If you are a regular user of Google Docs, then be aware! Do not open any invites from others to edit a file, it may be a spam to make you as a victim of phishing scheme.
The attacker made use of a different way to phish this time. Without even gaining an access your account with a password, the phishers could harm your data. They did so by taking the advantage of the fact that one can create a web app similar to Google page but with a misleading name. That is, asking a logged-in user to grant permission to a malicious app developed by them.
According to Reddit, here is how the attack took place.
Firstly an email invitation will be sent to a victim from the person they may know. This invitation requests you to open the file in Google Docs.
Lets you select among few account
Once you open the invitation, it lets you select among few already logged in Google account. After you select the required account, the attack begins.
Asks permission to grant the access
Once done with selecting the account, it takes them to a Google sign-in page and asks them to continue with Google Docs. This helps the attacker to get the access to your mail and address book.
Because when you continue with docs, it is not an original page instead a third party malicious app which is named as ‘Google Docs'.
Developer information title
You can verify it by checking the title for developer information. It will look something like the above picture.
Regarding this, Google says, "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."
Google took this issue seriously and disabled the application to fix it. Later it confirmed telling that the issue has been resolved.
Update: Google revoked the app, there's nothing more to do. Attacker likely has victim info on their servers, but no more account control.— Zach Latta (@zachlatta) May 3, 2017