Fake Google OAuth App Consent Phishing
Attackers send phishing emails with links to legitimate-looking Google OAuth consent screens for malicious applications, tricking users into granting the app persistent access to their Gmail, Drive, or Google account.
Part of: Social Login & OAuth Phishing
Last reviewed: 7 June 2026
One of the most technically sophisticated forms of Google account phishing does not steal your password at all. Instead, it tricks you into voluntarily granting a malicious application access to your Google account through the legitimate Google OAuth consent mechanism. Because no password is captured and the entire flow occurs on real Google infrastructure, traditional phishing defences may not detect it.
This attack vector was popularised by the 2017 'Google Docs phishing' campaign, which spread virally through Gmail by getting recipients to grant a malicious app named 'Google Docs' access to their email. Google revoked the app and added protections, but variants of this technique continue to appear.
The key insight for users is that an OAuth consent screen on a real Google domain is not automatically safe — what matters is the name and publisher of the application requesting access, and whether the permissions it seeks are appropriate.
How this scam works on the Google brand
An attacker creates a Google Cloud project and registers an OAuth client whose app name and logo mimic a legitimate service, such as 'Google Security Check', 'Shared Document Viewer', or the name of a real, well-known app. Anyone with a Google account can do this in the Google Cloud Console. The app's consent screen is configured to request sensitive OAuth scopes, such as full read and send access to Gmail and full access to Drive.
The phishing email claims to be a document share, a security alert, or a software activation prompt, and includes a link. That link is a genuine Google authorisation URL on accounts.google.com/o/oauth2, carrying the attacker's client ID, redirect address and requested scopes as parameters. Because the domain is Google's, URL reputation checks in email security filters pass it. If the user is not already signed in, they sign in on Google's real login page, so no password is ever sent to the attacker. When they click 'Allow', Google sends an authorisation code to the attacker's redirect address, which the attacker exchanges for an access token and, if offline access was requested, a refresh token that keeps working until the grant is revoked. The result is persistent account access with no credentials captured.
The attacker can then use the application token to read emails, exfiltrate files, or send phishing emails from the victim's account to their contacts, spreading the attack further.
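The link in the email is the one thing a recipient can inspect before the consent screen appears. The following script, an added example that is not part of the original article, pulls the app-identifying parameters out of a Google consent link and lists what a practitioner would want to know: whether it really points at Google's authorisation endpoint, which scopes are requested, whether a refresh token is requested (persistent access), and where the grant will be delivered. The two sample links, the client IDs, and the hypothetical 'docs-share-viewer.example' service are constructed for this example; the scope labels paraphrase the consent-screen wording and are approximate.

```python
"""Inspect a Google OAuth consent link before clicking 'Allow'.

Added example, not code from the original article. The two links below are
constructed; the client IDs, redirect hosts and the hypothetical
'docs-share-viewer.example' service are made up.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Google's real authorisation endpoint. A link that points here is genuine
# Google infrastructure, which is exactly why it passes URL reputation checks.
GOOGLE_AUTH_HOST = "accounts.google.com"
GOOGLE_AUTH_PATHS = ("/o/oauth2/auth", "/o/oauth2/v2/auth")

# Scopes that grant broad, ongoing access to account contents. The labels
# paraphrase the consent-screen wording and are approximate.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail messages",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail messages",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
}

# Constructed sample links. The first imitates a document-share lure; the
# second is what a narrowly scoped, legitimate integration typically asks for.
PHISHING_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-abcdefghijklmnop.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share-viewer.example%2Fcallback"
    "&response_type=code"
    "&scope=openid+email+https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
    "&access_type=offline&prompt=consent"
)
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=987654321098-zyxwvutsrqponmlk.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback"
    "&response_type=code"
    "&scope=openid+email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file"
)


def analyze_consent_url(url: str, claimed_domain: Optional[str] = None) -> dict:
    """Extract the app-identifying parameters of a consent link and list warnings.

    claimed_domain is the domain of the service the email says it comes from.
    The link never carries the app's display name: only client_id and
    redirect_uri identify who actually receives the grant.
    """
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    scopes = params.get("scope", "").split()
    warnings = []

    google_hosted = u.hostname == GOOGLE_AUTH_HOST and u.path in GOOGLE_AUTH_PATHS
    if not google_hosted:
        warnings.append("not Google's authorisation endpoint; the page may be a fake login form")

    for scope in scopes:
        if scope in SENSITIVE_SCOPES:
            warnings.append(f"requests {SENSITIVE_SCOPES[scope]} ({scope})")

    # access_type=offline asks for a refresh token, so access outlives the
    # browser session and persists until the grant is revoked.
    if params.get("access_type") == "offline":
        warnings.append("requests a refresh token: access persists until you revoke it")

    if claimed_domain and redirect_host:
        same_site = redirect_host == claimed_domain or redirect_host.endswith("." + claimed_domain)
        if not same_site:
            warnings.append(f"the grant is delivered to {redirect_host}, not to {claimed_domain}")

    return {
        "google_hosted": google_hosted,
        "client_id": params.get("client_id"),
        "redirect_host": redirect_host,
        "scopes": scopes,
        "warnings": warnings,
    }


if __name__ == "__main__":
    samples = (("lure", PHISHING_URL, "docs.google.com"), ("benign", BENIGN_URL, "app.example.com"))
    for label, link, claimed in samples:
        report = analyze_consent_url(link, claimed_domain=claimed)
        print(f"{label}: client_id={report['client_id']} redirect={report['redirect_host']}")
        for w in report["warnings"]:
            print("  !", w)
```

Run against the lure link, the script confirms the page really is Google's, then reports full Gmail access, contact access, a refresh-token request and delivery of the grant to docs-share-viewer.example rather than docs.google.com. The benign link, with only a per-file Drive scope and no offline access, produces no warnings. The same checks can be applied to the consent URL shown in the browser address bar at the moment the consent screen is displayed.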
Common red flags
- An unsolicited email asks you to click a link to authorise a Google application
- The OAuth consent screen names an application you have not heard of or did not intentionally choose to connect
- The application requests access to Gmail, Drive, or Contacts in an email about a document share or security check
- The application publisher name in the consent screen is an individual or unknown company, not a recognised organisation
- Google's own unverified-app warning appears on the consent screen — this indicates the app has not been reviewed by Google
- The consent screen permissions include 'View and manage all your Gmail messages' for what is supposedly a simple file share
How to protect yourself
- Review all applications with access to your Google account at myaccount.google.com/permissions and revoke any you do not recognise
- Pay attention to the application publisher name and permissions before clicking 'Allow' on any OAuth consent screen
- If a consent screen shows a Google security warning about an unverified app, do not proceed without strong justification
- Use Google's Advanced Protection Program; it limits third-party apps' access to your Gmail and Drive data to Google's own apps and a short list of trusted ones
- On a Google Workspace account, ask your administrator to restrict which third-party apps may request access to Google data (App access control under API controls in the Admin Console), so an unvetted app cannot even reach the consent screen
- Be suspicious of any email that asks you to click a link and authorise a Google application as a required step
How to report it
- Revoke the malicious app's access at myaccount.google.com/permissions immediately
- Report abusive OAuth applications to Google via the 'Report' option on the consent screen
- Forward the phishing email to [email protected]
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
Frequently asked questions
If I authorised a malicious Google app, does the attacker have my password?
No. OAuth tokens let the application act on your behalf within the granted scopes, but they do not expose your password. However, if the granted scopes include Gmail, the attacker can read your emails, including password-reset emails from other services, and a refresh token lets them keep doing so long after you have closed the page. Revoking the app at myaccount.google.com/permissions invalidates both tokens and stops future access.
How do I tell a legitimate Google OAuth app from a malicious one?
Check the application name and publisher shown on the consent screen and confirm the developer's identity from the service's official website, not from the email. Google does not display a 'verified' badge; an app that has passed Google's review simply shows no warning, and the absence of a warning proves only that its branding and scope usage were reviewed, not that it is the service the email claims. If Google shows an unverified-app warning, treat it with significant caution. The permissions requested should be proportionate to what the app claims to do.
Can I see what a Google app accessed after I revoked it?
After revoking access, the application can no longer use its tokens. A personal Google account has no full audit log, but you can check recent security activity at myaccount.google.com/notifications, the 'Last account activity' details at the foot of the Gmail page (which list recent sessions by access type and IP address), and the activity panel in Drive, which shows changes to files but not reads. For work accounts, your administrator can see exactly which app was authorised, by whom and with which scopes in the OAuth token audit log in the Google Workspace Admin Console, and can check the Gmail and Drive audit logs for what it did afterwards.
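For administrators reviewing those logs, the question is not only whether one user approved a risky app but whether the same app is being approved across the organisation, which is how the 2017 campaign spread. The following script, an added example that is not part of the original article or of any Google tooling, runs two checks over constructed token-authorisation events: a grant of a sensitive scope to a client ID that has not been approved, and a burst of distinct users authorising the same client within a short window. The records and their field names (time, user, client_id, app_name, scopes) are an assumed flattened form of the Workspace token audit log's 'authorize' events, not the API's exact JSON, and the client IDs and users are made up.

```python
"""Hunt for consent-phishing grants in Workspace OAuth token audit events.

Added example, not from the original article or from Google. The events below
are constructed, and their field names are an assumed flattened form of the
token audit log's 'authorize' events rather than the API's exact JSON.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes whose grant to an unknown app warrants a ticket (subset, for brevity).
SENSITIVE_SCOPES = frozenset({
    "https://mail.google.com/", "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/contacts.readonly",
})

# Client IDs the organisation has vetted (constructed).
APPROVED_CLIENT_IDS = frozenset({"111111111111-approvedcrm.apps.googleusercontent.com"})
LURE_CLIENT_ID = "555555555555-docsviewer.apps.googleusercontent.com"

# Constructed events. The lure app calls itself 'Google Docs', as the 2017 campaign did.
EVENTS = [
    {"time": "2026-06-01T09:00:12Z", "user": "alice@example.com", "app_name": "Approved CRM",
     "client_id": "111111111111-approvedcrm.apps.googleusercontent.com",
     "scopes": ["openid", "https://www.googleapis.com/auth/contacts.readonly"]},
    {"time": "2026-06-01T09:31:05Z", "user": "bob@example.com", "app_name": "Google Docs",
     "client_id": LURE_CLIENT_ID,
     "scopes": ["openid", "email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"time": "2026-06-01T09:33:40Z", "user": "carol@example.com", "app_name": "Google Docs",
     "client_id": LURE_CLIENT_ID,
     "scopes": ["openid", "email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"time": "2026-06-01T09:35:02Z", "user": "dave@example.com", "app_name": "Google Docs",
     "client_id": LURE_CLIENT_ID,
     "scopes": ["openid", "email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"time": "2026-06-01T09:41:55Z", "user": "erin@example.com", "app_name": "Google Docs",
     "client_id": LURE_CLIENT_ID,
     "scopes": ["openid", "email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"time": "2026-06-01T10:02:17Z", "user": "frank@example.com", "app_name": "Calendar Sync",
     "client_id": "777777777777-calsync.apps.googleusercontent.com",
     "scopes": ["openid", "https://www.googleapis.com/auth/calendar.readonly"]},
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_grants(events: list) -> list:
    """One alert per grant of a sensitive scope to a client the org has not approved."""
    alerts = []
    for e in events:
        sensitive = sorted(SENSITIVE_SCOPES.intersection(e["scopes"]))
        if sensitive and e["client_id"] not in APPROVED_CLIENT_IDS:
            alerts.append({"user": e["user"], "client_id": e["client_id"],
                           "app_name": e["app_name"], "scopes": sensitive})
    return alerts


def find_bursts(events: list, min_users: int = 3, window: timedelta = timedelta(minutes=15)) -> list:
    """Flag a client_id that several distinct users authorised within one window.

    A self-spreading lure produces exactly this shape: one client_id, many users,
    minutes apart. The client_id is the pivot because the display name is
    whatever the attacker typed into the Cloud Console.
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client_id"]].append((parse_time(e["time"]), e["user"]))
    bursts = []
    for client_id, grants in by_client.items():
        grants.sort()
        for i, (start, _) in enumerate(grants):
            users = {u for t, u in grants[i:] if t - start <= window}
            if len(users) >= min_users:
                bursts.append({"client_id": client_id, "users": len(users),
                               "first_seen": start.isoformat()})
                break
    return bursts


if __name__ == "__main__":
    for a in find_suspicious_grants(EVENTS):
        print(f"grant: {a['user']} -> {a['app_name']} ({a['client_id']}) {a['scopes']}")
    for b in find_bursts(EVENTS):
        print(f"burst: {b['users']} users authorised {b['client_id']} from {b['first_seen']}")
```

On the sample, the approved CRM's contacts grant is ignored, the calendar tool is ignored because its scope is not sensitive, and the four 'Google Docs' grants each produce an alert; the burst check then ties them together as one campaign by client ID. The response is the one described above: revoke the client's grants for every affected user, then use the Gmail audit log to see whether the app sent mail from those accounts to spread further.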