The attacker sends an email to a victim's account that may come from someone you know who had previously had their account hacked in a similar manner, according to a 12 January blog post.

The phishing email may contain something that looks like the image of an attachment you would recognise from the sender. Once a victim clicks on the image instead of a preview of the attachments showing up, a new tab opens prompting them to log into their Gmail account.

At first glance, the URL for the new window contains accounts.google.com but upon further inspection one would notice the URL is a fraud. Once a user has entered their information into the phishing page attackers have access to a user's complete account and have been known to log into accounts immediately after getting the credentials. The technique has also been used to steal credentials from other platforms.

Researchers recommend users check their browser location bar, verify the protocol and hostname, and enable two-factor authentication to avoid compromise. Users can check their Gmail login history by clicking the “Details” button at the bottom right hand corner of their account pages, but researchers warned that there is no sure way to know and that users should change their passwords if they suspect compromise.

Some researchers said Google can help protect users from these kind of attacks is by making two-factor authentication mandatory

Bryan Burns, vice president of Threat Research at Proofpoint said there's nothing new about Gmail/gdocs phishing, which is also prevalent in Office 365, Dropbox and Drive.

“This attack suggests attackers are finding it easier to trick people than machines,” said Burns. “Based on the prevalence of macro-based downloaders for large-scale campaigns (like those used to deliver Locky ransomware), and the increase in business email compromise-type attacks, it seems likely that credential phishing will continue to be a dominant threat vector.”

We've attempted to reach Google for comment but have yet to receive a response.