentials, including your password and possibly a Duo passcode—something no legitimate Stanford request will ever ask you to do. (See example of attackers using a Google Form.)

Be vigilant; take a moment

No request from Stanford is legitimate if it asks for your credentials, such as your SUNet password or Duo passcodes. 

Attackers are exploiting a flaw in Google Workspace to send emails that include authentic google.com sender information. This technique helps bypass email malware detection, giving users a false sense of security when reviewing work-related emails.

What can you do?

  • If you believe you’ve submitted your SUNet credentials to a malicious website, change your password immediately at https://accounts.stanford.edu/. Acting quickly helps protect your account and Stanford’s systems—don’t delay.
  • It’s human nature to want to rush through any given form or document and supply the information that’s requested. Take a pause and be mindful of what’s being asked of you prior to hitting the submit button.
  • Speak to the sender of questionable emails to validate the legitimacy of the message. If you suspect a phishing attempt, use the Report Phishing button in Outlook or forward the email to phishing@stanford.edu.
  • Never approve uninvoked or questionable Duo authentication prompts. Decline the authentication request, then use Duo’s built-in option to report fraud, which will temporarily pause further prompts.
  • Opt into URL Defense, which helps protect users by evaluating links from external email senders.
  • Use Stanford Slack to connect directly with ISO staff by joining the #iso-public channel; get important cybersecurity announcements by joining the #ciso-announce channel. Both channels are available across all Stanford workspaces.

DISCLAIMER: UIT News is accurate on the publication date. We do not update information in past news items. We do make every effort to keep our service information pages up-to-date. Please search our service pages at uit.stanford.edu/search.